Make WordPress Core

Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#11941 closed defect (bug) (wontfix)

Security Issues in class Snoopy within trunk

Reported by: hakre
Owned by: ryan
Milestone:
Priority: normal
Severity: normal
Version: 3.0
Component: Security
Keywords:
Focuses:
Cc:

Description

The core trunk codebase contains a class called Snoopy which has security issues (it is said). Next to this, one I found in concrete is that it does not properly filter XML/HTML so it's open to XSS and other forms of injection.

  1. If the class is still in use I suggest to replace it with WP API functions (related: #8082).
  2. (Then,) If the class isn't any longer in use, I suggest to remove it from trunk.
  3. It's about time. If you do not think so, then the class should be mimicked with WP API functions.

In any case that code should be removed finally.

Change History (2)

#1 @dd32
15 years ago

  • Milestone 3.0 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Snoopy will be staying for backcompat for a little bit longer.

Snoopy should not be responsible for any XSS/filtering; it's designed to return the raw content of a URL, the same as WP_HTTP is. Data from all external sources should be filtered properly by the functions using it.

Snoopy is no longer used by WordPress at all; Magpie, which used it, has a WP_HTTP -> Snoopy-style-result compat function.

Closing as worksforme due to the above reasons. If you wish to have a ticket for removal of Snoopy, please open one for Future Release without Security connotations for the removal.
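
The division of responsibility described in comment #1, as an added example that is not part of the ticket and is not WordPress or Snoopy code: the fetched body stays raw, and the consumer escapes it for each output context. The feed body is constructed sample data, and `escText`, `escLink` and `renderFeed` are hypothetical helper names written in plain PHP rather than with the WordPress API.

```php
<?php
// Added example. $rawBody is constructed sample data standing in for the
// untouched response body that a fetch layer (Snoopy, WP_HTTP) hands back.
$rawBody = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item>
  <title>Release notes &lt;script&gt;alert(1)&lt;/script&gt;</title>
  <link>javascript:alert(1)</link>
</item>
<item>
  <title>Ordinary "quoted" headline</title>
  <link>https://example.org/post?id=2&amp;ref=feed</link>
</item>
</channel></rss>
XML;

// Hypothetical consumer helper: escape for an HTML text or attribute context.
function escText(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical consumer helper: allow only http(s) links, then escape.
function escLink(string $url): string {
    $scheme = strtolower((string) parse_url(trim($url), PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? escText(trim($url)) : '#';
}

// The consumer parses the raw body and filters at the point of output.
function renderFeed(string $rawBody): string {
    $prev = libxml_use_internal_errors(true);   // keep parse warnings out of the page
    $xml = simplexml_load_string($rawBody, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($xml === false) {
        return "<p>Feed could not be parsed.</p>\n";
    }
    $out = "<ul>\n";
    foreach ($xml->channel->item as $item) {
        $out .= sprintf("  <li><a href=\"%s\">%s</a></li>\n",
            escLink((string) $item->link), escText((string) $item->title));
    }
    return $out . "</ul>\n";
}

echo renderFeed($rawBody);
```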

#2 @nacin
15 years ago

MagpieRSS in turn is deprecated in favor of SimplePie, of course.
