Make WordPress Core

Opened 14 years ago

Closed 7 years ago

#13377 closed defect (bug) (fixed)

Add more sanitization in _cleanup_header_comment

Reported by: seanklein Owned by: johnbillion
Milestone: 4.8.2 Priority: normal
Severity: normal Version: 3.0
Component: Security Keywords:
Focuses: Cc:

Description

The _cleanup_header_comment function is used in multiple places, but one in particular can cause some problems on the Page edit screen (or any screen that uses page templates). The get_page_templates function (which gets the list of page templates to display in a <select> box on the page edit screen) uses it to clean up the page templates retrieved from a file.

Unfortunately the function does not sanitize enough, and if (for instance) JavaScript existed in the page template name it would be run on the Page Edit screen.

To test, add some JavaScript (with <script> tags) to the "Template Name:" line of a page template, and load the Page edit screen.
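The path the description sketches, as an added stand-alone PHP model that is not WordPress core's code: the header parser and the cleanup routine are simplified imitations of get_file_data() and _cleanup_header_comment(), htmlspecialchars() stands in for esc_attr()/esc_html(), and the template file content is constructed for the example.

```php
<?php
// Added example (not WordPress code): models how a page template's
// "Template Name:" header reaches the Page edit screen's <select>, and
// why stripping comment delimiters is not the same as output escaping.

// Constructed sample template file header; the name is hostile on purpose.
$templateFile = "<?php\n/*\nTemplate Name: Landing <script>alert(1)</script>\n*/\n";

// Modelled on core's _cleanup_header_comment() (assumption): drop a trailing
// '*/' or '?>' and anything after it, then trim. It removes comment
// delimiters only, so '<script>' passes through untouched.
function cleanup_header_comment(string $str): string {
    return trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $str));
}

// Modelled on how get_file_data() matches a header line (assumption).
function read_template_name(string $source): string {
    if (preg_match('/^[ \t\/*#@]*Template Name:(.*)$/mi', $source, $m)) {
        return cleanup_header_comment($m[1]);
    }
    return '';
}

// Vulnerable rendering: the cleaned name is interpolated into markup as-is,
// so a name containing HTML becomes live markup on the edit screen.
function render_option_unescaped(string $name, string $file): string {
    return "<option value='$file'>$name</option>";
}

// Hardened rendering: the attribute context and the text context each get
// their own escaper (esc_attr()/esc_html() in core; htmlspecialchars here).
function render_option_escaped(string $name, string $file): string {
    $attr = htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<option value='$attr'>$text</option>";
}

$name = read_template_name($templateFile);
echo "Parsed name: $name\n";
echo "Unescaped: " . render_option_unescaped($name, 'landing.php') . "\n";
echo "Escaped:   " . render_option_escaped($name, 'landing.php') . "\n";
```

Running it shows the parsed name still carrying the script tag after cleanup, and only the escaped variant emitting it as inert text.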

Attachments (2)

13377.diff (3.0 KB) - added by kawauso 14 years ago.
13377.patch (1.8 KB) - added by Mte90 8 years ago.
patch refreshed


Change History (24)

@kawauso
14 years ago

#1 @kawauso
14 years ago

  • Keywords has-patch added

It appears to be used in get_file_data() (which is sanitized properly where used), get_file_description() and get_page_templates().

The attached patch sanitizes uses of the latter two with esc_html(), apart from get_page_templates() in wp_getPageTemplates(). Not really sure what to do with that.

It also standardises trim() usage on get_file_description($file) and makes the $filedesc logic actually understandable.

Last edited 14 years ago by kawauso

#2 @ryan
10 years ago

  • Owner ryan deleted
  • Status changed from new to assigned

#3 @chriscct7
9 years ago

  • Keywords needs-refresh added

@Mte90
8 years ago

patch refreshed

#4 @Mte90
8 years ago

  • Keywords dev-feedback added; needs-refresh removed

Patch refreshed, but I am not sure if there are other parts that require this sanitization, because this ticket is very old.

7 years ago

This ticket was mentioned in Slack in #core by mte90.

#6 @johnbillion
7 years ago

  • Milestone changed from Future Release to 4.8.2
  • Owner set to johnbillion
  • Status changed from assigned to reviewing

#7 @johnbillion
7 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 41399:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Props kawauso, Mte90 for initial patches

Fixes #13377

#8 @johnbillion
7 years ago

  • Keywords fixed-major added; has-patch dev-feedback removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

#9 @johnbillion
7 years ago

In 41412:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41399], with additions, to the 4.8 branch.

See #13377

#10 @johnbillion
7 years ago

In 41413:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41412] to the 4.7 branch

See #13377

#11 @johnbillion
7 years ago

In 41414:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41413] to the 4.6 branch

See #13377

#12 @johnbillion
7 years ago

In 41415:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41414] into the 4.5 branch

See #13377

#13 @johnbillion
7 years ago

In 41416:

General: Remove context added in [41414] in order to avoid a string change in a point release.

See #13377

#14 @johnbillion
7 years ago

In 41434:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41415] and [41416] into the 4.4 branch.

See #13377

#15 @johnbillion
7 years ago

In 41444:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 4.3 branch.

See #13377

#16 @johnbillion
7 years ago

In 41445:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 4.2 branch.

See #13377

#17 @johnbillion
7 years ago

In 41446:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 4.1 branch.

See #13377

#18 @johnbillion
7 years ago

In 41447:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 4.0 branch.

See #13377

#19 @johnbillion
7 years ago

In 41449:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 3.9 branch.

See #13377

#20 @johnbillion
7 years ago

In 41452:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 3.8 branch.

See #13377

#21 @johnbillion
7 years ago

In 41456:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 3.7 branch.

See #13377

#22 @ocean90
7 years ago

  • Keywords fixed-major removed
  • Resolution set to fixed
  • Status changed from reopened to closed