
Opened 11 years ago

Closed 6 years ago

#14169 closed defect (bug) (wontfix)

Slashes not removed when $_SERVER in process_conditionals()

Reported by: hakre
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: 3.0
Component: Bootstrap/Load
Keywords: has-patch needs-refresh
Focuses: (none)
Cc: (none)

Description

Since [1964] (now after [12732] in wp-includes/load.php) slashes are added to all values of $_SERVER. If $_SERVER is then accessed, slashes must be removed again; otherwise things might not work as intended, e.g. when comparing and parsing strings.
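
The following PHP is an added example, not code from this ticket or from WordPress core. It reproduces the condition the description reports: once every $_SERVER value has been run through addslashes(), a direct string comparison against the original header value fails until stripslashes() is applied. demo_add_magic_quotes() is a stand-in written here for the recursive addslashes() pass core applies to the request superglobals, header_matches() is a helper invented for the illustration, and the two headers are constructed input rather than a captured request. An ETag is an HTTP quoted-string, so it carries exactly a character addslashes() escapes, while an If-Modified-Since date carries none; the run shows the ETag comparison mismatching before stripslashes() and matching after it, and the date comparison unaffected either way.

```php
<?php
// Added example, not WordPress core code. Shows why a $_SERVER value that has
// had slashes added must have them removed before it is compared.

// Stand-in for the recursive addslashes() pass applied to the request
// superglobals (assumption: mirrors core's add_magic_quotes() behaviour).
function demo_add_magic_quotes(array $array): array
{
    foreach ($array as $key => $value) {
        $array[$key] = is_array($value)
            ? demo_add_magic_quotes($value)
            : addslashes((string) $value);
    }
    return $array;
}

// Compare one header against an expected value, optionally removing the
// slashes first (the fix the attached patches apply). Hypothetical helper.
function header_matches(array $server, string $name, string $expected, bool $strip): bool
{
    if (!isset($server[$name])) {
        return false;
    }
    $value = $strip ? stripslashes($server[$name]) : $server[$name];
    return $value === $expected;
}

// Constructed request headers (not a real capture). The ETag is a
// quoted-string; the date contains no quote, backslash or NUL byte.
$etag  = '"abc123"';
$since = 'Sat, 26 Jun 2010 10:00:00 GMT';
$server = [
    'HTTP_IF_NONE_MATCH'     => $etag,
    'HTTP_IF_MODIFIED_SINCE' => $since,
];

// Simulate the bootstrap step the ticket refers to.
$server = demo_add_magic_quotes($server);

printf("If-None-Match as stored in \$_SERVER after slashing: %s\n", $server['HTTP_IF_NONE_MATCH']);
printf("ETag compared without stripslashes(): %s\n",
    header_matches($server, 'HTTP_IF_NONE_MATCH', $etag, false) ? 'match' : 'mismatch');
printf("ETag compared with stripslashes():    %s\n",
    header_matches($server, 'HTTP_IF_NONE_MATCH', $etag, true) ? 'match' : 'mismatch');
printf("Date compared without stripslashes(): %s\n",
    header_matches($server, 'HTTP_IF_MODIFIED_SINCE', $since, false) ? 'match' : 'mismatch');
printf("Date compared with stripslashes():    %s\n",
    header_matches($server, 'HTTP_IF_MODIFIED_SINCE', $since, true) ? 'match' : 'mismatch');
```

Run it with `php` from the command line. The date case is the one comment 4 below relies on: a header that never contains the characters addslashes() escapes is unaffected by the missing stripslashes(), whereas any header that legitimately contains a double quote, such as an entity tag, is.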

Attachments (2)

14169.patch (589 bytes) - added by hakre 11 years ago.
14169.2.patch (804 bytes) - added by hakre 11 years ago.
in WP::send_headers() [wp-includes/classes.php]


Change History (9)

@hakre
11 years ago

#1 @hakre
11 years ago

function process_conditionals() might be dead code.

@hakre
11 years ago

in WP::send_headers() [wp-includes/classes.php]

#2 @hakre
11 years ago

My previous comment about dead code is invalid. Instead there are additional locations where the problem occurs.

AtomServer::process_conditionals() [wp-includes/wp-app.php]
WP::send_headers() [wp-includes/classes.php]

Related: #2597
Related: [3682] ([4715] 2.0 Backport)
Related: #12402

#3 @hakre
11 years ago

Related: [3572]

Additionally, it's noteworthy that removing and especially adding slashes does not add anything useful when magic_quotes_sybase is ON.

#4 follow-up: @dd32
11 years ago

  • Keywords has-patch commit added
  • Milestone changed from Awaiting Review to Future Release

Technically, both patches look correct to me. However, it should never be a problem, as a datestamp such as that field should never contain punctuation.

#5 @nacin
8 years ago

  • Component changed from General to Bootstrap/Load

#6 @wonderboymusic
6 years ago

  • Keywords needs-refresh added; commit removed

#7 in reply to: ↑ 4 @johnbillion
6 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Replying to dd32:

a datestamp such as that field should never contain punctuation.
