#18250 closed defect (bug) (fixed)
I/O Sanity Failures in _wp_specialchars()
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 3.3 | Priority: | normal |
Severity: | critical | Version: | 2.8 |
Component: | Security | Keywords: | |
Focuses: | | Cc: | |
Description
Background
While reviewing and re-testing code from #12284 and [17171], I realized we had missed something nearby and in plain sight:
```php
$string = str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );
```
This bug was reported to the security group during the 3.2 RC1 development cycle.
A patch was submitted to the security group prior to 3.2 RC1.
Today we agreed to add the patch to a Trac ticket.
I believe this bug affects all versions of WordPress from version 2.8 through 3.2.1.
Vulnerability
Anonymous users can break comment feed validation by injecting the phrase `|wp_entity|` into the body of any comment in the feed.
Any other output from `_wp_specialchars()` would be similarly vulnerable, but the comment feed is the most obvious example.
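The placeholder round-trip described above, as an added example that is not WordPress's own code: `placeholder_specialchars()` is a simplified reconstruction of the marker technique (hypothetical name, regex simplified), `safe_specialchars()` is a hardened form that relies on `htmlspecialchars()`'s own `$double_encode = false` argument instead of a marker, and `feed_fragment_is_well_formed()` is the check a feed validator would apply. The comment bodies are constructed inputs.

```php
<?php
// Added example, not the WordPress implementation. Reconstruction of the
// marker trick: existing entities are hidden behind |wp_entity|...|/wp_entity|
// so htmlspecialchars() does not double-encode their leading '&', then the
// markers are turned back into '&' and ';'.
function placeholder_specialchars( $string ) {
    $string = preg_replace( '/&(#?x?[0-9a-zA-Z]+);/', '|wp_entity|$1|/wp_entity|', $string );
    $string = htmlspecialchars( $string, ENT_NOQUOTES, 'UTF-8' );
    // The defect: str_replace() cannot tell a marker written by preg_replace()
    // above from one that arrived verbatim in the caller's (untrusted) input.
    return str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );
}

// Hardened form: htmlspecialchars() itself skips existing entities when its
// fourth argument is false (PHP >= 5.2.3), so nothing derived from the
// untrusted string is ever round-tripped through a sentinel value.
function safe_specialchars( $string ) {
    return htmlspecialchars( $string, ENT_NOQUOTES, 'UTF-8', false );
}

// Feed-validator view: escaped text must still parse when wrapped in XML.
// A bare '&' (no entity name and ';' after it) makes the fragment malformed.
function feed_fragment_is_well_formed( $escaped ) {
    libxml_use_internal_errors( true );
    $ok = simplexml_load_string( '<item>' . $escaped . '</item>' ) !== false;
    libxml_clear_errors();
    return $ok;
}

// Constructed comment bodies: one legitimate entity, one containing the marker.
$comments = array(
    'Tom &amp; Jerry <b>',
    'plain text with a |wp_entity| marker and nothing else',
);
foreach ( $comments as $body ) {
    foreach ( array( 'placeholder_specialchars', 'safe_specialchars' ) as $fn ) {
        $out = $fn( $body );
        printf( "%-24s %-5s %s\n", $fn, feed_fragment_is_well_formed( $out ) ? 'ok' : 'BAD', $out );
    }
}
```

For the second comment the reconstruction emits a bare `&` that fails the well-formedness check, which is the feed-validation failure the ticket describes, while the hardened form leaves the marker text untouched and the fragment valid.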
Attachments (1)
The original 1 June security patch.
Change History (4)