Opened 3 years ago

Closed 3 years ago

Last modified 2 years ago

#18250 closed defect (bug) (fixed)

I/O Sanity Failures in _wp_specialchars()

Reported by: miqrogroove
Owned by:
Milestone: 3.3
Priority: normal
Severity: critical
Version: 2.8
Component: Security
Keywords:
Focuses:
Cc:

Description

Background

While reviewing and re-testing code from #12284 and [17171], I realized we had missed something nearby and in plain sight:

$string = str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );

This bug was reported to the security group during the 3.2 RC1 development cycle.

A patch was submitted to the security group prior to 3.2 RC1.

Today we agreed to add the patch to a Trac ticket.

I believe this bug affects all versions of WordPress from version 2.8 through 3.2.1.

Vulnerability

Anonymous users can break comment feed validation by injecting the phrase |wp_entity| into the body of any comment in the feed.

Any other output from _wp_specialchars() would be similarly vulnerable, but the comment feed is the most obvious example.

Attachments (1)

wp-io-sanity-by-miqrogroove.patch (1.4 KB) - added by miqrogroove 3 years ago.
The original 1 June security patch.
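
The placeholder collision described in this ticket, shown as an added example that is not part of the original ticket, the attached patch, or WordPress's code. The function names are hypothetical, the first function is a simplified model of the in-band marker pattern built around the str_replace() line quoted above, and the second shows one way to avoid markers using the real double_encode parameter of htmlspecialchars(); the sample strings are constructed.

```php
<?php
// Simplified model of the in-band placeholder pattern (hypothetical, not WordPress code).
function escape_with_placeholders(string $s): string {
    // Step 1: hide existing entities behind text markers so they are not double-encoded.
    $s = preg_replace('/&(#?x?[0-9a-z]+);/i', '|wp_entity|$1|/wp_entity|', $s);
    // Step 2: escape everything else. '|' is not special, so markers pass through.
    $s = htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    // Step 3: the line quoted in the ticket. Markers typed by a user cannot be
    // told apart from markers created in step 1, so they also become '&' and ';'.
    return str_replace(array('|wp_entity|', '|/wp_entity|'), array('&', ';'), $s);
}

// Marker-free variant: htmlspecialchars() itself skips existing entities
// when its fourth argument (double_encode) is false.
function escape_without_placeholders(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

// I/O sanity check: escaped output must not contain an '&' that does not
// start a syntactically complete entity.
function has_bare_ampersand(string $escaped): bool {
    return preg_match('/&(?!(?:#[0-9]+|#x[0-9a-f]+|[a-z][a-z0-9]*);)/i', $escaped) === 1;
}

// Constructed sample inputs.
$samples = array(
    'AT&amp;T',                    // existing entity, must be preserved
    'Tom & Jerry',                 // raw ampersand, must be encoded
    'text |wp_entity| more text',  // the phrase named in the ticket
);

foreach ($samples as $input) {
    $old = escape_with_placeholders($input);
    $new = escape_without_placeholders($input);
    echo 'input:        ', $input, "\n";
    echo 'placeholders: ', $old, '  bare &: ', has_bare_ampersand($old) ? 'yes' : 'no', "\n";
    echo 'double_encode:', ' ', $new, '  bare &: ', has_bare_ampersand($new) ? 'yes' : 'no', "\n\n";
}
```

For the third sample the placeholder variant returns a raw ampersand, which is what makes an XML feed fail validation, while the marker-free variant returns the phrase unchanged.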


Change History (4)

miqrogroove 3 years ago

The original 1 June security patch.

comment:1 miqrogroove 3 years ago

[18485]

Should be fixed now. Needs milestone set.

comment:2 SergeyBiryukov 3 years ago

  • Milestone changed from Awaiting Review to 3.3
  • Resolution set to fixed
  • Status changed from new to closed
