Make WordPress Core

Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#18366 closed defect (bug) (wontfix)

Sanitize order and orderby in get_terms() breaks my plugin...

Reported by: jameslafferty's profile jameslafferty Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.2
Component: Taxonomy Keywords: dev-feedback
Focuses: Cc:

Description (last modified by ocean90)

And generally reduces possibilities for extending the taxonomy model. My plugin "Term Menu Order" (http://wordpress.org/extend/plugins/term-menu-order/) allowed manual ordering of terms, which isn't possible given the method of sanitizing the order and orderby clauses. I totally get the potential security concerns -- maybe there's a way to sanitize the inputs that's a bit less draconian, though? The relevant changeset is r18344.

Change History (9)

#1 @jameslafferty
13 years ago

  • Cc james@… added

#2 @ocean90
13 years ago

  • Description modified (diff)

Changeset linked.

#3 follow-up: @SergeyBiryukov
13 years ago

Seems like it's still possible to set orderby using get_terms_orderby filter. What exactly is broken here?

#4 @SergeyBiryukov
13 years ago

  • Keywords reporter-feedback added

#5 in reply to: ↑ 3 @jameslafferty
13 years ago

Replying to SergeyBiryukov:

Seems like it's still possible to set orderby using get_terms_orderby filter. What exactly is broken here?

The issue is that whereas previously I could get_terms(... orderby => 'menu_order' ...) when the plugin was installed, I no longer can. Using the filter in this case makes for more awkward, less intuitive code even in the simplest scenario, and, if I want to vary orderby over several different get_terms calls within a theme, I need to get even more "creative".

It's also not totally clear to me what we gain by comparing against the whitelist if we then allow the sanitized orderby to be straight overwritten with the filter. Likely, I'm missing something here, but wouldn't it be better to sanitize orderby further down? In which case, couldn't we do that sanity check in place of the final else clause?

#6 @SergeyBiryukov
13 years ago

  • Keywords dev-feedback added; reporter-feedback removed

#7 @jameslafferty
13 years ago

I managed to get the Term Menu Order working again using get_terms_orderby and get_terms_args. This definitely feels like a workaround, though, and I still feel that the security measure is being implemented a bit over-aggressively.

#8 @nacin
13 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

This measure blocked an SQLi. I have no problems with its aggressiveness. It's a workaround, but so is running an ALTER and adding a field to a core table. :-)

#9 @scribu
13 years ago

By "SQLi" I assume you meant "SQL injection" and not the MySQL Improved extension. :p

Note: See TracTickets for help on using tickets.