WordPress.org

Make WordPress Core

Opened 9 years ago

Closed 8 years ago

Last modified 8 years ago

#18366 closed defect (bug) (wontfix)

Sanitize order and orderby in get_terms() breaks my plugin...

Reported by: jameslafferty Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.2
Component: Taxonomy Keywords: dev-feedback
Focuses: Cc:

Description (last modified by ocean90)

And generally reduces possibilities for extending the taxonomy model. My plugin "Term Menu Order" (http://wordpress.org/extend/plugins/term-menu-order/) allowed manual ordering of terms, which isn't possible given the method of sanitizing the order and orderby clauses. I totally get the potential security concerns -- maybe there's a way to sanitize the inputs that's a bit less draconian, though? The relevant changeset is r18344.

Change History (9)

#1 @jameslafferty
9 years ago

  • Cc james@… added

#2 @ocean90
9 years ago

  • Description modified (diff)

Changeset linked.

#3 follow-up: @SergeyBiryukov
9 years ago

Seems like it's still possible to set orderby using get_terms_orderby filter. What exactly is broken here?

#4 @SergeyBiryukov
9 years ago

  • Keywords reporter-feedback added

#5 in reply to: ↑ 3 @jameslafferty
9 years ago

Replying to SergeyBiryukov:

Seems like it's still possible to set orderby using get_terms_orderby filter. What exactly is broken here?

The issue is that whereas previously I could get_terms(... orderby => 'menu_order' ...) when the plugin was installed, I no longer can. Using the filter in this case makes for more awkward, less intuitive code even in the simplest scenario, and, if I want to vary orderby over several different get_terms calls within a theme, I need to get even more "creative".

It's also not totally clear to me what we gain by comparing against the whitelist if we then allow the sanitized orderby to be straight overwritten with the filter. Likely, I'm missing something here, but wouldn't it be better to sanitize orderby further down? In which case, couldn't we do that sanity check in place of the final else clause?

#6 @SergeyBiryukov
9 years ago

  • Keywords dev-feedback added; reporter-feedback removed

#7 @jameslafferty
8 years ago

I managed to get the Term Menu Order working again using get_terms_orderby and get_terms_args. This definitely feels like a workaround, though, and I still feel that the security measure is being implemented a bit over-aggressively.

#8 @nacin
8 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

This measure blocked an SQLi. I have no problems with its aggressiveness. It's a workaround, but so is running an ALTER and adding a field to a core table. :-)

#9 @scribu
8 years ago

By "SQLi" I assume you meant "SQL injection" and not the MySQL Improved extension. :p

Note: See TracTickets for help on using tickets.