#18366 closed defect (bug) (wontfix)
Sanitize order and orderby in get_terms() breaks my plugin...
Reported by: | jameslafferty | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.2 |
Component: | Taxonomy | Keywords: | dev-feedback |
Focuses: | Cc: |
Description (last modified by )
And generally reduces possibilities for extending the taxonomy model. My plugin "Term Menu Order" (http://wordpress.org/extend/plugins/term-menu-order/) allowed manual ordering of terms, which isn't possible given the method of sanitizing the order and orderby clauses. I totally get the potential security concerns -- maybe there's a way to sanitize the inputs that's a bit less draconian, though? The relevant changeset is r18344.
Change History (9)
#3
follow-up:
↓ 5
@
13 years ago
Seems like it's still possible to set orderby
using get_terms_orderby
filter. What exactly is broken here?
#5
in reply to:
↑ 3
@
13 years ago
Replying to SergeyBiryukov:
Seems like it's still possible to set
orderby
usingget_terms_orderby
filter. What exactly is broken here?
The issue is that whereas previously I could get_terms(... orderby => 'menu_order' ...) when the plugin was installed, I no longer can. Using the filter in this case makes for more awkward, less intuitive code even in the simplest scenario, and, if I want to vary orderby over several different get_terms calls within a theme, I need to get even more "creative".
It's also not totally clear to me what we gain by comparing against the whitelist if we then allow the sanitized orderby to be straight overwritten with the filter. Likely, I'm missing something here, but wouldn't it be better to sanitize orderby further down? In which case, couldn't we do that sanity check in place of the final else clause?
#7
@
13 years ago
I managed to get the Term Menu Order working again using get_terms_orderby and get_terms_args. This definitely feels like a workaround, though, and I still feel that the security measure is being implemented a bit over-aggressively.
#8
@
13 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
This measure blocked an SQLi. I have no problems with its aggressiveness. It's a workaround, but so is running an ALTER and adding a field to a core table. :-)
#9
@
13 years ago
By "SQLi" I assume you meant "SQL injection" and not the MySQL Improved extension. :p
Changeset linked.