WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#21359 closed defect (bug) (invalid)

htmlspecialchars() in wp-db.php is a small vulnerability

Reported by: planetzuda Owned by: planetzuda
Milestone: Priority: normal
Severity: minor Version: 3.4.1
Component: Database Keywords:
Focuses: Cc:

Description

Hey,
I was working with wp-db.php when I noticed htmlspecialchars is being used where htmlentities should be used. I know this is very minor, but I've fixed sites that have been hacked due to the misuse of htmlspecialchars. I reccomend changing htmlspecialchars to htmlentities when the site bails with an error. I've already fixed it on my install, so I'd be happy to upload the fixed file.

Attachments (1)

wp-db.php (45.1 KB) - added by planetzuda 3 years ago.
Wp-db.php with htmlentities() instead of htmlspecialchars()

Download all attachments as: .zip

Change History (4)

@planetzuda3 years ago

Wp-db.php with htmlentities() instead of htmlspecialchars()

comment:1 @planetzuda3 years ago

I should note this is the wp-db.php for the wp-includes folder.

comment:2 @nacin3 years ago

Hi there. When you created this ticket, you might have seen:

Do not report potential security vulnerabilities here. Read the Security FAQ and email us at security@….

Regardless, this isn't accurate. htmlspecialchars() is not only safe in this instance, but this also isn't exploitable — this error is only going to happen based on what is in your wp-config.php file for DB credentials (meaning, someone has file/PHP access) or is able to set up your config with wp-admin/setup-config.php (which means you have a blank install just sitting around). We consider both to be a non-starter when it comes to considering what is a "vulnerability".

There's no difference between htmlspecialchars() and htmlentities() (when the same parameters are used) from a security standpoint.

comment:3 @SergeyBiryukov3 years ago

  • Component changed from General to Database
  • Keywords needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.