WordPress.org

Make WordPress Core

Opened 15 years ago

Closed 14 years ago

#2267 closed defect (bug) (fixed)

'%' in comment author's URLs is incorrectly stripped out.

Reported by: gzfelix@…
Owned by:
Milestone:
Priority: high
Severity: normal
Version: 2.0.5
Component: General
Keywords: has-patch 2nd-opinion dev-feedback security
Focuses:
Cc:

Description

'%' in comment author's URLs is incorrectly stripped out. For example, a URL like:

http://www.example.com/%e5%a4%a7%e9%9b%be%e7%ac%bc%e7%bd%a9%e5%8d%97%e4%ba%ac/

will be stripped out as:

http://www.example.com/e5a4a7e99bbee7acbce7bda9e58d97e4baac/.

Solution:

in wp-includes/comment-functions.php, line 214:

replace

$url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $url);

with:

$url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $url);

Attachments (1)

fix_percents.diff (610 bytes) - added by abhay 15 years ago.
add percent sign to the regular expression replacement in clean_url()


Change History (11)

#1 @gzfelix
15 years ago

  • Milestone changed from 2.0 to 2.0.1

@abhay
15 years ago

add percent sign to the regular expression replacement in clean_url()

#2 @abhay
15 years ago

  • Keywords percent-sign bg|has-patch added

kudos to gzfelix

#3 @skeltoac
15 years ago

  • Keywords bg|2nd-opinion bg|dev-feedback added; percent-sign removed

This needs significant analysis and testing. Yes, percents are the preferred way to encode entities in a URL. However, this might open up the author URL to XSS (cross-site scripting) vulnerabilities by encoding entities that are used to exploit *cough* browsers like IE and NS.
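
An added regression check for the change proposed in the description and the concern raised in comment #3 (example code, not from the ticket or from WordPress core; the function names and the second test URL are constructed for illustration). It runs both character classes over the reported URL, then confirms that the patched class still removes raw HTML metacharacters and passes percent-escapes through undecoded:

```php
<?php
// Added illustration, not WordPress core code: function names are hypothetical.
// The two character classes are the ones quoted in the ticket description.

function strip_before(string $url): string {
    // Original whitelist: '%' is not listed, so it is deleted.
    return preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $url);
}

function strip_after(string $url): string {
    // Proposed whitelist: same class with '%' appended.
    return preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $url);
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// URL from the ticket (percent-encoded UTF-8 path).
$cjk = 'http://www.example.com/%e5%a4%a7%e9%9b%be%e7%ac%bc%e7%bd%a9%e5%8d%97%e4%ba%ac/';
check(strip_before($cjk) === 'http://www.example.com/e5a4a7e99bbee7acbce7bda9e58d97e4baac/',
      'original class reproduces the reported corruption');
check(strip_after($cjk) === $cjk, 'patched class leaves the URL intact');

// Constructed input: raw and percent-encoded forms of '"' and '>'.
$mixed = 'http://www.example.com/?q="%22>%3E';
$out   = strip_after($mixed);
check($out === 'http://www.example.com/?q=%22%3E',
      'raw quote and bracket are still removed');
check(strpbrk($out, '"<>\'') === false,
      'no raw HTML metacharacters in the output');

// The filter does not decode, so the escapes are inert text here. Anything
// that decodes later gets the characters back and must filter again.
check(strpbrk(rawurldecode($out), '"<>') !== false,
      'decoding after filtering reintroduces the characters');
```

The last check marks the boundary to review: the percent-escapes are only as safe as the guarantee that nothing between this filter and the rendered `href` decodes them.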

#4 @gzfelix
15 years ago

WordPress serves as a blog software for me in UTF-8 encoding. And the majority of my blog posts are in Chinese. IE and Mozilla/NS/Firefox all send percent-encoded URLs or POSTed form values. If percents are stripped out, all CJK characters (maybe in other languages) will be unavailable to use in comment author URLs and trackback pings.

#5 @matt
15 years ago

  • Milestone changed from 2.0.1 to 2.1

#6 @matt
15 years ago

  • Keywords security added

#7 @Nazgul
14 years ago

  • Keywords has-patch 2nd-opinion dev-feedback added; bg|has-patch bg|2nd-opinion bg|dev-feedback removed

#8 follow-up: @ryan
14 years ago

  • Milestone changed from 2.1 to 2.0.5
  • Version changed from 2.0 to 2.0.5

Fixed awhile ago.

#9 @(none)
14 years ago

  • Milestone 2.0.5 deleted

#10 in reply to: ↑ 8 @foolswisdom
14 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Replying to ryan:

Fixed awhile ago.

Closing as fixed then.