Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #30377, comment 63


Timestamp:
03/09/2022 07:53:14 AM (2 years ago)
Author:
dd32

  • Ticket #30377, comment 63

    initial  v1
    4  4  Using string functions to remove parts of a URL (both `?...` and `#...`) is a potential security issue here (and why it would've been reverted previously), as it's possible to cause it to strip more than anticipated and result in operating on the incorrect filename. You should really use `wp_parse_url()` instead too (It's kind of like parsing HTML with Regex, possible, but should be avoided).
    5  5
    6     Additionally, since the parameter can be a Filename, Path, or URL, you need to restrict any URL handling to URLs only, not filenames.
       6  Additionally, since the parameter can be a Filename, Path, or URL, you need to restrict any URL handling to URLs only, not filenames. `wp_http_validate_url()` is the obvious thing there at first.. but it's not available in SHORTINIT I don't think, and...
    7  7
    8  8  If a filename on disk ''looks like'' a url (You can have a filename on Linux that IS a url), you can't treat it as a URL either. If the filename came from an untrusted location, you can't treat it as a URL unless it's known to be intentionally a URL.
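
The difference the comment describes, as an added example that is not part of the original comment and is not WordPress core code: string-based stripping applied to every input, next to URL parsing applied only when the caller states the value is a URL. Both function names and the `$is_url` flag are hypothetical, the sample inputs are constructed, and PHP's `parse_url()` stands in for `wp_parse_url()`, which wraps it.

```php
<?php
// Added example; both function names are hypothetical, not WordPress APIs.

// String-based stripping: every input is treated as if it were a URL, so a
// plain filename containing '?' or '#' is silently cut short.
function strip_with_string_functions( string $name ): string {
    $name = explode( '?', $name, 2 )[0];
    return explode( '#', $name, 2 )[0];
}

// URL handling restricted to values the caller knows are URLs. A filename or
// path is returned unchanged, even when it happens to look like a URL.
function name_for_type_check( string $value, bool $is_url ): string {
    if ( ! $is_url ) {
        return $value;
    }
    $parts = parse_url( $value ); // wp_parse_url() wraps this in WordPress.
    if ( false === $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) || empty( $parts['path'] ) ) {
        return ''; // Not an absolute URL with a path: the caller should reject it.
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return ''; // Only web URLs are accepted in this sketch.
    }
    // The query string and fragment are separate components, so they never
    // leak into the name that is checked.
    return basename( $parts['path'] );
}

// Constructed sample inputs: array( value, is it known to be a URL? ).
$samples = array(
    array( 'chapter#2.pdf', false ),      // filename on disk
    array( 'notes?draft.txt', false ),    // filename on disk
    array( 'http:index.html#old', false ), // filename that looks like a URL
    array( 'https://example.org/files/photo.jpg?size=large#top', true ),
);

foreach ( $samples as list( $value, $is_url ) ) {
    printf(
        "%-52s string functions: %-36s restricted parse: %s\n",
        $value,
        strip_with_string_functions( $value ),
        name_for_type_check( $value, $is_url )
    );
}
```

For the three filenames, the string-function column loses everything after the first `?` or `#`, so any later check runs against a name that does not exist on disk, while the restricted version leaves them intact.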