Make WordPress Core

Opened 17 years ago

Closed 16 years ago

Last modified 14 years ago

#3279 closed defect (bug) (fixed)

Theme doesn't load properly when theme directory name contains a '+' sign

Reported by: ming Owned by: westi
Milestone: 2.3 Priority: high
Severity: normal Version: 2.2
Component: Administration Keywords: themes has-patch dev-reviewed commit
Focuses: Cc:

Description

A theme directory that contains the '+' symbol causes WP to choke on the directory name. Once activated WP can no longer access the theme directory so the site is blank (view source is completely empty).

The 'current theme' section contains no information: ie
"All of this theme’s files are located in ."

I haven't checked other symbols besides the plus sign.

Using WAMP development server on WinXP
WP version 2.1-alpha3 nightly build (oct 22?)

Attachments (1)

3279.diff (770 bytes) - added by westi 16 years ago.
urlencode the arguments that come from the folder names


Change History (12)

#1 @Viper007Bond
17 years ago

  • Milestone set to 2.1
  • Version set to 2.1

I don't have the problem here on 4419. Instead, I am just unable to activate the theme as the activate URL is incorrect:

http://localhost/wordpress-latest/wp-admin/themes.php?action=activate&template=clas%20sic&stylesheet=clas%20sic&_wpnonce=506392aeae

<a href="themes.php?action=activate&amp;template=clas sic&amp;stylesheet=clas sic&#038;_wpnonce=506392aeae" class="screenshot">

The plus sign gets turned into a space.

#2 @matt
17 years ago

  • Milestone changed from 2.1 to 2.2

We should probably disallow this.

#3 @tombarta
17 years ago

Why not just pass it through rawurlencode() when outputting to HTML and rawurldecode() when pulling from input? It'll just convert it to %2B in the page; it doesn't require additional rules for theme developers, and it is indicative that there's an XSS or similar vulnerability lurking around.

A little bit of noodling here...

shell> cp -a classic '" onclick="alert('\''Moo!'\'')"'

When I tried to select this theme from the admin interface, my browser mooed at me.

While this may be for the most part trivial (if you can write the wordpress files you probably have more privileges than wordpress itself does), it does have the potential to be exploited in rare cases.

#4 @Nazgul
17 years ago

  • Component changed from Administration to Security
  • Milestone changed from 2.2 to 2.1.1
  • Priority changed from normal to highest omg bbq

#5 @markjaquith
17 years ago

  • Component changed from Security to Administration
  • Milestone changed from 2.1.1 to 2.2
  • Priority changed from highest omg bbq to high

I don't agree that this is a security issue. If you can write to the theme directory, you can easily take over the blog.

#6 @Speedboxer
17 years ago

  • Keywords theme added
  • Version changed from 2.1 to 2.2

In 2.2 a theme with a + symbol can't even get past activation. The plus gets turned into %20 in the URL and never gets activated.

#7 @Speedboxer
17 years ago

  • Keywords themes added; theme removed

#8 @foolswisdom
17 years ago

  • Milestone changed from 2.2 to 2.3

#9 @westi
16 years ago

  • Keywords has-patch added
  • Owner changed from anonymous to westi
  • Status changed from new to assigned

I believe this is caused by the same issue as #4873; we need to urlencode some stuff.

Attaching patch

@westi
16 years ago

urlencode the arguments that come from the folder names

#10 @markjaquith
16 years ago

  • Keywords dev-reviewed commit added

Yep, good call.

#11 @westi
16 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [6016]) urlencode the theme name and stylesheet name in the activate links so as to support directories with + in the name. Fixes #3279.
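The mechanism behind comments 1, 3 and 11, as an added example that is not code from the ticket, the patch or WordPress: a literal '+' in the query string is decoded as a space by the server, while urlencode() turns it into %2B and also neutralises the quote in the directory name from comment 3. The function names and sample directory names are constructed, and htmlspecialchars() stands in for WordPress's own attribute escaping.

```php
<?php
// Added example (not WordPress code). Constructed sample directory names:
$plusTheme = 'clas+sic';
$xssTheme  = '" onclick="alert(\'Moo!\')"';

// 1. The 2.2 behaviour: the raw folder name is dropped into the query string.
function activate_link_unencoded(string $template): string {
    return 'themes.php?action=activate&template=' . $template
         . '&stylesheet=' . $template;
}

// What the server sees. parse_str() applies application/x-www-form-urlencoded
// rules, so an unencoded '+' decodes to a space and the theme name no longer
// matches any directory (the "clas sic" seen in comment 1).
function server_side_template(string $link): string {
    $query = substr($link, strpos($link, '?') + 1);
    parse_str($query, $params);
    return $params['template'] ?? '';
}

// 2. The fix from [6016]: urlencode() every argument derived from a folder name.
// '+' becomes %2B and decodes back to '+' on the server.
function activate_link_encoded(string $template): string {
    return 'themes.php?action=activate&template=' . urlencode($template)
         . '&stylesheet=' . urlencode($template);
}

// 3. When the link is written into an HTML attribute, urlencode() has already
// turned the '"' from comment 3 into %22, so the attribute cannot be closed
// early. The '&' between parameters still needs HTML escaping; htmlspecialchars()
// plays that role here (WordPress has its own attribute escaping function).
function anchor_tag(string $link): string {
    return '<a href="' . htmlspecialchars($link, ENT_QUOTES) . '" class="screenshot">';
}

$broken = activate_link_unencoded($plusTheme);
$fixed  = activate_link_encoded($plusTheme);

printf("unencoded link : %s\n  server decodes template to : '%s'\n",
       $broken, server_side_template($broken));
printf("urlencoded link: %s\n  server decodes template to : '%s'\n",
       $fixed, server_side_template($fixed));
printf("round-trips after urlencode(): %s\n",
       server_side_template($fixed) === $plusTheme ? 'yes' : 'no');

// The directory name from comment 3, rendered safely as an anchor tag.
echo anchor_tag(activate_link_encoded($xssTheme)), "\n";
```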
