Make WordPress Core

Opened 16 years ago

Closed 15 years ago

Last modified 13 years ago

#3279 closed defect (bug) (fixed)

Theme doesn't load properly when theme directory name contains a '+' sign

Reported by: ming Owned by: westi
Milestone: 2.3 Priority: high
Severity: normal Version: 2.2
Component: Administration Keywords: themes has-patch dev-reviewed commit
Focuses: Cc:

Description

A theme directory that contains the '+' symbol causes WP to choke on the directory name. Once activated WP can no longer access the theme directory so the site is blank (view source is completely empty).

The 'current theme' section contains no information: ie
"All of this theme’s files are located in ."

I haven't checked other symbols besides the plus sign

Using WAMP development server on WinXP
WP version 2.1-alpha3 nightly build (oct 22?)

Attachments (1)

3279.diff (770 bytes) - added by westi 15 years ago.
urlencode the arguments that come from the folder names


Change History (12)

#1 @Viper007Bond
16 years ago

  • Milestone set to 2.1
  • Version set to 2.1

I don't have the problem here on 4419. Instead, I am just unable to activate the theme as the activate URL is incorrect:

http://localhost/wordpress-latest/wp-admin/themes.php?action=activate&template=clas%20sic&stylesheet=clas%20sic&_wpnonce=506392aeae

<a href="themes.php?action=activate&amp;template=clas sic&amp;stylesheet=clas sic&#038;_wpnonce=506392aeae" class="screenshot">

The plus sign gets turned into a space.

#2 @matt
15 years ago

  • Milestone changed from 2.1 to 2.2

We should probably disallow this.

#3 @tombarta
15 years ago

Why not just pass it through rawurlencode() when outputting to HTML and rawurldecode() when pulling from input? It'll just convert it to %2B in the page, it doesn't require additional rules for theme developers, and it is indicative that there's an XSS or similar vulnerability lurking around.

A little bit of noodling here...

shell> cp -a classic '" onclick="alert('\''Moo!'\'')"'

When I tried to select this theme from the admin interface, my browser mooed at me.

While this may be for the most part trivial (if you can write the wordpress files you probably have more privileges than wordpress itself does), it does have the potential to be exploited in rare cases.

#4 @Nazgul
15 years ago

  • Component changed from Administration to Security
  • Milestone changed from 2.2 to 2.1.1
  • Priority changed from normal to highest omg bbq

#5 @markjaquith
15 years ago

  • Component changed from Security to Administration
  • Milestone changed from 2.1.1 to 2.2
  • Priority changed from highest omg bbq to high

I don't agree that this is a security issue. If you can write to the theme directory, you can easily take over the blog.

#6 @Speedboxer
15 years ago

  • Keywords theme added
  • Version changed from 2.1 to 2.2

In 2.2 a theme with a + symbol can't even get past activation. The plus gets turned into %20 in the URL and never gets activated.

#7 @Speedboxer
15 years ago

  • Keywords themes added; theme removed

#8 @foolswisdom
15 years ago

  • Milestone changed from 2.2 to 2.3

#9 @westi
15 years ago

  • Keywords has-patch added
  • Owner changed from anonymous to westi
  • Status changed from new to assigned

I believe this is caused by the same issue as #4873; we need to urlencode some stuff.

Attaching patch

@westi
15 years ago

urlencode the arguments that come from the folder names

#10 @markjaquith
15 years ago

  • Keywords dev-reviewed commit added

Yep, good call.

#11 @westi
15 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [6016]) urlencode the theme name and stylesheet name in the activate links so as to support directories with + in the name. Fixes #3279.
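The round trip that comment #3 describes and that the [6016] commit message implements, as an added example written for this page (not WordPress core code and not the contents of 3279.diff): a theme directory name is interpolated into the activate link either raw or percent-encoded, and the query string is then decoded the way PHP decodes it into $_GET. The nonce value is a constructed placeholder, the helper names are invented, and rawurlencode() is used as tombarta proposed; urlencode() produces the same %2B for the '+' case and differs only in how it encodes spaces.

```php
<?php
declare(strict_types=1);

// Constructed placeholder; a real WordPress nonce is generated per user and action.
const NONCE_PLACEHOLDER = 'nonce-placeholder';

/**
 * Build the query part of the activate link. The directory names come from
 * the filesystem, so they are treated as untrusted input. With $encode=false
 * the raw name is interpolated, which is the behaviour the ticket reports.
 */
function build_activate_query(string $template, string $stylesheet, bool $encode): string
{
    // 'strval' is a no-op encoder used to reproduce the unencoded link.
    $enc = $encode ? 'rawurlencode' : 'strval';
    return 'action=activate'
        . '&template=' . $enc($template)
        . '&stylesheet=' . $enc($stylesheet)
        . '&_wpnonce=' . $enc(NONCE_PLACEHOLDER);
}

/**
 * Render the anchor tag. htmlspecialchars() covers the HTML attribute context,
 * so '&' becomes '&amp;' and a quote in a directory name cannot end the href.
 */
function activate_anchor(string $template, string $stylesheet, bool $encode): string
{
    $query = build_activate_query($template, $stylesheet, $encode);
    return '<a href="themes.php?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '" class="screenshot">';
}

/**
 * Simulate the receiving side: parse_str() decodes a query string with the
 * same application/x-www-form-urlencoded rules PHP uses for $_GET, where a
 * literal '+' means a space.
 */
function template_seen_by_server(string $query): string
{
    parse_str($query, $params);
    return (string) ($params['template'] ?? '');
}

// Constructed directory names: the normal case, the '+' case from the ticket,
// and the quote-bearing name from comment #3.
$cases = [
    'classic',
    'clas+sic',
    '" onclick="alert(\'Moo!\')"',
];

foreach ($cases as $dir) {
    $unencoded = template_seen_by_server(build_activate_query($dir, $dir, false));
    $encoded   = template_seen_by_server(build_activate_query($dir, $dir, true));
    printf(
        "%-32s raw link decodes to %-32s encoded link decodes to %s\n",
        var_export($dir, true),
        var_export($unencoded, true),
        var_export($encoded, true)
    );
    echo '  ', activate_anchor($dir, $dir, true), "\n";
}
```

Run with `php example.php`. For 'clas+sic' the raw link decodes to 'clas sic' (the space Viper007Bond saw in comment #1) while the encoded link decodes back to 'clas+sic'; for the quote-bearing name the encoded href contains only percent-encoded bytes, and htmlspecialchars() keeps the attribute intact even if encoding were skipped. Note that rawurldecode() does not turn '+' into a space, so if input is decoded by hand rather than read from $_GET it should be paired with rawurlencode() as comment #3 suggests.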
