#3279 closed defect (bug) (fixed)
Theme doesn't load properly when theme directory name contains a '+' sign
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 2.3 | Priority: | high |
Severity: | normal | Version: | 2.2 |
Component: | Administration | Keywords: | themes has-patch dev-reviewed commit |
Focuses: | | Cc: | |
Description
A theme directory that contains the '+' symbol causes WP to choke on the directory name. Once activated WP can no longer access the theme directory so the site is blank (view source is completely empty).
The 'current theme' section contains no information, i.e.
"All of this theme’s files are located in ."
I haven't checked other symbols besides the plus sign.
Using WAMP development server on WinXP
WP version 2.1-alpha3 nightly build (oct 22?)
Attachments (1)
Change History (12)
#3
@
16 years ago
Why not just pass it through rawurlencode() when outputting to HTML and rawurldecode() when pulling from input? It'll just convert it to %2B in the page, it doesn't require additional rules for theme developers, and it is indicative that there's an XSS or similar vulnerability lurking around.
A little bit of noodling here...
shell> cp -a classic '" onclick="alert('\''Moo!'\'')"'
When I tried to select this theme from the admin interface, my browser mooed at me.
While this may be for the most part trivial (if you can write the WordPress files you probably have more privileges than WordPress itself does), it does have the potential to be exploited in rare cases.
#4
@
16 years ago
- Component changed from Administration to Security
- Milestone changed from 2.2 to 2.1.1
- Priority changed from normal to highest omg bbq
#5
@
16 years ago
- Component changed from Security to Administration
- Milestone changed from 2.1.1 to 2.2
- Priority changed from highest omg bbq to high
I don't agree that this is a security issue. If you can write to the theme directory, you can easily take over the blog.
#6
@
16 years ago
- Keywords theme added
- Version changed from 2.1 to 2.2
In 2.2 a theme with a + symbol can't even get past activation. The plus gets turned into %20 in the URL and never gets activated.
I don't have the problem here on 4419. Instead, I am just unable to activate the theme as the activate URL is incorrect:
The plus sign gets turned into a space.
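
The two behaviours discussed in comments #3 and #6 (a '+' decoding to a space, and a quote in the directory name breaking out of the attribute) shown side by side, as an added example that is not WordPress code and not from the ticket. It uses only plain PHP functions; the link layout `themes.php?action=activate&template=` and the function names are assumptions for illustration, and the directory names are constructed from the ones mentioned above.

```php
<?php
// Added example: plain PHP, no WordPress functions. The link layout
// (themes.php?action=activate&template=...) is assumed for illustration.

// Unsafe: directory name concatenated straight into the URL and the attribute.
function activation_link_raw(string $dir): string {
    return '<a href="themes.php?action=activate&template=' . $dir . '">Activate</a>';
}

// Safer: encode for the URL component first, then escape for the HTML attribute.
function activation_link_encoded(string $dir): string {
    $url = 'themes.php?action=activate&template=' . rawurlencode($dir);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Activate</a>';
}

// What the server would receive as "template" after following the link:
// take the href value, undo HTML escaping, then decode the query string.
function template_from_href(string $html): ?string {
    if (!preg_match('/href="([^"]*)"/', $html, $m)) {
        return null;
    }
    $href = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    parse_str((string) parse_url($href, PHP_URL_QUERY), $q);
    return $q['template'] ?? null;
}

// Constructed directory names: the '+' case from the report and the
// quote case from the cp command in comment #3.
$names = ['my+theme', '" onclick="alert(\'Moo!\')"'];

foreach ($names as $dir) {
    foreach (['activation_link_raw', 'activation_link_encoded'] as $fn) {
        $html = $fn($dir);
        $seen = template_from_href($html);
        printf("%-24s dir=%s\n  html: %s\n  server sees: %s (%s)\n",
            $fn, $dir, $html, var_export($seen, true),
            $seen === $dir ? 'round-trips' : 'MISMATCH');
    }
}
```

The two steps are applied in order because they protect different contexts: `rawurlencode()` keeps the name intact through query-string decoding, and `htmlspecialchars()` keeps the resulting URL inside the `href` attribute.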