Make WordPress Core

Changes between Version 3 and Version 4 of Ticket #41925, comment 16

Timestamp: 09/20/2017 09:23:36 PM
Author: soulseekah

Comment text, v3 compared with v4 (numbers are the line numbers of the comment body as shown by Trac):

42 (unchanged): And once we do, how do we build a safety net for the myriad of other typos (including stray quotes) in prepare that would also yield the same injection opportunities? Shall we build a parser for a parser? I'm really stumped here.

43 (unchanged): [blank]

44 (v3, removed): I asked for clarification from the vulnerability author (https://medium.com/@soulseekah/hold-on-hold-on-hold-on-45e549d7baf1) and some sort of response might be due. Keeping this shut and hush-hush and secret test cases, seeing how it was disclosed almost 4 weeks ago is really preventing others from exploring the problem space and coming up with a better solution that improves wpdb not makes it worse. The community is ready to help, embrace it. It's what open source is about. Thank you.

44 (v4, added): I asked for clarification from the vulnerability author (https://medium.com/@soulseekah/hold-on-hold-on-hold-on-45e549d7baf1) and some sort of response might be due. Keeping this shut and hush-hush and secret test cases, seeing how it was disclosed almost 4 weeks ago is really preventing others from exploring the problem space and coming up with a better solution that improves wpdb not makes it worse. The community is ready to help, embrace it. It's what open source is about.

45 (v4, added): [blank]

46 (v4, added): But again, this is just a feature request. I would like to see support for numbered placeholders in the prepare statements. I'd probably open the same ticket even if they didn't work at all. So let's figure out a way to do it without breaking the documented compatibility (plain s, f, d). Nothing more, nothing less.

47 (v4, added): [blank]

48 (v4, added): Thank you.