Make WordPress Core

Opened 3 weeks ago

#62224 new enhancement

The class-wp-theme-json.php methods compute_theme_vars and to_ruleset need to be hardened

Reported by: villu164
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.6.2
Component: Themes
Keywords:
Focuses:
Cc:

Description

I first reported the issue on HackerOne and was told this can be a public hardening ticket. (https://hackerone.com/bugs?subject=user&report_id=2623479)

The compute_theme_vars (https://core.trac.wordpress.org/browser/tags/6.6.2/src/wp-includes/class-wp-theme-json.php#L2208) and to_ruleset (https://core.trac.wordpress.org/browser/tags/6.6.2/src/wp-includes/class-wp-theme-json.php#L1900) methods need to be hardened, and theme.json should be considered user-supplied content. Thus the aforementioned methods need to account for that and use proper sanitization.
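As an added illustration of the hardening the ticket asks for (example code written here, not WordPress core or the reporter's code; the helper names and the shape of the preset array are assumptions), a standalone PHP sketch that treats every slug and value read from theme.json as untrusted before it becomes a `--wp--preset--` custom property or is serialised into a ruleset:

```php
<?php
// Added example, not WordPress core code. Hypothetical helpers showing the hardening
// the ticket asks for: slugs and values from theme.json are validated before use.
// Custom-property name parts must be plain CSS identifiers.
function harden_css_var_name(string $part): ?string {
    return preg_match('/^[a-z0-9-]+$/i', $part) ? strtolower($part) : null;
}

// Values may not contain anything that could end the declaration or the
// ruleset ({ } ; comment openers, closing tags) or carry active content.
function harden_css_value(string $value): ?string {
    $value = trim($value);
    if ($value === '' || strlen($value) > 500) return null;
    if (preg_match('#[{};]|/\*|</#', $value)) return null;
    if (preg_match('/expression\s*\(|javascript\s*:|@import|behavior\s*:/i', $value)) return null;
    return $value;
}

// Build --wp--preset--<type>--<slug> declarations from a theme.json-like
// preset array, silently dropping entries that fail validation.
function compute_theme_vars_hardened(array $presets): array {
    $declarations = [];
    foreach ($presets as $type => $entries) {
        $type = harden_css_var_name((string) $type);
        if ($type === null) continue;
        foreach ($entries as $entry) {
            $slug  = harden_css_var_name((string) ($entry['slug'] ?? ''));
            $value = harden_css_value((string) ($entry['value'] ?? ''));
            if ($slug === null || $value === null) continue;
            $declarations["--wp--preset--{$type}--{$slug}"] = $value;
        }
    }
    return $declarations;
}

// Serialise one ruleset; the selector gets the same escape check as values.
function to_ruleset_hardened(string $selector, array $declarations): string {
    if ($declarations === [] || preg_match('#[{}]|</#', $selector)) return '';
    $body = '';
    foreach ($declarations as $name => $value) $body .= "{$name}:{$value};";
    return "{$selector}{{$body}}";
}

// Constructed sample: one valid preset, one slug and one value that must be dropped.
$presets = ['color' => [
    ['slug' => 'primary', 'value' => '#0073aa'],
    ['slug' => 'bad slug', 'value' => 'red'],
    ['slug' => 'escape', 'value' => 'red;}'],
]];
echo to_ruleset_hardened(':root', compute_theme_vars_hardened($presets)), PHP_EOL;
```

Only the `primary` entry survives; the other two are dropped rather than escaped, which keeps the output CSS free of anything the theme author did not explicitly allow.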

Change History (0)
