cordon off all non-entry points from the public
Reported by: jidanni
Owned by: ryan
Gentlemen, I just realized that anybody can go prancing around
the whole file tree, executing php programs left and right.
http://example.net/blog/wp-config.php
http://example.net/blog/wp-admin/includes/
http://example.net/blog/wp-admin/includes/file.php
...
Fatal error: Call to undefined function __() in ...file.php on line 11

Each file will generally produce a different error message.
We are very, very lucky nothing worse happens here, allowing the public
to randomly execute internal components of WordPress that were never
intended to be executed separately, even by the administrator.
Compare this to MediaWiki. No idle executing random PHP files allowed:
$ find * -name .htaccess
includes/.htaccess
languages/.htaccess
maintenance/archives/.htaccess
maintenance/.htaccess
math/.htaccess
serialized/.htaccess
t/.htaccess
tests/.htaccess
$ find * -name .htaccess|xargs cat|sort -u
Deny from all
And for individual files, we observe
die( "This file is part of MediaWiki, it is not a valid entry point" );
Now you might say "go make your own .htaccess files or use a plugin."
However, I say the onus is on the core team to identify the entry
points to be allowed, and cordon the rest off like MediaWiki does!
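The audit the ticket asks for, as an added example that is not part of the ticket or of WordPress or MediaWiki: a POSIX shell script that walks a PHP tree and lists files lacking an entry-point guard (MediaWiki's die() message or WordPress's `defined('ABSPATH')` check, which is the guard WordPress core uses) and subdirectories with no "Deny from all" .htaccess. The sample tree it builds is constructed for the demonstration; the file names in it are invented.

```shell
#!/bin/sh
# Added example, not code from the ticket. Audit a PHP tree for files that
# can be executed directly and for include directories not blocked by Apache.

# Print .php files under $1 whose first 20 lines carry no entry-point guard.
# Real entry points (index.php etc.) appear here too; the maintainer diffs
# this list against the intended entry points and guards everything else.
unguarded_php_files() {
    find "$1" -name '*.php' -type f | LC_ALL=C sort | while IFS= read -r f; do
        if ! head -n 20 "$f" | grep -Eq "defined\([[:space:]]*['\"]ABSPATH['\"]|not a valid entry point"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print subdirectories of $1 that have no .htaccess containing "Deny from all".
# grep -s keeps a missing .htaccess silent; its non-zero status flags the dir.
unprotected_dirs() {
    find "$1" -mindepth 1 -type d | LC_ALL=C sort | while IFS= read -r d; do
        if ! grep -qs 'Deny from all' "$d/.htaccess"; then
            printf '%s\n' "$d"
        fi
    done
}

# Constructed sample tree: one real entry point, one unguarded include (the
# ticket's file.php case), one WordPress-style guard, one MediaWiki-style
# guard in a directory that also has a Deny-from-all .htaccess.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin/includes" "$root/mw/includes"
    printf '<?php\n// intended entry point\necho "home";\n' > "$root/index.php"
    printf '<?php\nfunction foo() { return __("x"); }\n' > "$root/wp-admin/includes/file.php"
    printf '<?php\nif ( ! defined( "ABSPATH" ) ) exit;\n' > "$root/wp-admin/includes/guarded.php"
    printf '<?php\ndie( "This file is part of MediaWiki, it is not a valid entry point" );\n' > "$root/mw/includes/Setup.php"
    printf 'Deny from all\n' > "$root/mw/includes/.htaccess"
    printf '%s\n' "$root"
}

demo_root=$(make_sample_tree)
echo "PHP files without an entry-point guard:"
unguarded_php_files "$demo_root"
echo "Directories without a Deny-from-all .htaccess:"
unprotected_dirs "$demo_root"
```

Run against a real install root, the two lists are the work items: every path in the first list that is not a deliberate entry point needs a guard, and every directory in the second list that holds only includes needs an .htaccess.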
Change History (6)
- Keywords 2nd-opinion dev-feedback added
- Milestone changed from 2.8 to 2.9
- Type changed from defect (bug) to feature request