Wordpress 1.5.1.3 Security Fixes

Posted in Blogging, Code, General by Elliott Back on June 29th, 2005.

Are you curious as to what changed from release 1.5.1.2 to 1.5.1.3 of Wordpress (WP)? I was, so I did a recursive diff of all the files. Here are the interesting additions:

diff -r wordpress\wp-admin\post.php wordpress-old\wp-admin\post.php

> $comment = $_GET['comment'];
> $p = $_GET['p'];
644,645c644,645
< $comment_ID = (int) $_POST['comment_ID'];
< $comment_post_ID = (int) $_POST['comment_post_ID'];

Post identifiers are now protected with an explicit cast from XSS attacks

diff -r wordpress\wp-includes\functions-post.php wordpress-old\wp-includes\functions-post.php

113a118,122
>
> // Do some escapes for safety
> $post_title = $wpdb->escape($post_title);
> $post_excerpt = $wpdb->escape($post_excerpt);
> $post_content = $wpdb->escape($post_content);

Important variables are now escaped first.

diff -r wordpress\wp-includes\version.php wordpress-old\wp-includes\version.php

5c5
< $wp_version = ‘1.5.1.3′;
—
> $wp_version = ‘1.5.1.2′;

The version has been updated, of course.

diff -r wordpress\xmlrpc.php wordpress-old\xmlrpc.php

132,141c131
< foreach ($array as $k => $v) {
< if (is_array($v)) {
< $this->escape($array[$k]);
< } else if (is_object($v)) {
< //skip
< } else {
< $array[$k] = $wpdb->escape($v);
< }
< }
< }

$args are now escaped with php, not some “special” function.

565,567c530,532
< } else if ( !empty($catnames) ) {
< $post_category = array(get_cat_ID($catnames));
< }
—
> } else {
> $post_category[] = 1;
> }

If an XML ping comes in with no category, we use a default of 1 instead.

1270a1218,1222
> $pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = $post_ID");
>
> if (’open’ != $pingstatus)
> die(’Sorry, pingbacks are closed for this item.’);
>

A lot of XML ping checking and validation to make sure the ping is “good.”

That about sums it up!

This entry was posted on Wednesday, June 29th, 2005 at 11:05 pm and is tagged with wp version, catnames, xmlrpc, security fixes, cat id, args, foreach, escapes, lt, excerpt, recursive diff, release 1, array, validation, variables, additions. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback.

Viewing 3 Comments

MacManX 3 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Angsuman assembled an easy-to-use updater package that you might be interested in: http://blog.taragana.com/index.php/archive/word...

reply edit reblog flag

http://www.macmanx.com

elran 3 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

i just upgrade from 1.5.1.2 to 1.5.1.3, and was wondering what the actual diffs were between versions. however, it was late and i just ended up copying the 4 new files over the old ones. Also, i was not at my linux box at the time (anyone know of a free, open source diff program for windows.. with no ads? i did't think so). So thanks for that, i guess.

Anyway, i thought you might be interested in the WordPress plugin called "Force Word Wrapping". You can get it from th WP plugin db, and once activated, it will make sure that long URLs like the one placed by some people (not naming any names - you must be thrilled with M??ManX's comment, and probably so helpful to you too).Give it a try maybe - cause i really like the site design, and it's just killing me to see it get stomped like that..

reply edit reblog flag

http://techblog.touchbasic.com/

Elliott Back 3 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Yeah--I've added the word-wrap CSS attribute for those non-compliant IE browsers, and now the Force Wordwrap plugin (which you can see from the sidebar on the main page is activated). My old layout I think floated the comments, so it wasn't that big a deal--they'd just run harmless off instead of breaking the layout.

reply edit reblog flag

http://elliottback.com