bbPress.org

Opened 8 years ago

Last modified 8 years ago

#1705 new defect

Path disclosure if display_errors is on in production

Reported by: johnjamesjacoby
Owned by: johnjamesjacoby
Milestone: Future Release (Legacy)
Priority: low
Severity: minor
Version: 1.1-alpha
Component: Tools - Warnings/Notices
Keywords: has-patch needs-testing
Cc:

Description

In bbPress 1.x, if display_errors is switched on, it's possible to hit a template file directly which will result in a full path disclosure when bbPress functions like bb_get_header() are not available.

See this report at htbridge for more info.

Having display_errors switched on is not advisable for production sites. Until WordPress embraces display_errors work-arounds for this, I'm inclined to call this a non-issue.

The fix for working around this is relatively invasive, and I'm attaching a patch. I added empty() checks to all exposed (global) variables in the templates and added checks for BB_PATH at the top to prevent direct access in the first place.
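The template-head guard the description refers to, shown as an added example rather than the attached 1705.diff; the file name front-page.php, the $topics global and the topic_title field are assumed names, and the leaked path is a placeholder:

```php
<?php
/*
 * Added example (not bbPress's own code). A bbPress 1.x-style template.
 *
 * The problem the ticket describes: a template that opens with
 *     bb_get_header();
 * and is requested directly over HTTP (e.g. .../front-page.php) runs
 * without the bbPress bootstrap, so bb_get_header() is undefined and,
 * with display_errors=On, PHP prints
 *     Fatal error: Call to undefined function bb_get_header() in
 *     /PLACEHOLDER/ABSOLUTE/PATH/front-page.php on line 2
 * which discloses the server's filesystem layout to the requester.
 */

// Hardened head: BB_PATH is only defined when bbPress bootstrapped this
// request, so refuse direct access before any bbPress function can fail.
if ( ! defined( 'BB_PATH' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit;
}

bb_get_header();

// Same idea for the globals a template reads: an undefined $topics would
// raise a notice whose message also carries the template's absolute path.
if ( ! empty( $topics ) ) {
    echo '<ul>';
    foreach ( $topics as $topic ) {
        // $topic->topic_title is an assumed field name for this example.
        echo '<li>' . htmlspecialchars( $topic->topic_title, ENT_QUOTES, 'UTF-8' ) . '</li>';
    }
    echo '</ul>';
}
```

Note that the guard only removes the leak for bbPress templates; with display_errors left on, any other unguarded PHP file that errors still prints its absolute path, which is why the ticket treats the ini setting itself as the real issue.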

Attachments (1)

1705.diff (28.8 KB) - added by johnjamesjacoby 8 years ago.


Change History (3)

@johnjamesjacoby
8 years ago

#1 @johnjamesjacoby
8 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

#2 @johnjamesjacoby
8 years ago

Lowered priority and severity until WordPress also supports display_errors.
