Skip to:

Opened 12 years ago

Last modified 12 years ago

#1705 new defect (bug)

Path disclosure if display_errors is on in production

Reported by: johnjamesjacoby's profile johnjamesjacoby Owned by: johnjamesjacoby's profile johnjamesjacoby
Milestone: Future Release (Legacy) Priority: low
Severity: minor Version: 1.1-alpha
Component: Tools - Warnings/Notices Keywords: has-patch needs-testing


In bbPress 1.x, if display_errors is switched on, it's possible to hit a template file directly which will result in a full path disclosure when bbPress functions like bb_get_header() are not available.

See this report at htbridge for more info.

Having display_errors switched on is not advisable for production sites. Until WordPress embraces display_errors work-arounds for this, I'm inclined to call this a non-issue.

The fix for working around this is relatively invasive, and I'm attaching a patch. I added empty() checks to all exposed (global) variables in the templates and added checks for BB_PATH at the top to prevent direct access in the first place.

Attachments (1)

1705.diff (28.8 KB) - added by johnjamesjacoby 12 years ago.

Download all attachments as: .zip

Change History (3)

#1 @johnjamesjacoby
12 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

#2 @johnjamesjacoby
12 years ago

Lowered priority and severity until WordPress also supports display_errors.

Note: See TracTickets for help on using tickets.