Opened 13 years ago
Last modified 13 years ago
#1705 new defect (bug)
Path disclosure if display_errors is on in production
Reported by: | johnjamesjacoby | Owned by: | johnjamesjacoby |
---|---|---|---|
Milestone: | Future Release (Legacy) | Priority: | low |
Severity: | minor | Version: | 1.1-alpha |
Component: | Tools - Warnings/Notices | Keywords: | has-patch needs-testing |
Cc: | | | |
Description
In bbPress 1.x, if display_errors is switched on, it's possible to hit a template file directly which will result in a full path disclosure when bbPress functions like bb_get_header() are not available.
See this report at htbridge for more info.
Having display_errors switched on is not advisable for production sites. Until WordPress embraces display_errors work-arounds for this, I'm inclined to call this a non-issue.
The fix for working around this is relatively invasive, and I'm attaching a patch. I added empty() checks to all exposed (global) variables in the templates and added checks for BB_PATH at the top to prevent direct access in the first place.
Lowered priority and severity until WordPress also supports display_errors.
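As an added illustration of the two mitigations the ticket describes, the snippet below is a minimal template in the style of a bbPress 1.x theme file, shown first in its exposed form and then with a direct-access guard keyed on BB_PATH plus empty() checks on a template global. This is example code written for this page, not the ticket's patch and not code shipped by bbPress; the file layout, the `$topic` global and the exact guard are assumptions for illustration, and only the constant name BB_PATH and the function name bb_get_header() are taken from the ticket.

```php
<?php
// Added example (not bbPress code): why a directly requested template leaks
// its path, and how to stop it.
//
// If a client fetches the template file itself (a request straight to
// .../bb-templates/<theme>/front-page.php is assumed here), the bbPress
// bootstrap never runs, so bb_get_header() is undefined and $topic is unset.
// With display_errors=On, PHP prints the resulting fatal error / notice to
// the response, and that message includes the template's full filesystem
// path. With display_errors=Off the same errors go to the log only.

// --- Exposed form (kept only for comparison; do not use) ------------------
//
// bb_get_header();                 // Fatal error: Call to undefined function
//                                  //   bb_get_header() in /<full path>/front-page.php
// echo $topic->topic_title;        // Notice: Undefined variable: topic in /<full path>/...

// --- Hardened form --------------------------------------------------------

// 1. Refuse direct access. BB_PATH is defined by the bbPress bootstrap
//    (assumption: it is set before any template is included). Exiting here
//    raises no PHP error, so there is nothing for display_errors to print.
if ( ! defined( 'BB_PATH' ) ) {
	header( 'HTTP/1.1 403 Forbidden' );
	exit;
}

bb_get_header();

// 2. Do not touch exposed globals without checking them. A template can be
//    reached through a route that never populated $topic; the empty() check
//    avoids the "Undefined variable" notice (and the path it would carry)
//    regardless of the display_errors setting.
global $topic;
if ( ! empty( $topic ) && ! empty( $topic->topic_title ) ) {
	echo htmlspecialchars( $topic->topic_title, ENT_QUOTES, 'UTF-8' );
}

bb_get_footer();
```

The guard is defence in depth rather than a substitute for the correct server setting: on a production host, `display_errors = Off` together with `log_errors = On` in php.ini is what actually keeps error text out of responses, and `php -i | grep display_errors` (or `ini_get('display_errors')` from a script) confirms which value is in effect for the SAPI serving the site.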