Comment by seba_dos1
2 years ago
If the codebase was built on the assumption that user callbacks will execute in a context where POST data is sanitized (which is evidenced by the code that was already there), then failing to sanitize $_REQUEST in addition to $_POST is certainly a security issue.
Of course, relying on such simplistic measures is still brittle and inelegant, but that's another matter. Reworking it would likely be quite invasive to that codebase and far beyond the scope of a security patch.
(also, frankly, the entire WordPress ecosystem isn't particularly known for its high-quality codebase... this kind of "fix" is exactly what you'd expect there even without all that drama around it)
> Security issues can be fixed WITHOUT renaming the plugin or removing links and text even if the original author has no access anymore
Not sure who you're arguing with there, but certainly not with me.
You have plenty of shitty behavior to call out there, so not sure why you decided to announce that there's no security issue being handled at all instead. It only makes your point weaker for no good reason.
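As an added illustration of the point in the comment above (constructed here; it is not ACF's, Secure Custom Fields' or WordPress's code, and every function, callback and request value in it is hypothetical), the following shows why blanking $_POST before handing control to a user callback via call_user_func buys nothing for a callback that reads $_REQUEST, which PHP fills from $_GET, $_POST and (depending on request_order) $_COOKIE:

```php
<?php
// Added illustration, not ACF's, SCF's or WordPress's code. Every name
// below is hypothetical; the request values are constructed for the demo.
// Run offline with: php demo.php

// Constructed request: POST /?action=export with body action=delete&target=all
$_GET    = ['action' => 'export'];
$_POST   = ['action' => 'delete', 'target' => 'all'];
$_COOKIE = [];
// What PHP itself does at startup with request_order "GPC": later sources
// overwrite earlier keys, so the POST value of "action" wins over GET here.
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);

/** @var array<string, callable> $callbacks Hypothetical plugin callback registry. */
$callbacks = [];

function register_callback(string $name, callable $fn): void
{
    global $callbacks;
    $callbacks[$name] = $fn;
}

// The "simplistic measure": blank out raw POST data around the user callback,
// assuming the callback will then only see the validated array it is handed.
function dispatch_post_only(string $name, array $validated): string
{
    global $callbacks;
    $savedPost = $_POST;
    $_POST = [];
    try {
        return (string) call_user_func($callbacks[$name], $validated);
    } finally {
        $_POST = $savedPost;
    }
}

// The fuller variant the comment argues is needed: $_REQUEST is cleared too,
// because it carries its own copy of the POST (and GET/COOKIE) values.
function dispatch_post_and_request(string $name, array $validated): string
{
    global $callbacks;
    $savedPost    = $_POST;
    $savedRequest = $_REQUEST;
    $_POST    = [];
    $_REQUEST = [];
    try {
        return (string) call_user_func($callbacks[$name], $validated);
    } finally {
        $_POST    = $savedPost;
        $_REQUEST = $savedRequest;
    }
}

// A callback written the way a lot of plugin code is: it reaches for the raw
// superglobals first and only falls back to the validated array it was given.
register_callback('export_handler', function (array $validated): string {
    $action = $_REQUEST['action'] ?? $_POST['action'] ?? $validated['action'] ?? '(none)';
    $target = $_REQUEST['target'] ?? $_POST['target'] ?? $validated['target'] ?? '(none)';
    return "action=$action target=$target";
});

// Whatever the framework decided this request is actually allowed to do.
$validated = ['action' => 'export'];

echo "POST cleared only:        ", dispatch_post_only('export_handler', $validated), PHP_EOL;
echo "POST and REQUEST cleared: ", dispatch_post_and_request('export_handler', $validated), PHP_EOL;
```

The first dispatch still hands the callback the raw "delete"/"all" values through $_REQUEST even though $_POST is empty; only the second, which clears $_REQUEST as well, leaves the callback with nothing but the validated "export" action. The same leak would occur if the values arrived in the query string rather than the body, which is why a guard built on this pattern has to cover every superglobal the callbacks might read, not just the one the framework happens to validate.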
If anything, the problem here is call_user_func, which when an attacker HAS ACCESS TO THE CODE, can be dangerous.
How on earth does emptying POST or REQUEST solve anything at all in that regard? How on earth does, no matter what crap ACF added BEFORE the takeover, this "Fix" justify a hostile takeover? Whether or not there is a security issue with this code (which there IS, but not with POST or REQUEST data) is not even the matter anymore - it was and is posed and defended as an "urgent action to fix a security issue in a plugin the author has no access to".
And I repeat - there has not been any security fix!!
Read my root comment:
> because the only relevant changes are actually neither introducing fixes, nor ever changing the plugin core code in a way that fixes security issues.
And I stand by that. Anyone reading this code can see it.
> How on earth does, no matter what crap ACF added BEFORE the takeover, this "Fix" justify a hostile takeover?
You can continue arguing with yourself, but I don't need to be there.
Why do you not actually provide some researched facts? I mean, I am all ears to stand corrected. Yet it appears all you (and other Automatticians, and/or other employees) can do is deflect and talk down, pretending you know better. Do you? Then teach your fellow humans where they are wrong. So far, I still have not been proven wrong about this pretended fix, which fixed nothing at all.