Wordpress 4.2 XSS emergency fix
--- wordpress/wp-comments-post.php 2015-01-08 08:05:25.000000000 +0100
+++ htdocs/wp-comments-post.php 2015-04-27 16:50:24.250000000 +0200
@@ -12,6 +12,12 @@
exit;
}
+$psize=0;
+foreach($_POST as $p) {
+ $psize += strlen($p);
+}
+if ($psize > 50000) die("Comment too large");
+
/** Sets up the WordPress Environment. */
require( dirname(__FILE__) . '/wp-load.php' );
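Review bot: the loop at `foreach($_POST as $p)` passes every value to `strlen($p)` without a type check; an array-valued field (PHP parses `name[]=...` into a nested array) makes `strlen()` emit a warning and return NULL, so that field contributes 0 bytes and the cap under-counts. Guard with `if (is_string($p))`, or sum nested values with `array_walk_recursive`. Two smaller points: `die("Comment too large")` runs before `wp-load.php` is required, so the response is a bare plain-text string rather than a `wp_die()` page, and 50000 raw POST bytes is a heuristic bound on the input, not on the stored length, because the filter that runs later can expand the content.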
@sarciszewski


commented Apr 27, 2015

--- wordpress/wp-comments-post.php  2015-01-08 08:05:25.000000000 +0100
+++ htdocs/wp-comments-post.php 2015-04-27 16:50:24.250000000 +0200

---wordpress vs +++htdocs?

@GuillaumeLeclerc


commented Apr 27, 2015

Does anyone know why the XSS filter is not applied before storing to the database? If the message is safe before putting it into the database, truncating it would cause no harm, right?

@hannob

Owner Author

commented Apr 27, 2015

This patch is obsolete now, please use the official upstream fix in WordPress 4.2.1:
https://wordpress.org/news/2015/04/wordpress-4-2-1/

@GuillaumeLeclerc the problem is a bit tricky. The filter is applied, but the data is truncated later. And browsers do trickery to try to interpret invalid code, which in this case leads to the truncation creating JavaScript the browser can interpret.
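The order-of-operations problem hannob describes, as an added example that is not part of the gist or of WordPress: the sanitizer below is a stand-in (`htmlspecialchars`) for the kses filter, the 65535-byte limit is an assumed MySQL `TEXT` column size, and `substr()` stands in for the silent truncation the database performs. It shows that escaping can grow the content past the limit, so a cap on the raw POST size does not guarantee the filtered comment fits, and that the safe fix is to measure the filtered output and reject rather than truncate.

```php
<?php
// Added example, not from the gist or WordPress. Assumptions: the column is a
// MySQL TEXT (65535 bytes) and the database truncates silently on overflow.
const COMMENT_COLUMN_BYTES = 65535;

/** Stand-in sanitizer: escapes markup, as a strict allow-list filter would. */
function sanitize_comment(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Unsafe order: sanitize, then let the storage layer truncate. The cut can
 * land inside an entity or tag the sanitizer produced, so what is stored is
 * no longer the text the filter approved.
 */
function store_unsafe(string $raw): string {
    $clean = sanitize_comment($raw);
    return substr($clean, 0, COMMENT_COLUMN_BYTES); // mimics TEXT truncation
}

/**
 * Safe order: sanitize, measure the *filtered* output in bytes (strlen()
 * counts bytes, the unit MySQL applies to TEXT), and refuse to store anything
 * that would not fit. Nothing is ever truncated after filtering.
 */
function store_safe(string $raw): ?string {
    $clean = sanitize_comment($raw);
    if (strlen($clean) > COMMENT_COLUMN_BYTES) {
        return null; // caller reports "comment too long"
    }
    return $clean;
}

// Constructed input: plain text padded so that escaping one small tag pushes
// the filtered comment just past the column limit. Raw size is 65536 bytes,
// which a raw-input cap of the same size would accept.
$raw = str_repeat('a', COMMENT_COLUMN_BYTES - 2) . '<b>';

$clean = sanitize_comment($raw);
assert(strlen($clean) === COMMENT_COLUMN_BYTES + 7);   // '<b>' became '&lt;b&gt;'

$stored = store_unsafe($raw);
assert(substr($stored, -2) === '&l');                   // entity cut in half
assert(store_safe($raw) === null);                      // rejected, not truncated
echo "filtered length: ", strlen($clean), " bytes; unsafe store ends with '",
     substr($stored, -2), "'; safe store rejects: ",
     var_export(store_safe($raw) === null, true), "\n";
```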
