
@hannob
Created April 27, 2015 14:52
Wordpress 4.2 XSS emergency fix
--- wordpress/wp-comments-post.php 2015-01-08 08:05:25.000000000 +0100
+++ htdocs/wp-comments-post.php 2015-04-27 16:50:24.250000000 +0200
@@ -12,6 +12,12 @@
exit;
}
+$psize=0;
+foreach($_POST as $p) {
+ $psize += strlen($p);
+}
+if ($psize > 50000) die("Comment too large");
+
/** Sets up the WordPress Environment. */
require( dirname(__FILE__) . '/wp-load.php' );
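Review bot: `strlen($p)` in the added loop assumes every `$_POST` value is a string; a form can submit array-valued fields (`name[]`), for which `strlen()` emits a warning and returns NULL in PHP 5 (a TypeError in PHP 8), so those fields add nothing to `$psize` and the limit is not enforced for them. Consider summing `is_string($p) ? strlen($p) : strlen(http_build_query($p))`, or bounding the whole body with `strlen(file_get_contents('php://input'))` regardless of field shape. The `die("Comment too large")` also answers with HTTP 200; calling `http_response_code(413)` first keeps clients and logs from recording the rejection as a success.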
@sarciszewski

--- wordpress/wp-comments-post.php  2015-01-08 08:05:25.000000000 +0100
+++ htdocs/wp-comments-post.php 2015-04-27 16:50:24.250000000 +0200

---wordpress vs +++htdocs?

@GuillaumeLeclerc

Does anyone know why the XSS filter is not applied before storing to the database? If the message is safe before putting it into the database, truncating it would cause no harm, right?

@hannob
Author

hannob commented Apr 27, 2015

This patch is obsolete now, please use the official upstream fix in WordPress 4.2.1:
https://wordpress.org/news/2015/04/wordpress-4-2-1/

@GuillaumeLeclerc the problem is a bit tricky. The filter is applied, but the data is truncated later. And browsers do trickery to try to interpret invalid code, which in this case leads to the truncation creating JavaScript the browser can interpret.
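As an added illustration of the ordering problem described above (filter first, truncate at storage time later), not code from this gist or from WordPress: a constructed Python model in which a toy sanitizer emits well-formed markup and a fixed-width store then cuts it mid-tag, beside a checked version that applies the limit to the filtered value and verifies that storage kept it intact. The sanitizer, the 64-byte column width and the sample comments are all constructed for the example.

```python
import html
import re

# Constructed filter: escapes everything except a plain quoted link, standing in
# for a comment sanitizer that runs before storage. Not WordPress's own filter.
LINK = re.compile(r'<a href="([^"<>]*)">([^<>]*)</a>')
COLUMN_BYTES = 64  # constructed, deliberately tiny stand-in for a fixed-width column

def sanitize(comment: str) -> str:
    """Escape the comment, re-emitting only links that match the allowed form."""
    out, pos = [], 0
    for m in LINK.finditer(comment):
        out.append(html.escape(comment[pos:m.start()]))
        href, text = html.escape(m.group(1), quote=True), html.escape(m.group(2))
        out.append(f'<a href="{href}">{text}</a>')
        pos = m.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)

def store(value: str) -> str:
    """Model a storage layer that silently cuts the value at the column width."""
    return value.encode()[:COLUMN_BYTES].decode(errors="ignore")

def store_filter_then_truncate(comment: str) -> str:
    """Broken order: the filter sees well-formed markup, then storage cuts it mid-tag."""
    return store(sanitize(comment))

def store_checked(comment: str):
    """Apply the limit to the filtered value and verify storage kept it intact.
    Returns the stored string, or None when the comment is rejected."""
    clean = sanitize(comment)
    # Escaping only grows the text, so the limit must hold on the filtered output,
    # not just on the raw POST body that a request-level size check looks at.
    if len(clean.encode()) > COLUMN_BYTES:
        return None
    stored = store(clean)
    return stored if stored == clean else None

def tag_balance(markup: str) -> int:
    """An unclosed '<' left behind by truncation shows up as a positive balance."""
    return markup.count("<") - markup.count(">")

# Constructed comments: the first one's link straddles the column boundary.
OVERSIZED = "x" * 40 + '<a href="https://example.com/page">site</a>'
SHORT = 'see <a href="https://example.com">this</a> & that'
```

Running `store_filter_then_truncate(OVERSIZED)` yields a value ending in an unterminated `<a href="https://example`, while `store_checked` rejects the same comment and stores the short one unchanged.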
