2008/11/7 Andrea De Iacovo <[EMAIL PROTECTED]>:
> On Fri, 07/11/2008 at 15.36 -0600, Raphael Geissert wrote:
>>
>> You can also set cookies via javascript code, e.g.
>> <script>document.cookie = "GLOBALS=1;domain=.domain.tld"; </script>
>
> OK, that's true.
>
> So let's see what we have:
> 1. $_REQUEST references are widely used in WordPress.
> 2. the standard EGPCS makes cookies overwrite GET and POST values in $_REQUEST
> 3. such values are used in "dangerous" cases (such as user deletion or logout after redirection).
> 4. "grave" data loss (user, post, comments deletion) could be avoided by not logging in as administrator (but only as a user with some privileges)
All fine, although 4 is more a social than a technical problem, as there is no way we can force users to do that (although I definitely agree that it is a way to mitigate many possible issues).

> 5. the issue is related to WordPress only and does not influence other parts of the system
> 6. we can try to prepare a workaround while we wait for an official fix from upstream: maybe I could implement a function to check if dangerous cookies are present and stop any other operation until those cookies are removed.

You better not, that's how the GLOBALS DoS works.

> So I agree that I absolutely have to solve the bug(s) but I keep thinking it should be set as important instead of grave.

But please do work with upstream so the changes actually take place up there.

Like I said to Thijs: although I do believe that the whole situation makes it a critical issue, I am OK if the consensus turns out to be that it isn't critical, as long as the severity isn't dropped to anything below important.

> Thank you very much for all your help with the issue.
> If you need more information just ask me, please.

Thank *you* for being collaborative :)

> Cheers.
>
> Andrea

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Bill Vaughan - "The tax collector must love poor people, he's creating so many of them."
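The EGPCS precedence discussed in the thread, as an added example that is not part of this e-mail exchange or of WordPress: it simulates how PHP composes $_REQUEST from the GET, POST and cookie sources so it runs offline without real superglobals (the build_request and request_param functions and the sample arrays are constructed for this illustration), and shows the defensive accessor that never lets a cookie stand in for a form parameter.

```php
<?php
// Added example: simulate how PHP fills $_REQUEST. Under the default
// variables_order "EGPCS" (and under request_order in PHP >= 5.3) the
// sources are merged in the given order, so a later source overwrites
// an earlier one: a cookie named like a GET/POST parameter wins.
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge lets the later source overwrite existing keys
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Hardened accessor: name the sources a state-changing parameter may
// legitimately come from. Cookies are deliberately never consulted, so
// a cookie planted on the domain cannot turn "view" into "delete".
function request_param(string $name, array $get, array $post): ?string
{
    if (array_key_exists($name, $post)) {
        return $post[$name];
    }
    if (array_key_exists($name, $get)) {
        return $get[$name];
    }
    return null;
}

// Constructed sample input: a form field and a cookie sharing one name.
$get    = ['page' => 'users'];
$post   = ['action' => 'view'];
$cookie = ['action' => 'delete']; // constructed stand-in for a JS-set cookie

$legacy = build_request($get, $post, $cookie, 'EGPCS'); // cookie merged last
$strict = build_request($get, $post, $cookie, 'GP');    // cookies excluded

printf("EGPCS order: action=%s\n", $legacy['action']);
printf("GP order:    action=%s\n", $strict['action']);
printf("accessor:    action=%s\n", request_param('action', $get, $post));
```

With "EGPCS" the cookie's value is the one that reaches the application, while both the "GP" order and the explicit accessor return the POSTed value; in PHP 5.3 and later the equivalent server-side setting is request_order = "GP" in php.ini.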