Tag Archives: drama

Part 3: Safety nets vs. bad code

If you haven’t looked at part 1 and 2 here, I suggest you do before reading on. This is a direct continuation of part 1.

So the original $wpdb->prepare vulnerability, which, I remind you is based on a potential typo in third-party code, is followed up with a new potential vulnerability based on double preparing a query. So again, bad third-party code.

So here’s one for you. If a developer does $wpdb->prepare( "SELECT * FROM wp_users where ID = %d OR %d". $_GET['param1'], $_GET['param2'] ); (note the . instead of the ,) do I also get a $500 bounty? How far will this go? Will the method be removed completely because #security? To what extent should WordPress and PHP be blamed for potential developer mistakes?

Shouldn’t these be addressed in the actual third-party code and not in core? I’m at a complete and utter loss now. What’s next?

Shout outs to Slavco for bringing all these issues up both with the codebase and the community, and how things are or should be handled.

On WordPress Security and Contributing

…and how neither really worked today.

A sad story in two parts, where I’m rash, harsh and untactful. An explanation, a rant, a call for support, a call for action. You do not have to agree with me, I may be just an asshole and haven’t realized it yet 😉

Continue reading