Comments (15)
I would also suggest having a look at the following (existing) sniffs to see if these can/should be (partially) incorporated:
- WordPress.VIP.FileSystemWritesDisallow
- WordPress.VIP.RestrictedFunctions
- WordPress.VIP.SessionFunctionsUsage
from wpthemereview.
Some of the sniffs in WPCS are not separated correctly, so that is why I opened an issue to discuss it: WordPress/WordPress-Coding-Standards#582
We'd need to go through this one function by function. There's a lot that we'd allow: https://github.com/WPTRT/WordPress-Coding-Standards/blob/feature/theme-review-sniffs/WordPress/Sniffs/VIP/RestrictedFunctionsSniff.php
@justintadlock Totally, that is also why I created a new issue upstream to separate some of these checks so that we can only use which applies to us. WordPress/WordPress-Coding-Standards#582
Does the backtick operator even work out of context, i.e. outside a shell_exec?
Update: Yes, it does.
Second Update: ... with PHP 7.0.5 / Ubuntu 14.04 LTS / Linux x86_64
Tested the following in my local fiddle (similar to PHPFiddle; wrote it a few years ago, for quicker PHP tests):
$file = `uname -a`;
echo $file;
Which resulted in the expected output
Linux coolrunnings 4.2.0-41-generic #48~14.04.1-Ubuntu SMP Fri Jun 24 17:09:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Further tests with:
- whoami => (my user name)
- groups => (the groups my user name is in)
- ls ~ => (display the content of the home directory of the current user)
went through successfully as well. One with malicious intent could easily cobble together a rootkit / intrusion kit with that. Also, one with next-to-none knowledge about sanitization and security could accidentally tear open a BIG fat security hole for people of the former persuasion.
So yes, there should DEFINITELY be a test for (and against) the backtick operator.
cu, w0lf.
> Does the backtick operator even work out of context, i.e. outside a shell_exec?

Well, only on PHP < 5.4 and only when safe_mode is off, but yes, in that case, it would work.
> Well, only on PHP < 5.4 and only when safe_mode is off, but yes, in that case, it would work.
Sorry, but: not true. My development environment uses PHP 7 (version 7.0.5 to be exact). Guess where I tested it? ;)
Also, there is no more safe_mode after PHP 5.4: http://php.net/manual/en/features.safe-mode.php
cu, w0lf.
@ginsterbusch Of course. I'm getting confused, it's late here 😴
@jrfnl No offense taken :)
yeah, it's late, leaning towards early (dawn is creeping up already).
cu, w0lf.
@ginsterbusch Still an hour or so before it gets light... all the same - result: squizlabs/PHP_CodeSniffer#1073
Is there a danger from preg_replace() with the 'e' modifier?
@joyously Yes there is, but that would be a rule to itself, as the preg_replace() function itself should not be blocked and this sniff is not about checking the function parameters.
Related upstream PR covering preg_replace() with /e (and currently not mergeable because of licensing issues): WordPress/WordPress-Coding-Standards#608
Regarding the backtick operator for executing shell commands:
The upstream PR at PHPCS has been merged, but is currently not yet contained in a released version.
I've pushed a branch which can be used for the PR once PHPCS releases a version containing this sniff.
Branch: https://github.com/WPTRT/WordPress-Coding-Standards/commits/WPTRT/PHPCS2.7/feature/disallow-backtick-shell-execution
Relevant commit: f71fbc8
I am cleaning up a hack on one of my client sites, and the injected code starts with:
$l___l_='base'.(32*2).'_de'.'code';
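For the three constructs this thread touches (the backtick operator, preg_replace() with the /e modifier, and the obfuscated base64_decode call above), here is a small token-based scanner in the spirit of a PHPCS sniff. It is an added example, not the WPTRT/PHPCS sniff itself or any project code; the function names pattern_has_e_modifier and scan_php_source and the sample input are my own.

```php
<?php
// Added example, not the WPTRT/PHPCS sniff: a token-based scanner that flags the backtick
// shell-execution operator, preg_replace() with a literal /e pattern, and calls through a
// variable ($fn(...)), the shape that obfuscated code such as
// $l___l_='base'.(32*2).'_de'.'code' (which evaluates to 'base64_decode') is built for.
function pattern_has_e_modifier(string $literal): bool
{
    $pattern = substr($literal, 1, -1);                         // strip the quotes
    if ($pattern === '') return false;
    $close = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'][$pattern[0]] ?? $pattern[0];
    $end   = strrpos($pattern, $close);                         // closing delimiter
    if ($end === false || $end === 0) return false;
    return strpos(substr($pattern, $end + 1), 'e') !== false;  // modifiers follow the delimiter
}
function scan_php_source(string $code): array
{
    $tokens = token_get_all($code);
    $n      = count($tokens);
    $next   = function (int $i) use ($tokens, $n) {            // next non-whitespace token index
        while ($i < $n && is_array($tokens[$i]) && $tokens[$i][0] === T_WHITESPACE) $i++;
        return $i < $n ? $i : null;
    };
    $findings = []; $line = 1;                                 // line of the last array token seen
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if ($tok === '`') {                                    // 1. backtick operator
            $findings[] = ['backtick-shell-exec', $line];
            while (++$i < $n && $tokens[$i] !== '`') {}        // skip to the closing backtick
            continue;
        }
        if (!is_array($tok)) continue;
        $line = $tok[2];
        $j    = $next($i + 1);
        $call = ($j !== null && $tokens[$j] === '(');
        if ($call && $tok[0] === T_STRING && strtolower($tok[1]) === 'preg_replace') {
            $k = $next($j + 1);                                // 2. literal first argument with /e?
            if ($k !== null && is_array($tokens[$k]) && $tokens[$k][0] === T_CONSTANT_ENCAPSED_STRING
                && pattern_has_e_modifier($tokens[$k][1])) {
                $findings[] = ['preg_replace-e-modifier', $line];
            }
        }
        if ($call && $tok[0] === T_VARIABLE) {                 // 3. $fn(...) dynamic call
            $findings[] = ['variable-function-call', $line];
        }
    }
    return $findings;
}
// Constructed sample (not from the thread) hitting all three rules: expect one finding per rule.
$sample = '<?php $o = `uname -a`; $s = preg_replace("/x/e", "f()", $s); $f = "base" . (32*2) . "_de" . "code"; $f($d);';
print_r(scan_php_source($sample));
```

The variable-call rule is a review heuristic rather than a hard error, since legitimate callback code has the same shape; the other two map directly to the sniffs discussed above.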
Would love to hear if there is some new info about this 🙂