Bjørn Johansen
Member
Posted 5 months ago #
The plugin sure does what it says, but I'm concerned about the security here.
As whatever a user enters as "widget logic" gets eval()'ed by PHP, any user with access to modifying widgets essentially could do whatever to the full installation. E.g. a user could enter [information removed - Mark] to delete everything you got on the host.
I couldn't find it anywhere in the plugin code, but there sure should be a whitelist of functions allowed in code like this.
http://wordpress.org/extend/plugins/widget-logic/
Could you send information to plugins@wordpress.org please?
I will then pass this directly to the developer.
I edited your post to remove the code.
alanft
Member
Posted 5 months ago #
Bjørn, you are not the first person to note this, and actually I'm surprised it's not in the "Other Notes" section of the documentation - I'm going to add that to my 'to do' list - as I've discussed the possible security issue on a few posts here. The consensus being that the quid pro quo of keeping anyone but widget admins out of editing the code is a sufficient price for the power/simplicity of the main idea. It's 'with great power comes great responsibility' of course.
If anyone has some simple 'function whitelist' code they can point me at I'll take a look.
When I first posted WL (years ago) I noted words to the effect that 'for now' I'm using a simple eval, but might try something more sophisticated if people have a problem with the security implications of this.
Cheers - A
alanft
Member
Posted 5 months ago #
What I said last time:
http://wordpress.org/support/topic/widget-logic-security
Also I'll be doing a new release soon and I'm going to add the warning back in and make it *specifically* check for current_user_can('edit_theme_options')
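Added example (not Widget Logic's own code, and not from either poster): the two mitigations discussed in this thread, a current_user_can('edit_theme_options') gate at save time and a token-level whitelist that admits only known conditional tags before anything reaches eval(). It assumes it runs inside WordPress, where current_user_can and the is_* tags exist; the allowed-function list is an assumed starting set, not the plugin's.

```php
<?php
// Added example, not the plugin's code. Default-deny tokenizer check: every
// token in the widget logic must be in an allowlist, and every bare identifier
// must be a whitelisted conditional tag or a boolean literal.

const WIDGET_LOGIC_ALLOWED_FUNCTIONS = [
    'is_home', 'is_front_page', 'is_single', 'is_page', 'is_category',
    'is_archive', 'is_search', 'is_404', 'is_singular', 'is_user_logged_in',
];
// Token kinds permitted in a logic expression; anything else (variables,
// namespaces, backticks, includes, comments, ...) is rejected.
const WIDGET_LOGIC_ALLOWED_TOKENS = [
    T_OPEN_TAG, T_WHITESPACE, T_STRING, T_LNUMBER, T_CONSTANT_ENCAPSED_STRING,
    T_BOOLEAN_AND, T_BOOLEAN_OR, T_IS_EQUAL, T_IS_NOT_EQUAL,
    T_IS_IDENTICAL, T_IS_NOT_IDENTICAL,
];
const WIDGET_LOGIC_ALLOWED_CHARS = ['(', ')', ',', '!', ';'];

// Returns the offending token texts; an empty array means the logic is acceptable.
function widget_logic_violations(string $logic): array {
    $bad = [];
    foreach (token_get_all('<?php ' . $logic . ';') as $t) {
        if (is_string($t)) {                      // single-character token
            if (!in_array($t, WIDGET_LOGIC_ALLOWED_CHARS, true)) $bad[] = $t;
            continue;
        }
        [$id, $text] = $t;
        if (!in_array($id, WIDGET_LOGIC_ALLOWED_TOKENS, true)) { $bad[] = $text; continue; }
        if ($id === T_STRING) {
            $name = strtolower($text);
            if ($name !== 'true' && $name !== 'false'
                && !in_array($name, WIDGET_LOGIC_ALLOWED_FUNCTIONS, true)) {
                $bad[] = $text;
            }
        }
    }
    return array_values(array_unique($bad));
}

// Save-time gate: only users allowed to edit theme options, and only clean logic.
function widget_logic_can_save(string $logic): bool {
    return current_user_can('edit_theme_options') && widget_logic_violations($logic) === [];
}

// Render-time: re-validate the stored string before eval(), so a value that
// reached the database by some other path still cannot run arbitrary code.
function widget_logic_show_widget(string $logic): bool {
    if (trim($logic) === '') return true;          // no logic: always show
    if (widget_logic_violations($logic) !== []) return false;
    return (bool) eval('return (' . $logic . ');');
}
```

With this in place, `is_home() && !is_user_logged_in()` passes, while anything using `$`, a backslash, a backtick or an unlisted function name is refused before eval() ever sees it.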