Widget Logic
Security hole? (4 posts)

  1. Bjørn Johansen
    Posted 4 years ago #

    The plugin sure does what it says, but I'm concerned about the security here.

    As whatever a user enters as "widget logic" gets eval()'ed by PHP, any user with access to modifying widgets essentially could do whatever to the full installation. E.g. a user could enter [information removed - Mark] to delete everything you got on the host.

    I couldn't find it anywhere in the plugin code, but there sure should be a whitelist of functions allowed in code like this.


  2. Mark (podz)
    Support Maven
    Posted 4 years ago #

    Could you send information to plugins@wordpress.org please?
    I will then pass this directly to the developer.

    I edited your post to remove the code.

  3. alanft
    Plugin Author

    Posted 4 years ago #

    Bjørn you are not the first person to note this, and actually I'm surprised it's not in the "Other Notes" section of the documentation - I'm going to add that to my 'to do' list - as I've discussed the possible security issue on a few posts here. The consensus being that the quid pro quo of keeping anyone but widget admins out of editing the code is a sufficient price for the power/simplicity of the main idea. it's 'with great power comes great responsibility' of course

    if anyone has some simple 'function whitelist' code they can point me at I'll take a look.

    when i first posted WL (years ago) I noted words to the effect that 'for now' I'm using a simple eval, but might try something more sophisticated if people have a problem with the security implications of this.

    Cheers - A

  4. alanft
    Plugin Author

    Posted 4 years ago #

    what i said last time:


    also i'll be doing a new release soon and I'm going to add the warning back in and make it *specifically* check for current_user_can('edit_theme_options')
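
A sketch of the "function whitelist" idea raised in this thread, combined with the current_user_can('edit_theme_options') check from the last post. This is an added example, not Widget Logic's code: the helper names and the list of permitted functions are assumptions, and it validates at the token level so that nothing reaches eval() unless every token is on the allowlist.

```php
<?php
// Added example, not Widget Logic's code. The whitelist is an assumed starting
// set of WordPress conditional tags; every helper name here is hypothetical.
const WL_ALLOWED_FUNCTIONS = ['is_home', 'is_front_page', 'is_page', 'is_single',
    'is_category', 'is_archive', 'is_user_logged_in'];
const WL_KEYWORDS = ['true', 'false', 'null'];

// True only if $logic is built from whitelisted calls, string/integer literals,
// true/false/null, !, &&, ||, commas and grouping parentheses.
function wl_logic_is_allowed(string $logic): bool
{
    $tokens = token_get_all('<?php ' . $logic);
    array_shift($tokens);                        // drop the T_OPEN_TAG added above
    $sig = [];                                   // significant tokens: [kind, text]
    foreach ($tokens as $t) {
        if (is_array($t) && $t[0] === T_WHITESPACE) continue;
        $sig[] = is_array($t) ? [$t[0], strtolower($t[1])] : [$t, $t];
    }
    $prevKind = $prevText = null;
    foreach ($sig as $i => [$kind, $text]) {
        $next = $sig[$i + 1][1] ?? null;
        if ($kind === T_STRING) {
            $isCall = in_array($text, WL_ALLOWED_FUNCTIONS, true) && $next === '(';
            $isKeyword = in_array($text, WL_KEYWORDS, true) && $next !== '(';
            if (!$isCall && !$isKeyword) return false;
        } elseif ($kind === T_CONSTANT_ENCAPSED_STRING || $kind === T_LNUMBER) {
            if ($next === '(') return false;     // 'name'(...) is a call in PHP 7+
        } elseif ($kind === '(') {
            // "(" must follow a whitelisted name (a call) or open a group.
            $opensGroup = in_array($prevText, [null, '(', ',', '!', '&&', '||'], true);
            if ($prevKind !== T_STRING && !$opensGroup) return false;
        } elseif (!in_array($kind, [')', ',', '!', T_BOOLEAN_AND, T_BOOLEAN_OR], true)) {
            return false;                        // variables, ;, backticks, ::, new, ...
        }
        [$prevKind, $prevText] = [$kind, $text];
    }
    return $sig !== [];
}

// Save-time gate: the capability check named in the thread plus the validator.
function wl_accept_logic(string $logic): bool
{
    return current_user_can('edit_theme_options') && wl_logic_is_allowed($logic);
}

// Constructed inputs; runs outside WordPress because nothing is evaluated.
foreach (["is_page('about') && !is_user_logged_in()", "phpinfo()", "'is_home'()"] as $s) {
    printf("%-45s %s\n", $s, wl_logic_is_allowed($s) ? 'allowed' : 'rejected');
}
```

The validator checks tokens, not grammar, so an accepted string can still be malformed (unbalanced parentheses, for instance); the code that evaluates it should catch ParseError.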

Topic Closed

This topic has been closed to new replies.
