Support » Plugin: Widget Logic » [Plugin: Widget Logic] Security hole?

  • The plugin sure does what is says, but I’m concerned about the security here.

    As whatever a user enters as “widget logic”, gets eval()’ed by PHP, any user with access to modifying widgets essentially could do whatever to to full installation. E.g. a user could enter [informaton removed- Mark] to delete everything you got on the host.

    I couldn’t find it anywhere in the plugin code, but there sure should be a whitelist of functions allowed in code like this.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Mark (podz)


    Support Maven

    Could you send information to please?
    I will then pass this directly to the developer.

    I edited your post to remove the code.

    Plugin Contributor alanft


    Bjørn you are not the first person to note this, and actually I’m surprised it’s not in the “Other Notes” section of the documentation – I’m going to add that to my ‘to do’ list – as I’ve discussed the possible security issue on a few posts here. The consensus being that the quid pro quo of keeping anyone but widget admins out of editing the code is a sufficient price for the power/simplicity of the main idea. it’s ‘with great power comes great responsibility’ of course

    if anyone has some simple ‘function whitelist’ code they can point me at I’ll take a look.

    when i first posted WL (years ago) I noted words to the effect that ‘for now’ I’m using a simple eval, but might try something more sophisticated if people have a problem with the security implications of this.

    Cheers – A

    Plugin Contributor alanft


    what i said last time:

    also i’ll be doing a new release soon and I’m going to add the warning back in and make it *specifically* check for current_user_can(‘edit_theme_options’)

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘[Plugin: Widget Logic] Security hole?’ is closed to new replies.