Zranitelnosti v k\u00f3du plugin\u016f a \u0161ablon se objevuj\u00ed neust\u00e1le. Aktu\u00e1ln\u011b se ale jedn\u00e1 o plugin, kter\u00fd pro zrychlen\u00ed str\u00e1nek pou\u017e\u00edv\u00e1 v\u00edce ne\u017e milion u\u017eivatel\u016f. <\/p>\n\n\n\n
Probl\u00e9m pon\u011bkud m\u00edrn\u00ed to, \u017ee chybu lze vyu\u017e\u00edt pouze, kdy\u017e je na webu aktivn\u00ed i plugin Classic Editor, ale ten m\u00e1 5 milion\u016f aktivn\u00edch instalac\u00ed, tak\u017ee pr\u016fnik bude ve stovk\u00e1ch tis\u00edc. <\/p>\n\n\n\n
V\u0161e spo\u010d\u00edv\u00e1 v tom, \u017ee plugin v metod\u011b set_urls_with_terms vkl\u00e1d\u00e1 do SQL dotazu prom\u011bnnou $id, kter\u00e9 nen\u00ed dostate\u010dn\u011b zkontrolov\u00e1na. <\/p>\n\n\n\n
public static function set_urls_with_terms(){\n global $wpdb;\n $terms = $wpdb->get_results(\"SELECT * FROM `\".$wpdb->prefix.\"term_relationships` WHERE `object_id`=\".static::$id, ARRAY_A);\n\n foreach ($terms as $term_key => $term_val){\n static::set_term_urls($term_val[\"term_taxonomy_id\"]);\n }\n}<\/code><\/pre>\n\n\n\nStatick\u00e1 prom\u011bnn\u00e1 $id, je definov\u00e1na pomoc\u00ed set_id metody:<\/p>\n\n\n\n
public static function set_id(){\n if(isset($_GET[\"post\"]) && $_GET[\"post\"]){\n static::$id = esc_sql($_GET[\"post\"]);\n\n if(get_post_status(static::$id) != \"publish\"){\n static::$id = 0;\n }\n }\n}<\/code><\/pre>\n\n\n\nNa prvn\u00ed pohled se m\u016f\u017ee zd\u00e1t, \u017ee program\u00e1tor pou\u017eit\u00edm esc_sql() v\u0161e spr\u00e1vn\u011b vy\u0159e\u0161il, ale bohu\u017eel, funkce pou\u017e\u00edv\u00e1 metodu _escape t\u0159\u00eddy WPDB. <\/p>\n\n\n\n
function esc_sql( $data ) {\n global $wpdb;\n return $wpdb->_escape( $data );\n}<\/code><\/pre>\n\n\n\nKdy\u017e se pod\u00edv\u00e1te na _escape ve WPDB, zjist\u00edte, \u017ee p\u0159es _real_escape se pro bezpe\u010dnou kontrolu pou\u017e\u00edv\u00e1 mysqli_real_escape_string.<\/p>\n\n\n\n