[New Sniff] Forbidden functions #9
Comments
|
I would also suggest having a look at the following (existing) sniffs to see if these can/should be (partially) incorporated: |
|
Some of the sniffs in WPCS are not separated correctly so that is why I opened an issue to discuss it WordPress/WordPress-Coding-Standards#582 |
|
We'd need to go through this one function by function. There's a lot that we'd allow: https://github.com/WPTRT/WordPress-Coding-Standards/blob/feature/theme-review-sniffs/WordPress/Sniffs/VIP/RestrictedFunctionsSniff.php |
|
@justintadlock Totally, that is also why I created a new issue upstream to separate some of these checks so that we can only use which applies to us. WordPress/WordPress-Coding-Standards#582 |
|
Does the backtick operator even work out of context, ie. outside a shell_exec? Update: Yes, it does. $file = `uname -a`;
echo $file;Which resulted in the expected output Further tests with:
went successfully through as well. One with malicious intent could easily cobble together a rootkit / intrusion kit with that. Also, one with next-to-none knowledge about sanitization and security could accidently tear open a BIG fat security hole for people of the former persuasion. So yes, there should DEFINITELY be a test for (and against) the backtick operator. cu, w0lf. |
Well, only on PHP < 5.4 and only when |
Sorry, but: not true. My development environment uses PHP 7 (version 7.0.5 to be exact). Guess where I tested it? ;) Also, there is no more safe_mode after PHP 5.4: http://php.net/manual/en/features.safe-mode.php cu, w0lf. |
|
@ginsterbusch Of course. I'm getting confused, its late here 😴 |
|
@jrfnl No offense taken :) cu, w0lf. |
|
@ginsterbusch Still an hour or so before it gets light... all the same - result: squizlabs/PHP_CodeSniffer#1073 |
|
Is there a danger from preg_replace() with the 'e' modifier? |
|
@joyously Yes there is, but that would be a rule to itself as the Related upstream PR covering |
|
Regarding the backtick operator for executing shell commands: The upstream PR at PHPCS has been merged, but is currently not yet contained in a released version. Branch: https://github.com/WPTRT/WordPress-Coding-Standards/commits/WPTRT/PHPCS2.7/feature/disallow-backtick-shell-execution |
|
I am cleaning up a hack on one of my client sites, and the injected code starts with: |
|
Would love to hear if there is some new info about this 🙂 |
Rule:
A number of functions are forbidden for use in a theme.
Current list:
eval()ini_set()popen()proc_open()exec()shell_exec()system()passthru()base64_decode()base64_encode()uudecode()str_rot13()Ref: https://make.wordpress.org/themes/handbook/review/required/theme-check-plugin/#check-for-bad-things
Theme check file covering this rule:
https://github.com/Otto42/theme-check/blob/master/checks/badthings.php
Decision needed:
The above list needs proper review - is this list complete ?
Should the WPCS
WordPress.PHP.DiscouragedFunctionssniff be turned on as well ?Should there also be a check against the use of the backtick operator ?
Ref: http://php.net/manual/en/language.operators.execution.php
To do:
WordPress.PHP.DiscouragedFunctionssniff to the ruleset.The text was updated successfully, but these errors were encountered: