WordPress 2.9 – exec-php and header injection

Upgrades to WordPress 2.9 on several of the production blogs – and it’s the same old issue with php header injection.

I’ve blogged about this before – and raised a trac ticket. I’m probably going to write a plugin to solve this one for good.

Here’s the change – around line 863 of wp-includes/pluggable.php

/*
** Remove header injection piece - fix for exec-php
** evilzenscientist - 27 Dec 09
** originally from 28 May 08
** ref http://trac.wordpress.org/ticket/2860
        if ( $is_IIS ) {
                header("Refresh: 0;url=$location");
        } else {
                if ( php_sapi_name() != 'cgi-fcgi' )
                        status_header($status); // This causes problems on I
                header("Location: $location", true, $status);
        }
}
endif;
**
*/
/** added new header injection and refresh
** http://trac.wordpress.org/ticket/2860
** evilzenscientist - 28 May 2008
*/
if( !headers_sent() ) {
if ($is_IIS)
header("Refresh: 0;url=$location");
else
header("Location: $location");
} else
echo "<meta http-equiv='refresh' content='0;url=$location' />";
}
endif;
/** end of change */

Leave a Reply

Your email address will not be published. Required fields are marked *