[Implement sniff ?] Prevent path disclosure on add_theme_page ? #18
Comments
This path should not be used period and in combination with anything theme I would agree for the rule only if we generalize it. On Tuesday, July 12, 2016, Juliette notifications@github.com wrote:
|
@emiluzelac We can cover not allowing |
I disagree to a generalized rule on It's like the whole |
What is a legit use for it? On Friday, July 15, 2016, Justin Tadlock notifications@github.com wrote:
|
I use a theme that uses |
Drop-in libraries often need it for finding correct paths and so on. The real question though is why discourage the use in the first place? Is there a particular issue? If so, we should address those specifically. |
Consistency. Can drop-in libraries not use core paths? On Fri, Jul 15, 2016 at 3:15 PM, Justin Tadlock notifications@github.com
|
Some drop-ins are used in plugins and themes. |
And in this case there is a particular issue this would address, see the original issue description above. |
That makes sense @Pross, thanks :) |
As the sniff prevents a security issue I am going to add the check. |
PR #19 merged... |
Decision needed by Theme Review Board:
There is currently no rule to check for the use of __FILE__ in combination with add_theme_page() which could lead to full path disclosure.
There is already a sniff available in WPCS which will check this - WordPress.VIP.PluginMenuSlug.
Should this sniff be activated for theme reviews?
Advice: Follow WP VIP's lead in this.
To do:
WordPress.VIP.PluginMenuSlug sniff to the ruleset.
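A simplified way to detect the pattern described in this issue, as an added example (it is not the WordPress.VIP.PluginMenuSlug sniff's code and not code from this project): it tokenizes PHP source and reports add_theme_page() calls whose fourth argument, the menu slug, contains __FILE__. The function name find_file_menu_slugs and the sample theme code are hypothetical, and only unqualified add_theme_page() calls are matched.

```php
<?php
// Added example: a minimal token scan, not the WPCS sniff's implementation.
/** Return line numbers of add_theme_page() calls with __FILE__ in the 4th argument ($menu_slug). */
function find_file_menu_slugs( string $source ): array {
    $tokens = token_get_all( $source );
    $count  = count( $tokens );
    $skip   = array( T_WHITESPACE, T_COMMENT, T_DOC_COMMENT );
    $hits   = array();
    for ( $i = 0; $i < $count; $i++ ) {
        $t = $tokens[ $i ];
        if ( ! is_array( $t ) || T_STRING !== $t[0] || 'add_theme_page' !== strtolower( $t[1] ) ) {
            continue;
        }
        // Move past whitespace and comments to the opening parenthesis.
        $j = $i + 1;
        while ( $j < $count && is_array( $tokens[ $j ] ) && in_array( $tokens[ $j ][0], $skip, true ) ) {
            $j++;
        }
        if ( $j >= $count || '(' !== $tokens[ $j ] ) {
            continue; // Name used without a call.
        }
        $depth = 0; // Nesting of () and [] inside the call.
        $arg   = 0; // Zero-based index of the argument being read.
        for ( ; $j < $count; $j++ ) {
            $tok = $tokens[ $j ];
            if ( is_array( $tok ) ) {
                if ( 3 === $arg && T_FILE === $tok[0] ) {
                    $hits[] = $t[2]; // Line of the add_theme_page token.
                }
            } elseif ( '(' === $tok || '[' === $tok ) {
                $depth++;
            } elseif ( ')' === $tok || ']' === $tok ) {
                if ( 0 === --$depth ) {
                    break; // End of this call's argument list.
                }
            } elseif ( ',' === $tok && 1 === $depth ) {
                $arg++;
            }
        }
    }
    return array_values( array_unique( $hits ) );
}
// Constructed sample theme code: the first call uses __FILE__ as the slug, the second a fixed slug.
$sample = <<<'PHP'
<?php
add_theme_page( 'Options', 'Options', 'edit_theme_options', __FILE__, 'mytheme_render' );
add_theme_page( 'Options', 'Options', 'edit_theme_options', 'mytheme-options', 'mytheme_render' );
PHP;
print_r( find_file_menu_slugs( $sample ) );
```

The menu slug is what appears in the admin URL's page parameter, which is why a fixed string such as the second call's slug avoids exposing the file path.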