yaronuliel's Replies | ww.wp.xz.cn

Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)

Forum: Plugins
In reply to: [W3 Total Cache] [BUG] Wrong assumption for logged in cookie name

Thread Starter yaronuliel
(@yaronuliel)

2 years, 2 months ago

Hi @vmarko
This is not exactly the same –

Firstly, you have some places where the string wordpress_logged_in is hardcoded, with no option to filter or modify via settings (e.g. here)

Secondly, WordPress default behavior is not to use "wordpress_logged_in" but to use the constant LOGGED_IN_COOKIE (which happens to have the default value wordpress_logged_in user – it sound similar, but it is not the same. Same way you shouldn’t hardcode wp-content in your code base, but use the provided constants/functions to get the correct value

You shouldn’t expect someone to install w3tc and think about whether someone has previously changed the values. Not only that, but it is also hard to track the issue, and people might easily get the production with it (I only spotted it after 3 days, since it needed to have a very specific chain of events for it to really matter in my case)

I still argue that this should be fixed in the plugin source, and should be treated as a security issue (information disclosure vulnerability).

Forum: Plugins
In reply to: [Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin] Bug: Can’t override templates when theme is installed as composer package

Thread Starter yaronuliel
(@yaronuliel)

2 years, 10 months ago

Is there anybody out there?

Viewing 2 replies - 1 through 2 (of 2 total)