PlaceSpeak / wp-placespeak-connect

A WordPress plugin for code-free integration of PlaceSpeak's "Connect" GeoID API.
https://www.placespeak.com/connect/about/

Prevent direct file access #11

Open hughstimson opened 7 years ago

hughstimson commented 7 years ago

From the WordPress plugin directory reviewers:

Allowing Direct File Access to plugin files

Direct file access is when someone directly queries your file. This can be done by simply entering the complete path to the file in the URL bar of the browser but can also be done by doing a POST request directly to the file. For files that only contain a PHP class the risk of something funky happening when directly accessed is pretty small. For files that contain procedural code, functions and function calls, the chance of security risks is a lot bigger.

You can avoid this by putting this code at the top of all php files:

if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
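
To make the reviewers' point concrete, here is an added example of a plugin file with procedural code protected by the ABSPATH guard. It is not code from wp-placespeak-connect; the file name, the `example_` function and option names, the nonce action and the settings field are all assumptions for illustration. WordPress defines ABSPATH while bootstrapping (in wp-load.php) before any plugin file is included, so a request that hits the file directly arrives with the constant undefined and the guard stops execution before the rest of the file runs.

```php
<?php
/**
 * Added example (hypothetical example-settings.php), not part of
 * wp-placespeak-connect.
 *
 * When this file is requested directly, e.g.
 *   GET  /wp-content/plugins/example/example-settings.php
 *   POST /wp-content/plugins/example/example-settings.php
 * WordPress has not been loaded, so ABSPATH is undefined and we stop here.
 * Without this guard, the file-scope call to add_action() below would run
 * outside WordPress and fail with "Call to undefined function add_action()",
 * which, with display_errors on, echoes the server's filesystem path to the
 * caller; any other file-scope code that touched $_POST would run with no
 * authentication, nonce or capability checks at all.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Exit if accessed directly
}

/**
 * Hypothetical settings handler. Every check it relies on is a WordPress
 * function, which only exists when this file is loaded through WordPress.
 */
function example_handle_settings_post() {
    if ( ! isset( $_POST['example_settings_nonce'] ) ) {
        return; // not our form submission
    }

    // CSRF protection: dies unless the nonce is valid for this action.
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    // Authorization: only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ) );
    }

    // Input handling: unslash, then sanitize before persisting.
    $api_key = isset( $_POST['example_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        : '';

    update_option( 'example_api_key', $api_key );
}

// File-scope procedural code: this is exactly the kind of line the reviewers
// warn about. With the guard in place it is only reached via WordPress.
add_action( 'admin_init', 'example_handle_settings_post' );
```

A quick check after adding the guard is to request the file directly (for instance with `curl -i` against the plugin path) and confirm the body is empty; a PHP error naming a WordPress function or a filesystem path means the guard is missing or sits below some procedural code. The guard is a defense inside the PHP file only; denying direct requests to plugin PHP at the web server is a separate, complementary control.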

hughstimson commented 7 years ago

This is addressed (I think) by ee43a1af7cb7b6a918530f332800352bb582b99d, but depending on how we handle issue #12 may need to be updated.

soulseekah commented 7 years ago

https://github.com/PlaceSpeak/wp-placespeak-connect/commit/ee43a1af7cb7b6a918530f332800352bb582b99d fixed this correctly, can confirm.