Day: December 12, 2004

Wordform is a project to create a new weblogging tool that incorporates some ideas I’ve had for a tool for a couple of years now. It’s based on WordPress, an open source, GPL PHP/MySQL application; inheriting some functionality, while extending the product in new directions.

This site serves as the test site for Wordform development, as well as the beginnings of tool documentation. I will be documenting each change, before I make the change, describing the purpose and planned behavior; after with the code.

Stay tuned…

The first changes being made to the initial snapshot of the WordPress 1.3a code is to incorporate the ‘floating cloud’ design currently being used at Burningbird into a 1.3 theme. While I’m at it, I’m also moving the default pages down into the themes directory, to minimize the number of files at the root directory of the installation.

While I’m making the changes, pages and links may break from time to time. When finished, this effort should also be usable as a template/theme for WordPress 1.3a, and will incorporate, among other things: live comment preview, post-comment editing, and comment spell checkings.

A vulnerability was discovered with WordPress 1.2.1 and 1.3a, as detailed here and in a forum thread for WordPress, here. This was caused by the fact that an important system variable, siteurl is modified in wp-login.php if the application detects that the URI used to access wp-login.php has changed from what’s stored in the database.

As detailed in both of the above locations, there is usually more than one way to access a specific file, and accessing the file using different variations of URL results in a change to this value that could cause problems with the site. At a minimum, it could result in unnecessary updates to the database.

The current WordPress release was modified to lessen the amount of destructiveness of this vulnerability, but it hasn’t eliminated the problem completely. To fix the remaining vulnerability, I’ve removed the code that updates this value in the database from wp-login.php (though I’ve left the option in the database for now). Unfortunately, this leaves the original problem that served as reason for this code, which is to make it easier to move your WordPress weblog if you need to. Without this code, moving your weblog to another directory can make the administrative pages impossible to access. When I removed the vulnerability, I added back this problem.

To fix this original problem, I added SITEURL as a new parameter to the wp-config.php file, now renamed wf-config.php to differentiate it from the WordPress file. Now, when the WordPress weblog is moved, you can use a text editor to change this value:

define (’SITEURL’, ‘http://wordform.org’);

I also modified the code in the functions.php file that loads siteurl from the database, setting the cached values to that of SITEURL from the wf-config.php file.

if (’siteurl’ == $option->option_name) {
$option->option_value = preg_replace(’|/+$|’, ‘’, SITEURL);
}

This is an interim fix, while the rest of the code is adjusted not to depend on this as an option loaded from the database. Once I’m sure this is so, I’ll remove the option from the database.