Remote Code Execution (RCE)
Introduction
This article covers ways to protect code against remote code execution (RCE) vulnerabilities. The focus is on validating the user's input properly before it is allowed to decide which function runs.
How to secure
For a dynamic function call (for example `$func()`) or a call made through the call_user_func function, we recommend checking the requested name against a whitelist of the functions that are allowed to be called. is_callable() on its own is not a security check: it returns true for any defined function, so a user who controls the name can reach functions the shortcode was never meant to expose.
function image_render_callback( $atts ) {
    $atts = shortcode_atts( array( 'sanitize' => 'esc_attr', 'src' => '', 'text' => '' ), $atts );

    $chosen_callback   = $atts['sanitize'];
    // Only these functions may ever be reached through the attribute.
    $allowed_functions = array( 'trim', 'esc_attr', 'esc_html', 'sanitize_text_field' );
    $text              = '';

    // Whitelist first, with strict comparison (third argument true), then confirm
    // the function exists before calling it.
    if ( ! empty( $chosen_callback )
        && in_array( $chosen_callback, $allowed_functions, true )
        && is_callable( $chosen_callback ) ) {
        $text = call_user_func( $chosen_callback, $atts['text'] );
    }

    // img is a void element and has no closing tag; the text follows the image.
    return sprintf( "<img src='%s'>%s", esc_attr( $atts['src'] ), esc_html( $text ) );
}
add_shortcode( 'imagerender', 'image_render_callback' );
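As an added example that is not part of the original article, the following file puts a shortcode handler that calls whatever function its attribute names next to a hardened version that resolves the attribute through a fixed lookup table, so the user value is only ever an array key. The function names unsafe_render_text(), safe_render_text() and safe_text_filters() are hypothetical, and the stand-ins for esc_attr(), esc_html(), sanitize_text_field() and shortcode_atts() are an assumption made so the file runs from the command line outside WordPress.

```php
<?php
// Added example, not the article's own code: a shortcode handler that lets the
// attribute pick the function (vulnerable) next to one that resolves the
// attribute through a fixed lookup table (hardened).
//
// Assumption: the stand-ins below replace the WordPress functions so the file
// runs with plain `php`; inside WordPress they are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) {
        return trim( strip_tags( (string) $text ) );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( array $defaults, $atts ) {
        $atts = (array) $atts;
        $out  = array();
        foreach ( $defaults as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}

// VULNERABLE (hypothetical name): the attribute value becomes the function
// name. is_callable() is not a security check; it is true for any defined
// function, so whoever writes the shortcode chooses what runs.
function unsafe_render_text( $atts ) {
    $atts = shortcode_atts( array( 'sanitize' => 'esc_attr', 'text' => '' ), $atts );
    $fn   = $atts['sanitize'];
    if ( ! empty( $fn ) && is_callable( $fn ) ) {
        return call_user_func( $fn, $atts['text'] );  // arbitrary function call
    }
    return '';
}

// HARDENED (hypothetical name): user-facing names map to a closed set of
// callables chosen by the developer. The user value is only ever an array key;
// it is never passed to is_callable() or call_user_func() itself.
function safe_text_filters() {
    return array(
        'trim' => 'trim',
        'attr' => 'esc_attr',
        'html' => 'esc_html',
        'text' => 'sanitize_text_field',
    );
}

function safe_render_text( $atts ) {
    $atts    = shortcode_atts( array( 'sanitize' => 'attr', 'text' => '' ), $atts );
    $filters = safe_text_filters();
    $key     = (string) $atts['sanitize'];
    // array_key_exists() is an exact string match: no loose comparison.
    if ( ! array_key_exists( $key, $filters ) ) {
        // Unknown name: fall back to the safest filter, never call the raw value.
        return esc_html( $atts['text'] );
    }
    return call_user_func( $filters[ $key ], $atts['text'] );
}

// Demonstration with a harmless stand-in for a dangerous function: strrev()
// plays the role of system()/exec(), so nothing is executed on this machine.
$probe = array( 'sanitize' => 'strrev', 'text' => 'dangerous' );
echo "unsafe: ", unsafe_render_text( $probe ), "\n";  // the attacker-chosen function ran
echo "safe:   ", safe_render_text( $probe ), "\n";    // not in the table, text only escaped
echo "safe:   ", safe_render_text( array( 'sanitize' => 'html', 'text' => '<b>x</b>' ) ), "\n";
```

The lookup-table form has two advantages over an in_array() whitelist: the names users see can differ from the PHP functions behind them, so nothing about the implementation leaks into the shortcode syntax, and there is no way for a loose comparison or a later edit that drops the strict flag to widen the set. The same pattern applies to any place a user-controlled string selects a callback, including array_map(), usort() and preg_replace_callback().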