[wp-trac] [WordPress Trac] #55067: Use of undefined constant ABSPATH - assumed 'ABSPATH' as of WP5.9
WordPress Trac
noreply at wordpress.org
Thu Jan 25 23:31:05 UTC 2024
#55067: Use of undefined constant ABSPATH - assumed 'ABSPATH' as of WP5.9
-----------------------------------+------------------------------
Reporter: maveloweb | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 5.9
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion | Focuses:
-----------------------------------+------------------------------
Comment (by azaozz):
Replying to [comment:11 jorbin]:
> I think this is something that is best solved at a hosting level by
preventing direct PHP file access to wp-includes
Yep I tend to agree. There aren't (shouldn't be) any "entry points" in
`/wp-includes`, however the .js and .css files should be accessible by the
web server.
As far as I see almost all PHP files there do not have "loose" PHP code in
them, i.e. only contain functions and classes and don't do anything even
when loaded directly. This is the proper "architectural design" for all
.php files in `/wp-includes` (and generally for all "includes" directories
as the name suggests; files there can only be "included" in other files,
not accessed directly).
However `wp-includes/blocks/index.php` does not follow these simple design
rules and includes "loose" PHP code that runs in the global scope.
Thinking there are several "PHP architectural design" bugs there that need
fixing. This will also prevent any output if that file is accessed
directly, just like most of the files in `/wp-includes`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55067#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list