[wp-trac] [WordPress Trac] #31603: Don't change $_SERVER['REQUEST_URI'] just to filter the current URL query string

WordPress Trac noreply at wordpress.org
Thu Apr 30 04:54:03 UTC 2015


#31603: Don't change $_SERVER['REQUEST_URI'] just to filter the current URL query
string
-------------------------+------------------------------
 Reporter:  morganestes  |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  General      |     Version:  4.2
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  administration
-------------------------+------------------------------

Comment (by morganestes):

 @johnbillion I first came across this when working on #23367 and trying to
 create a canonical admin URL. By the time the admin header fires,
 `$_SERVER['REQUEST_URI']` has already been modified by core several times,
 most often by `remove_query_arg()`.

 For example: in
 [https://core.trac.wordpress.org/browser/tags/4.2.1/src/wp-admin/network/themes.php#L26 themes.php],
 it's been modified to remove
 'enabled', 'disabled', 'deleted', 'error' from the query string, so when
 we check for any of those in the query later when we're actually
 triggering something based on their existence, `$_SERVER['REQUEST_URI']`
 no longer reflects the true value from initial page load. This becomes a
 problem with things like dismissible or non-repeating notices.

 In [https://core.trac.wordpress.org/browser/tags/4.2.1/src/wp-admin/upload.php#L219 upload.php]
 it's overwritten multiple times, but not
 for specific use later in the file.

 Nearly every instance of changing the value is due to modifying the query
 string for displaying or hiding admin messages. The exceptions are for
 setting values for IIS.

 My main concern is that although it's possible for it to change, modifying
 a server global in multiple places makes it a challenge to know what its
 value is when used elsewhere and it loses its trustworthiness as a true
 server value, especially since `add_query_arg()` and `remove_query_arg()`
 default to `$_SERVER['REQUEST_URI']` if no URL param is passed. It should
 remain a read-only value and any modifications should be to a new variable
 (even if it's a filterable one).

--
Ticket URL: <https://core.trac.wordpress.org/ticket/31603#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
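
The behaviour described in the comment above, as an added example that is not part of the ticket or of WordPress core. `strip_query_args()` and `has_query_arg()` are hypothetical stand-ins (the first for `remove_query_arg()`) so the file runs without WordPress, and the request URI is constructed sample input.

```php
<?php
// Hypothetical stand-in for remove_query_arg(): returns the URI without
// the named query keys. It never touches $_SERVER itself.
function strip_query_args(array $keys, string $uri): string {
    $parts = parse_url($uri);
    $query = [];
    parse_str($parts['query'] ?? '', $query);
    $query = array_diff_key($query, array_flip($keys));
    $path  = $parts['path'] ?? '/';
    return $query ? $path . '?' . http_build_query($query) : $path;
}

// Hypothetical helper: does the URI's query string carry this key?
function has_query_arg(string $key, string $uri): bool {
    $query = [];
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $query);
    return array_key_exists($key, $query);
}

$notice_keys = ['enabled', 'disabled', 'deleted', 'error'];

// Constructed request: a theme was just deleted on a network admin screen.
$_SERVER['REQUEST_URI'] = '/wp-admin/network/themes.php?deleted=1&paged=2';

// Pattern the ticket objects to: the server value is overwritten in place.
// A copy of $_SERVER is used here only so both patterns fit in one run.
$mutated = $_SERVER;
$mutated['REQUEST_URI'] = strip_query_args($notice_keys, $mutated['REQUEST_URI']);

// Code that runs later and trusts the "server" value cannot see the flag.
echo "mutated global still has 'deleted': ";
var_dump(has_query_arg('deleted', $mutated['REQUEST_URI']));

// Pattern the ticket proposes: treat the global as read-only and put the
// filtered URL in a new variable that display code uses explicitly.
$clean_url = strip_query_args($notice_keys, $_SERVER['REQUEST_URI']);

echo "untouched global still has 'deleted': ";
var_dump(has_query_arg('deleted', $_SERVER['REQUEST_URI']));
echo "derived URL for links and forms: {$clean_url}\n";
```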

