[wp-trac] [WordPress Trac] #38317: Fixing full path disclosure in rss.php
WordPress Trac
noreply at wordpress.org
Sat Oct 15 15:49:04 UTC 2016
#38317: Fixing full path disclosure in rss.php
--------------------------+-----------------------
Reporter: damian1989 | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Feeds | Version:
Severity: minor | Resolution:
Keywords: | Focuses:
--------------------------+-----------------------
Changes (by mark-k):
* status: closed => reopened
* resolution: wontfix =>
Comment:
@ocean90, yes, this is nothing security related, but it is a bug. PHP
files should either do output or do only function/class definitions. Since
rss.php here was not designed to do output, it should just not do any
output when it is parsed, like all other core files that contain just
function definitions, and should output an empty page if accessed directly, no
other output, no side effect.
If I run with wp_debug off, I will still get an error in my logs because
obviously it is a PHP error, but the point of having wp_debug off is to
not get them.
This call needs to be protected by checking that the function exists or
WP_DEBUG is set.
For output generating files (wp-includes\theme-compat\footer.php) it is
actually worse because this check breaks backward compatibility, which the
deprecation notices are not supposed to do. Yeah, no one should have a
reason to remotely load them, but if they do, a "function not existing"
type of error should not be output before the HTML, again especially when
wp_debug is off.
Looking further along these lines of reasoning, wp-includes-embed is a double
offender as it will give an error also on the include it does when
accessed directly. Hmmm, same problem with the two admin files that use
this deprecation function.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38317#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
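The pattern the comment argues for, as an added illustration that is not code from WordPress core or from the ticket: a definitions-only file that calls the `_deprecated_file()` helper at top level. The page does not quote the actual call in rss.php, so the replacement file name and the helper function below are assumptions; what matters is the guard. Loaded inside WordPress, the helper exists and the notice follows normal WP_DEBUG handling. Requested directly, nothing has defined the helper, so the unguarded form dies with "Call to undefined function", and where `display_errors` is on that message carries the absolute path of the file (the full path disclosure the ticket title refers to); where it is off, the fatal still lands in the error log. The guarded form returns before any output, so a direct request yields an empty page and a clean log.

```php
<?php
// Added example (not WordPress core code): a function-definition-only file
// that emits a deprecation notice on load, in unguarded and guarded forms.
//
// Unguarded form, as the comment describes the problem. Outside WordPress
// nothing has defined _deprecated_file(), so PHP raises a fatal error whose
// message includes __FILE__'s absolute path when display_errors is on, and
// fills the log with a PHP error when it is off:
//
//   _deprecated_file( basename( __FILE__ ), '3.0.0', 'example-replacement.php' );
//
// Guarded form, what the comment asks for: only call the helper when it
// exists, otherwise produce no output at all, like any other definitions-only
// core file.

if ( ! function_exists( '_deprecated_file' ) ) {
    // Loaded outside WordPress (e.g. requested directly): stop here with an
    // empty response and no side effects. A top-level return ends the script
    // when run directly and ends the include when the file is included.
    return;
}

// Replacement file name is a placeholder, not the value rss.php uses.
_deprecated_file( basename( __FILE__ ), '3.0.0', 'example-replacement.php' );

/**
 * Hypothetical legacy helper standing in for the functions the file defines.
 * Loading this file inside WordPress still registers it; loading it directly
 * never reaches this point, which is the behaviour the comment wants.
 */
function example_legacy_helper( $value ) {
    return (string) $value;
}
```

The same `function_exists()` guard applies to the other definitions-only files the comment mentions; for files that are meant to generate output (the theme-compat templates), the guard alone does not restore backward compatibility, since those files are expected to render HTML and the deprecation call sits before that HTML.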