[wp-trac] [WordPress Trac] #41999: /wp-includes/theme-compat/embed.php causes unnecessary errors in request log
WordPress Trac
noreply at wordpress.org
Wed Sep 27 08:25:21 UTC 2017
#41999: /wp-includes/theme-compat/embed.php causes unnecessary errors in request
log
-------------------------+------------------------------
 Reporter:  arjenlentz   |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  General      |     Version:  4.8.2
 Severity:  normal       |  Resolution:
 Keywords:  close        |     Focuses:
-------------------------+------------------------------
Changes (by swissspidy):
* keywords: => close
* type: defect (bug) => enhancement
Old description:
> FastCGI sent in stderr: "PHP message: PHP Fatal error: Call to undefined
> function get_header() in [...]/wp-includes/theme-compat/embed.php on line
> 13"
>
> It's being called directly: "GET /wp-includes/theme-compat/embed.php
> HTTP/1.1"
> Of course people shouldn't, but they do, for a purpose: to derive certain
> information or find vulnerabilities.
> It also clutters error logs, which may cause real errors to get missed.
>
> Other WP include and plugin files that contain direct code (rather than
> only function/class definitions), have a catch for this:
>
> if ( ! defined( 'ABSPATH' ) ) {
>     exit; // Exit if accessed directly.
> }
>
> I suggest this gets added to the top of the
> /wp-includes/theme-compat/embed.php file.
> Easy fix.
> thanks
New description:
FastCGI sent in stderr: "PHP message: PHP Fatal error: Call to undefined
function get_header() in [...]/wp-includes/theme-compat/embed.php on line
13"
It's being called directly: "GET /wp-includes/theme-compat/embed.php
HTTP/1.1"
Of course people shouldn't, but they do, for a purpose: to derive certain
information or find vulnerabilities.
It also clutters error logs, which may cause real errors to get missed.
Other WP include and plugin files that contain direct code (rather than
only function/class definitions), have a catch for this:
{{{
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Exit if accessed directly.
}
}}}
I suggest this gets added to the top of the
/wp-includes/theme-compat/embed.php file.
Easy fix.
thanks
--
Comment:
> Other WP include and plugin files that contain direct code (rather than
> only function/class definitions), have a catch for this
Only some files include such checks, not all.
IMHO this is something that should be prevented on the web server level
using `.htaccess` or similar.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41999#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
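
The log-clutter concern raised in the ticket can be handled at triage time. The following is an added example, not part of the ticket or of WordPress: it separates fatals caused by direct requests to include-only files from errors that need attention. The sample log lines, the `INCLUDE_PREFIXES` values and the function names are assumptions, and the pattern covers only the PHP 5 style message quoted in the ticket.

```python
import re
from urllib.parse import urlsplit

# Constructed nginx/PHP-FPM error-log lines (sample data, not from the ticket).
SAMPLE_LOG = [
    '2017/09/27 08:25:21 [error] 911#0: *7 FastCGI sent in stderr: "PHP message: '
    'PHP Fatal error:  Call to undefined function get_header() in '
    '/srv/www/wp-includes/theme-compat/embed.php on line 13" while reading '
    'response header from upstream, client: 203.0.113.9, server: example.test, '
    'request: "GET /wp-includes/theme-compat/embed.php HTTP/1.1"',
    '2017/09/27 08:26:02 [error] 911#0: *9 FastCGI sent in stderr: "PHP message: '
    'PHP Fatal error:  Call to undefined function my_helper() in '
    '/srv/www/wp-content/themes/demo/functions.php on line 40" while reading '
    'response header from upstream, client: 198.51.100.4, server: example.test, '
    'request: "GET /?p=12 HTTP/1.1"',
]

# Matches the PHP 5 style message quoted in the ticket ("... in FILE on line N").
FATAL_RE = re.compile(r"PHP Fatal error:\s+(?P<msg>.*?) in (?P<file>/\S+\.php) on line \d+")
REQUEST_RE = re.compile(r'request: "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: WordPress lives at the document root, so these URL prefixes hold
# include-only files rather than intended entry points.
INCLUDE_PREFIXES = ("/wp-includes/", "/wp-content/")


def classify(line):
    """Return 'direct-access', 'real-error', or None if the line is not a PHP fatal."""
    fatal, request = FATAL_RE.search(line), REQUEST_RE.search(line)
    if not fatal or not request:
        return None
    url_path = urlsplit(request.group("target")).path  # drop any query string
    # Direct access: the client requested the failing include file itself and it
    # died because WordPress core was never bootstrapped.
    requested_itself = (url_path.startswith(INCLUDE_PREFIXES)
                        and fatal.group("file").endswith(url_path))
    unbootstrapped = "Call to undefined function" in fatal.group("msg")
    return "direct-access" if requested_itself and unbootstrapped else "real-error"


def triage(lines):
    """Bucket log lines so probe noise does not hide errors needing attention."""
    buckets = {"direct-access": [], "real-error": []}
    for line in lines:
        kind = classify(line)
        if kind:
            buckets[kind].append(line)
    return buckets
```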