[wp-trac] [WordPress Trac] #43308: Require authentication for load-scripts.php and load-styles.php
WordPress Trac
noreply at wordpress.org
Wed Feb 14 09:38:22 UTC 2018
#43308: Require authentication for load-scripts.php and load-styles.php
---------------------------+------------------------------
Reporter: youngcp | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Script Loader | Version: 4.9.4
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
---------------------------+------------------------------
Comment (by Clorith):
Hi there, and welcome to Trac.

This patch has a few issues, and a missing consideration, that I'd like to
address. I'd also like to mention that this is best mitigated using tools
like WAFs, fail2ban or similar, due to the nature of the file you are
trying to modify.

The patch should adhere to the
[https://make.wordpress.org/core/handbook/best-practices/coding-standards/ WordPress coding standards],
that's a bit beside the point, but nice to just mention and get out of the way
right off the bat.

Now, your solution in this patch is to just include `wp-admin/admin.php`,
this does two things:

- It sends a nocache header (there's a not-modified code in
  `load-scripts.php` to reduce repeat requests for legitimate users)
- It forces you to be logged in

This second point creates an awkward situation, as some themes and plugins
use this file to concatenate scripts on the front end for visitors as
well. This is a consideration we need to account for that may lead to
broken sites if we implement something with just authentication
requirements.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43308#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
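
The comment above names fail2ban-style tooling as the preferred mitigation. As an added example (not part of the ticket, the patch or WordPress itself), this Python detector counts requests per client to the two endpoints within a sliding window, so that ordinary front-end use of the files stays below the threshold. The combined log format, the threshold values and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of a combined-log-format line: client address, timestamp, request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)')
# The two concatenation endpoints named in the ticket title.
TARGETS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")

def find_offenders(lines, max_hits=5, window=timedelta(seconds=10)):
    """Map each client that exceeds max_hits requests within window to the
    time it first crossed the threshold (thresholds are assumed values)."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, stamp, url = m.groups()
        if not url.split("?", 1)[0].endswith(TARGETS):
            continue  # some other URL
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()  # forget requests older than the window
        if len(hits) > max_hits:
            offenders.setdefault(ip, ts)
    return offenders

def sample_log():
    """Constructed log lines: a burst, a slow regular client, a normal visitor."""
    fmt = '{} - - [14/Feb/2018:09:{:02d}:{:02d} +0000] "GET {} HTTP/1.1" 200 512'
    scripts = "/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core"
    styles = "/blog/wp-admin/load-styles.php?c=1&load%5B%5D=dashicons"
    burst = [fmt.format("203.0.113.7", 0, s, scripts) for s in range(8)]
    slow = [fmt.format("192.0.2.44", m, 0, scripts) for m in range(8)]
    visitor = [fmt.format("198.51.100.20", 1, s, u)
               for s, u in enumerate([styles, "/index.php", styles])]
    return burst + slow + visitor

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"{ip} exceeded the threshold at {when.isoformat()}")
```

Only the constructed burst client is reported; the client that requests the file once a minute and the visitor loading styles twice are left alone.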