[wp-trac] [WordPress Trac] #49810: Remove workaround for $HTTP_RAW_POST_DATA bug present in PHP < 5.2.2
WordPress Trac
noreply at wordpress.org
Tue Jun 2 03:24:55 UTC 2020
#49810: Remove workaround for $HTTP_RAW_POST_DATA bug present in PHP < 5.2.2
-------------------------------------+-----------------------------
Reporter: skoskie | Owner: SergeyBiryukov
Type: enhancement | Status: reopened
Priority: normal | Milestone: 5.5
Component: XML-RPC | Version: trunk
Severity: trivial | Resolution:
Keywords: has-patch needs-testing | Focuses:
-------------------------------------+-----------------------------
Comment (by jrf):
I've had a look at this and all other occurrences of `$HTTP_RAW_POST_DATA`
in WP.
First off, this is a PHP Core removed global variable. Any plugin which
relies on WP core backfilling that variable is most definitely ''doing it
wrong™''.
In reality, WP doesn't actually backfill the variable except for the XML-
RPC entry point and select REST requests, which aren't the most common
entry point for WP anyway, and on top of that, XML-RPC is very often
disabled.
So, let's look at the three different files in which the issue occurs:
== `src/wp-includes/IXR/class-IXR-server.php`
This is a file from an external dependency. I'm not sure by heart if this
dependency is still maintained externally or abandoned and now maintained
in WP Core only.
This file doesn't actually backfill the variable, it just uses it if
available.
**Conclusion**: This should just be switched out for `php://input`.
== `src/wp-includes/rest-api/class-wp-rest-server.php`
While this function - `WP_REST_Server::get_raw_data()` - does actually
backfill the global, this looks more like an oversight than an
architectural choice.
The important thing here is that the static
`WP_REST_Server::get_raw_data()` method is in place to handle the
potential non-availability of the `$HTTP_RAW_POST_DATA` variable and that
any REST related code **''should already use this method''** instead of
relying on the availability of the `$HTTP_RAW_POST_DATA` variable.
**Conclusion**: This should just be switched out for `php://input`.
== `src/xmlrpc.php`
This is the only one where a case could be made for letting the variable
remain as-is. The variable gets backfilled in the global scope for a very
select entry point and is subsequently **''never used in WP Core''**,
though the `class-IXR-server.php` file may have used it, but as it already
had its own BC-code in place that was never an issue.
**Conclusion**: As it is never used in Core, this ''might'' be an entry
point for which plugins expect the variable to exist and leaving it in
place doesn't do any actual harm.
== Patch
I've attached a new patch via GitHub to address this issue based on the
above analysis.
== PHPCompatibility report
{{{
FILE: src\wp-includes\IXR\class-IXR-server.php
----------------------------------------------------------------------------------------------------------------------------------------------------
FOUND 3 ERRORS AFFECTING 3 LINES
----------------------------------------------------------------------------------------------------------------------------------------------------
50 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
51 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
55 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
----------------------------------------------------------------------------------------------------------------------------------------------------
FILE: src\wp-includes\rest-api\class-wp-rest-server.php
----------------------------------------------------------------------------------------------------------------------------------------------------
FOUND 4 ERRORS AFFECTING 4 LINES
----------------------------------------------------------------------------------------------------------------------------------------------------
1374 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
1380 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
1381 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
1384 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
----------------------------------------------------------------------------------------------------------------------------------------------------
FILE: src\xmlrpc.php
----------------------------------------------------------------------------------------------------------------------------------------------------
FOUND 5 ERRORS AFFECTING 4 LINES
----------------------------------------------------------------------------------------------------------------------------------------------------
20 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
21 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
25 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
26 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
26 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since
PHP 5.6 and removed since PHP 7.0; Use php://input instead
----------------------------------------------------------------------------------------------------------------------------------------------------
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49810#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list