[wp-trac] [WordPress Trac] #51806: Add an early exit for files with _deprecated_file() calls
WordPress Trac
noreply at wordpress.org
Thu Nov 19 15:50:56 UTC 2020
#51806: Add an early exit for files with _deprecated_file() calls
----------------------------+---------------------
Reporter: SergeyBiryukov | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.7
Component: General | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
----------------------------+---------------------
Comment (by zodiac1978):
As a first step I checked the 30 search results which use
`_deprecated_file()`.
These files all result in a full path disclosure if
`display_errors` is enabled:
{{{
wp-admin/admin-functions.php
wp-admin/custom-background.php
wp-admin/custom-header.php
wp-admin/includes/class-wp-upgrader-skins.php
wp-admin/upgrade-functions.php
wp-includes/class-feed.php
wp-includes/class-json.php
wp-includes/class-oembed.php
wp-includes/class-snoopy.php
wp-includes/class-wp-customize-control.php
wp-includes/class-wp-feed-cache.php
wp-includes/customize/class-wp-customize-new-menu-control.php
wp-includes/customize/class-wp-customize-new-menu-section.php
wp-includes/date.php
wp-includes/embed-template.php
wp-includes/locale.php
wp-includes/registration-functions.php
wp-includes/registration.php
wp-includes/rss-functions.php
wp-includes/rss.php
wp-includes/session.php
wp-includes/spl-autoload-compat.php
wp-includes/theme-compat/comments.php
wp-includes/theme-compat/footer.php
wp-includes/theme-compat/header.php
wp-includes/theme-compat/sidebar.php
}}}
PHPMailer is checking via `function_exists` first:
{{{
wp-includes/class-phpmailer.php
}}}
Not sure why this is not reproducing the FPD:
{{{
wp-includes/class-smtp.php
}}}
This file has a check and uses `_deprecated_file()` only if a my-hacks.php
file exists:
{{{
wp-includes/load.php
}}}
And the 30th search result is just the function itself:
{{{
wp-includes/functions.php
}}}
And for completeness I would like to point again to the issue on the
Health Check plugin to check for `display_errors`:
https://github.com/WordPress/health-check/issues/370
because we recommend disabling this setting:
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51806#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
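For the early exit in the ticket title and the `function_exists` guard the comment notes in class-phpmailer.php, an added example of what such a deprecated-file shim looks like. This is my illustration, not code from the ticket or from WordPress core; the `ABSPATH` check as the early-exit condition and the placeholder version and replacement file are assumptions.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core): a minimal
 * deprecated-file shim showing why a direct request discloses the full
 * path, and two guards against it.
 *
 * Loaded through WordPress, `_deprecated_file()` is already defined
 * (wp-includes/functions.php) and the notice is emitted as intended.
 * Requested directly by URL, nothing has defined it, so PHP aborts with
 * "Call to undefined function _deprecated_file() in
 * /full/server/path/wp-includes/example.php", which display_errors=On
 * prints to the visitor: the full path disclosure (FPD) in the comment.
 */

// Guard 1: early exit when WordPress did not load this file.
// Assumption of this example: ABSPATH is defined by wp-load.php before
// any core file is included, so its absence means a direct request.
// exit() prints nothing and raises no error, so no path is leaked.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Guard 2, the pattern the comment observes in class-phpmailer.php:
// only call the helper when it exists. On its own this also prevents
// the undefined-function fatal on a direct request.
if ( function_exists( '_deprecated_file' ) ) {
	// 'X.Y.Z' and the replacement path are placeholders, not real values.
	_deprecated_file( basename( __FILE__ ), 'X.Y.Z', WPINC . '/replacement-file.php' );
}

// The compatibility shim that the deprecated file still provides follows.
```

Guard 1 alone is enough: once it is in place the `function_exists()` branch is never reached on a direct request, so the second guard only matters for files that are intentionally loadable outside WordPress. Either way the page stays blank instead of echoing a server path, which is the behaviour to verify after applying the change (request the file directly with `display_errors` on and confirm an empty response).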