[wp-trac] [WordPress Trac] #51806: Add an early exit for files with _deprecated_file() calls
WordPress Trac
noreply at wordpress.org
Fri Nov 20 12:08:34 UTC 2020
#51806: Add an early exit for files with _deprecated_file() calls
----------------------------+---------------------
Reporter: SergeyBiryukov | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.7
Component: General | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
----------------------------+---------------------
Comment (by zodiac1978):
> Just noting that this is not so much about full path disclosure
> specifically
I understand, but then we need to discuss our recommended path here.
The error log mentioned in the first ticket could be generated through
testing tools, like wpcheck, which are just taking one of those files to
check for full path disclosure:
For example:
https://github.com/sergejmueller/wpcheck/blob/50fea1c1fe9b46d3fda8c2dae3b2214e9c0f5671/lib/rules/fpd-vulnerability.js#L32
If we fix it in one file, these tools will change to another file and
generate unnecessary error logs again.
I think we have two (or three) possible solutions here:
- 1. Fix every single file to not show any errors on direct access.
- 2a. Force disabling `display_errors` per default (maybe not if
`WP_DEBUG` is true).
- 2b. Add a check in Site Health to inform the user that `display_errors`
is on.
If we have a decision on the path, then we could go forward.
Maybe @clorith can add an opinion on the Site Health idea?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51806#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
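
Option 2b from the comment above, sketched as a small plugin. This is an added example, not code from the ticket or from WordPress core; the `example_*` function names and the `example_display_errors` test key are hypothetical, and treating `WP_DEBUG` sites as "recommended" rather than "critical" is an assumption of this example. It registers through the `site_status_tests` filter.

```php
<?php
/**
 * Added example (not WordPress core code): a Site Health test for option 2b.
 * All example_* names and the 'example_display_errors' key are hypothetical.
 */

// ini_get() returns a string; the setting may read "1", "On", "stdout", "0" or "".
function example_display_errors_enabled( $raw ) {
	$value = strtolower( trim( (string) $raw ) );
	if ( in_array( $value, array( 'stdout', 'stderr' ), true ) ) {
		return true; // Errors are written to an output stream.
	}
	return filter_var( $value, FILTER_VALIDATE_BOOLEAN ); // "1", "on", "yes", "true".
}

function example_display_errors_test() {
	$enabled = example_display_errors_enabled( ini_get( 'display_errors' ) );
	$debug   = defined( 'WP_DEBUG' ) && WP_DEBUG;

	$result = array(
		'label'       => __( 'PHP errors are not displayed to visitors' ),
		'status'      => 'good',
		'badge'       => array( 'label' => __( 'Security' ), 'color' => 'blue' ),
		'description' => '<p>' . __( 'display_errors is off, so a PHP error raised by direct access to a core file does not print the full server path.' ) . '</p>',
		'actions'     => '',
		'test'        => 'example_display_errors',
	);

	if ( $enabled ) {
		// Assumption of this example: with WP_DEBUG on, the setting is treated as deliberate.
		$result['status']      = $debug ? 'recommended' : 'critical';
		$result['label']       = __( 'PHP errors are displayed to visitors' );
		$result['description'] = '<p>' . __( 'display_errors is on. Error messages include full file paths; turn it off in the PHP configuration and log errors instead.' ) . '</p>';
	}
	return $result;
}

// Register the check as a direct (synchronous) Site Health test.
add_filter( 'site_status_tests', function ( $tests ) {
	$tests['direct']['example_display_errors'] = array(
		'label' => __( 'PHP display_errors' ),
		'test'  => 'example_display_errors_test',
	);
	return $tests;
} );
```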