[wp-trac] [WordPress Trac] #53244: PHP Warning on non-existent multisite wp-cron.php

WordPress Trac noreply at wordpress.org
Fri May 21 04:33:52 UTC 2021 

#53244: PHP Warning on non-existent multisite wp-cron.php
--------------------------------+-----------------------------
 Reporter:  dd32                |      Owner:  (none)
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Networks and Sites  |    Version:
 Severity:  normal              |   Keywords:
  Focuses:  multisite           |
--------------------------------+-----------------------------
 A PHP warning can be triggered when a HTTP request is made to `wp-
 cron.php` on a non-existent multisite site.

 For example:
 {{{
 GET https://foobar.example.org/wp-cron.php

 PHP Warning:  Cannot modify header information - headers already sent in
 wp-includes/ms-settings.php on line 79
 PHP Stack trace:
 PHP   1. {main}() wp-cron.php:0
 PHP   2. require_once() wp-cron.php:44
 PHP   3. require_once() wp-load.php:55
 PHP   4. require_once() wp-config.php:125
 PHP   5. require() wp-settings.php:141
 PHP   6. header($header = 'Location: https://example.org/wp-
 signup.php?new=foobar') wp-includes/ms-settings.php:79
 }}}

 While the error doesn't define why it's being triggered, but it's because
 [44488] ends the request when `wp-cron.php` is requested prior to the
 multisite bootstrap.

 Initial thoughts say that this is probably a "good enough" fix:
 {{{
 #!diff
 Index: wp-includes/ms-settings.php
 ===================================================================
 --- wp-includes/ms-settings.php (revision 50552)
 +++ wp-includes/ms-settings.php (working copy)
 @@ -73,7 +73,7 @@

         if ( true === $bootstrap_result ) {
                 // `$current_blog` and `$current_site are now populated.
 -       } elseif ( false === $bootstrap_result ) {
 +       } elseif ( false === $bootstrap_result || headers_sent() ) {
                 ms_not_installed( $domain, $path );
         } else {
                 header( 'Location: ' . $bootstrap_result );
 }}}

 While this warning will never be seen by users, it can end up in the PHP
 logs, especially when a vulnerability scanner is trying every subdomain
 under the sun.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53244>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list