[wp-trac] [WordPress Trac] #54406: Fatal Error - Admin Filters File Does Not Exit if ABSPATH Not Defined and tries calling WordPress functions
WordPress Trac
noreply at wordpress.org
Tue Nov 9 18:45:43 UTC 2021
---------------------------+-----------------------------------------------
 Reporter:  machineitsvcs  |       Owner:  (none)
     Type:  enhancement    |      Status:  closed
 Priority:  normal         |   Milestone:
Component:  General        |     Version:  trunk
 Severity:  minor          |  Resolution:  duplicate
 Keywords:  needs-patch    |     Focuses:  administration, coding-standards
---------------------------+-----------------------------------------------
Changes (by SergeyBiryukov):
* status: new => closed
* resolution: => duplicate
* milestone: Awaiting Review =>
Comment:
Hi there, welcome back to WordPress Trac! Thanks for the ticket.
This has come up a few times before, for example in #36177, #30806,
#44700, #45773, #48049, and most recently in #53271.
Per the [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/ Security FAQ],
these errors are considered a server configuration issue rather than a
security issue:
> '''Why are there path disclosures when directly loading certain files?'''
> This is a server configuration problem. Never enable `display_errors` on
> a production site.
Instead of changing all PHP files to add a check for `ABSPATH`, this
should be done in a central location, which is being discussed in #36177.
Let's continue the discussion in that ticket, as it would be best to keep
all discussion on the general idea of "blocking malicious requests" in a
single place, even if any implemented change does not necessarily follow
how the ticket originally intended on it being implemented.
That said, it looks like this ticket is more about unnecessary error
logging rather than a path disclosure. Still, blocking direct access to
the files in question using the web server configuration file should
resolve the issue for now, until any changes are implemented in core.
See also a related similar ticket for bundled themes: #47154.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54406#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
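The comment above recommends blocking direct access to the include-only files in the web server configuration until core handles it centrally. The following Apache `.htaccess` fragment is an added example (not from the ticket or from WordPress core) adapted from the rewrite rules in the WordPress hardening documentation; it returns 403 for direct requests to those files instead of letting PHP execute them without `ABSPATH` defined. It assumes `mod_rewrite` and a site installed at the document root.

```apache
# Added example: deny direct HTTP requests to include-only PHP files.
# Put this in the site root .htaccess, OUTSIDE the "# BEGIN WordPress" ...
# "# END WordPress" block, because core rewrites that block on its own.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Nothing under wp-admin/includes/ is an entry point; it is only ever
# loaded via include() after wp-load.php has defined ABSPATH.
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for any request outside wp-includes/.
RewriteRule !^wp-includes/ - [S=3]
# Top-level PHP files in wp-includes/ are library code, not entry points.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

On a multisite install the `^wp-includes/[^/]+\.php$` rule would also block `ms-files.php`, so omit that rule there; `display_errors` itself is a `php.ini` setting and is not controlled by this file.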