Opened 4 years ago
Closed 3 years ago
#10367 closed defect (bug) (wontfix)
Assert the existence of ABSPATH in wp-settings.php
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Security | Version: | |
| Severity: | normal | Keywords: | has-patch |
| Cc: | r.wetzlmayr@… |
Description
wp-settings.php is publicly visible from an URL like http://example.com/wp-settings.php and discloses web server internals like the absolute file system path through PHP notices, as ABSPATH is not defined under such circumstances:
Warning: require(ABSPATHwp-includes/compat.php) [function.require]: failed to open stream: No such file or directory in /[...]/wp-settings.php on line 246
Attached patch fixes this behaviour.
Attachments (1)
Change History (6)
- Milestone Unassigned deleted
- Resolution set to wontfix
- Status changed from new to closed
- Cc r.wetzlmayr@… added
- Resolution wontfix deleted
- Status changed from closed to reopened
- Resolution set to wontfix
- Status changed from reopened to closed
Replying to wet:
In the light of the current CYA swoop, would this patch be eventually reconsidered for commit?
Those changes were about checking capabilities and stopping the direct load of admin files which shouldn't be called directly.
Adding these checks at the top of every file does not improve security and as was said above you should not have error_reporting outputting to the end-user on a live site.
Note: See
TracTickets for help on using
tickets.
From Ticket #1038
Quoting Viper007Bond: