Ticket #63137: 63137.3.patch

src/wp-includes/canonical.php

@@ -69 +69 @@
                 // Build the URL in the address bar.
                 $requested_url  = is_ssl() ? 'https://' : 'http://';
                 $requested_url .= $_SERVER['HTTP_HOST'];
-                $requested_url .= $_SERVER['REQUEST_URI'];
+                $requested_url .= isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
         }
 
         $original = parse_url( $requested_url );

src/wp-includes/class-wp-xmlrpc-server.php

@@ -4895 +4895 @@
                         return $blogs;
                 }
 
-                if ( $_SERVER['HTTP_HOST'] === $domain && $_SERVER['REQUEST_URI'] === $path ) {
+                if ( ( isset( $_SERVER['HTTP_HOST'] ) && $_SERVER['HTTP_HOST'] === $domain ) && ( isset( _SERVER['REQUEST_URI'] ) && $_SERVER['REQUEST_URI'] === $path ) ) {
                         return $blogs;
                 } else {
                         foreach ( (array) $blogs as $blog ) {

src/wp-includes/class-wp.php

@@ -172 +172 @@
                         $pathinfo         = str_replace( '%', '%25', $pathinfo );
 
                         list( $req_uri ) = explode( '?', $_SERVER['REQUEST_URI'] );
-                        $self            = $_SERVER['PHP_SELF'];
+                        $self            = isset( $_SERVER['PHP_SELF'] ) ? sanitize_text_field( wp_unslash( $_SERVER['PHP_SELF'] ) ) : '';
 
                         $home_path       = parse_url( home_url(), PHP_URL_PATH );
                         $home_path_regex = '';

src/wp-includes/load.php

@@ -60 +60 @@
 
                         // Some IIS + PHP configurations put the script-name in the path-info (no need to append it twice).
                         if ( isset( $_SERVER['PATH_INFO'] ) ) {
-                                if ( $_SERVER['PATH_INFO'] === $_SERVER['SCRIPT_NAME'] ) {
+                                if ( isset( $_SERVER['SCRIPT_NAME'] ) && $_SERVER['PATH_INFO'] === $_SERVER['SCRIPT_NAME'] ) {
                                         $_SERVER['REQUEST_URI'] = $_SERVER['PATH_INFO'];
                                 } else {
                                         $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];
@@ -68 +68 @@
                         }
 
                         // Append the query string if it exists and isn't null.
-                        if ( ! empty( $_SERVER['QUERY_STRING'] ) ) {
+                        if ( isset( $_SERVER['QUERY_STRING'] ) && ! empty( $_SERVER['QUERY_STRING'] ) ) {
                                 $_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING'];
                         }
                 }
@@ -85 +85 @@
         }
 
         // Fix empty PHP_SELF.
-        $PHP_SELF = $_SERVER['PHP_SELF'];
+        $PHP_SELF = isset( $_SERVER['PHP_SELF'] ) ? sanitize_text_field( wp_unslash( $_SERVER['PHP_SELF'] ) ) : '';
         if ( empty( $PHP_SELF ) ) {
                 $_SERVER['PHP_SELF'] = preg_replace( '/(\?.*)?$/', '', $_SERVER['REQUEST_URI'] );
-                $PHP_SELF            = $_SERVER['PHP_SELF'];
+                $PHP_SELF            = isset( $_SERVER['PHP_SELF'] ) ? sanitize_text_field( wp_unslash( $_SERVER['PHP_SELF'] ) ) : '';
         }
 
         wp_populate_basic_auth_from_authorization_header();
@@ -379 +379 @@
  * @deprecated 5.4.0 Deprecated in favor of do_favicon().
  */
 function wp_favicon_request() {
-        if ( '/favicon.ico' === $_SERVER['REQUEST_URI'] ) {
+        if ( isset( $_SERVER['REQUEST_URI'] ) && '/favicon.ico' === $_SERVER['REQUEST_URI'] ) {
                 header( 'Content-Type: image/vnd.microsoft.icon' );
                 exit;
         }

src/wp-includes/ms-deprecated.php

@@ -370 +370 @@
         if ( is_subdomain_install() ) {
                 $url = "http://" . $domain.$path;
         } else {
-                if ( $domain != $_SERVER['HTTP_HOST'] ) {
+                if ( isset( $_SERVER['HTTP_HOST'] ) && $domain != $_SERVER['HTTP_HOST'] ) {
                         $blogname = substr( $domain, 0, strpos( $domain, '.' ) );
                         $url = 'http://' . substr( $domain, strpos( $domain, '.' ) + 1 ) . $path;
                         // We're not installing the main blog.

src/wp-includes/ms-settings.php

@@ -59 +59 @@
 // have not been populated in the global scope through something like `sunrise.php`.
 if ( ! isset( $current_site ) || ! isset( $current_blog ) ) {
 
-        $domain = strtolower( stripslashes( $_SERVER['HTTP_HOST'] ) );
+        $domain = isset( $_SERVER['HTTP_HOST'] ) ? strtolower( stripslashes( $_SERVER['HTTP_HOST'] ) ) : '';
         if ( str_ends_with( $domain, ':80' ) ) {
                 $domain               = substr( $domain, 0, -3 );
-                $_SERVER['HTTP_HOST'] = substr( $_SERVER['HTTP_HOST'], 0, -3 );
+                $_SERVER['HTTP_HOST'] = isset( $_SERVER['HTTP_HOST'] ) ? substr( $_SERVER['HTTP_HOST'], 0, -3 ) : '';
         } elseif ( str_ends_with( $domain, ':443' ) ) {
                 $domain               = substr( $domain, 0, -4 );
-                $_SERVER['HTTP_HOST'] = substr( $_SERVER['HTTP_HOST'], 0, -4 );
+                $_SERVER['HTTP_HOST'] = isset( $_SERVER['HTTP_HOST'] ) ? substr( $_SERVER['HTTP_HOST'], 0, -4 ) : '';
         }
 
         $path = stripslashes( $_SERVER['REQUEST_URI'] );

src/wp-includes/theme-previews.php

@@ -84 +84 @@
  * @since 6.3.2
  */
 function wp_initialize_theme_preview_hooks() {
-        if ( ! empty( $_GET['wp_theme_preview'] ) ) {
+        if ( isset( $_GET['wp_theme_preview'] ) && ! empty( $_GET['wp_theme_preview'] ) ) {
                 add_filter( 'stylesheet', 'wp_get_theme_preview_path' );
                 add_filter( 'template', 'wp_get_theme_preview_path' );
                 add_action( 'init', 'wp_attach_theme_preview_middleware' );