Make WordPress Core

Opened 15 years ago

Closed 15 years ago

Last modified 11 years ago

#10367 closed defect (bug) (wontfix)

Assert the existence of ABSPATH in wp-settings.php

Reported by: wet
Owned by: ryan
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch
Focuses:
Cc:

Description

wp-settings.php is publicly visible from a URL like http://example.com/wp-settings.php and discloses web server internals like the absolute file system path through PHP notices, as ABSPATH is not defined under such circumstances:

Warning: require(ABSPATHwp-includes/compat.php) [function.require]: failed to open stream: No such file or directory in /[...]/wp-settings.php on line 246

Attached patch fixes this behaviour.

Attachments (1)

wp-settings-11669.patch (325 bytes) - added by wet 15 years ago.


Change History (7)

#1 @wet
15 years ago

  • Keywords has-patch added

#2 @g30rg3x
15 years ago

From Ticket #1038
Quoting Viper007Bond:

IMO, if you're that worried about paths, then you should have error reporting off. And the path is only a "problem" if you're on a shared server with poor security.

Recommend "wontfix".

#3 @Denis-de-Bernardy
15 years ago

  • Milestone Unassigned deleted
  • Resolution set to wontfix
  • Status changed from new to closed

#4 follow-up: @wet
15 years ago

  • Cc r.wetzlmayr@… added
  • Resolution wontfix deleted
  • Status changed from closed to reopened

In the light of the current CYA swoop, would this patch be eventually reconsidered for commit?

#5 in reply to: ↑ 4 @westi
15 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

Replying to wet:

In the light of the current CYA swoop, would this patch be eventually reconsidered for commit?

Those changes were about checking capabilities and stopping the direct load of admin files which shouldn't be called directly.

Adding these checks at the top of every file does not improve security and as was said above you should not have error_reporting outputting to the end-user on a live site.
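The two mitigations discussed on this ticket, the ABSPATH guard from the description and the "no error output to the end-user" advice from comment #5, as an added illustration. This is not the attached wp-settings-11669.patch (its contents are not reproduced on this page) and not WordPress code; it shows the general pattern. WP_DEBUG is a real WordPress constant and display_errors and log_errors are real PHP ini directives; everything else is an assumed arrangement for the example.

```php
<?php
// Added example, not the ticket's patch. Part 1: a guard at the top of a file
// that is only meaningful once the WordPress bootstrap has run.
//
// Normal flow: wp-config.php defines ABSPATH, then requires wp-settings.php.
// Direct request to /wp-settings.php: ABSPATH is undefined, so a later
// require( ABSPATH . 'wp-includes/compat.php' ) fails, and PHP reports that
// failure (including the script's absolute filesystem path) to the requester
// whenever display_errors is on. The warning quoted in the description shows
// exactly that: the bare constant name concatenated into the path.
if ( ! defined( 'ABSPATH' ) ) {
	// Nothing below this line is safe to execute outside the bootstrap, so
	// stop here with a plain 403 instead of letting PHP describe the failure.
	http_response_code( 403 );
	exit;
}

// Part 2 (comment #5's point): on a live site PHP should never render errors
// to the client, regardless of which files happen to carry a guard. These
// settings belong in wp-config.php or php.ini; the values are the defensive
// defaults a practitioner would expect, not something prescribed by the page.
define( 'WP_DEBUG', false );        // do not raise WordPress' error reporting level
@ini_set( 'display_errors', '0' );  // never send PHP errors in the HTTP response
@ini_set( 'log_errors', '1' );      // keep the detail (paths included) in the server log

// With these two parts in place, a direct request to the file gets an empty
// 403, and any remaining notice from elsewhere lands in the error log, where
// the absolute path is useful to the operator and invisible to the requester.
```

The guard and the ini settings are independent: the guard removes one specific disclosure path, while display_errors off is the setting that closes the whole class, which is why comment #5 treats the per-file checks as unnecessary once error output is correctly configured.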

#6 @ocean90
11 years ago

#24561 was marked as a duplicate.
