Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 13 months ago

#10367 closed defect (bug) (wontfix)

Assert the existence of ABSPATH in wp-settings.php

Reported by: wet
Owned by: ryan
Milestone: (none)
Priority: normal
Severity: normal
Version: (none)
Component: Security
Keywords: has-patch
Focuses: (none)
Cc: (none)

Description

wp-settings.php is publicly visible from a URL like http://example.com/wp-settings.php and discloses web server internals like the absolute file system path through PHP notices, as ABSPATH is not defined under such circumstances:

Warning: require(ABSPATHwp-includes/compat.php) [function.require]: failed to open stream: No such file or directory in /[...]/wp-settings.php on line 246

Attached patch fixes this behaviour.

Attachments (1)

wp-settings-11669.patch (325 bytes) - added by wet 5 years ago.


Change History (7)

comment:1 wet 5 years ago

  • Keywords has-patch added

comment:2 g30rg3x 5 years ago

From Ticket #1038
Quoting Viper007Bond:

IMO, if you're that worried about paths, then you should have error reporting off. And the path is only a "problem" if you're on a shared server with poor security.

Recommend "wontfix".

comment:3 Denis-de-Bernardy 5 years ago

  • Milestone Unassigned deleted
  • Resolution set to wontfix
  • Status changed from new to closed

comment:4 follow-up: wet 5 years ago

  • Cc r.wetzlmayr@… added
  • Resolution wontfix deleted
  • Status changed from closed to reopened

In the light of the current CYA swoop, would this patch be eventually reconsidered for commit?

comment:5 in reply to: ↑ 4 westi 5 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

Replying to wet:

In the light of the current CYA swoop, would this patch be eventually reconsidered for commit?

Those changes were about checking capabilities and stopping the direct load of admin files which shouldn't be called directly.

Adding these checks at the top of every file does not improve security and as was said above you should not have error_reporting outputting to the end-user on a live site.
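Worked example added to this ticket page (it is not the attached patch and not WordPress code): a stand-alone PHP script that reproduces the disclosure from the description with a two-line stand-in for wp-settings.php, then applies the two controls the thread discusses, the ABSPATH guard from the description and the "no error output on a live site" setting from comment 5, and checks each response body for a filesystem path. It assumes the php CLI is available; the temporary directory, the stand-in scripts and the discloses_path() helper are constructed for the demonstration.

```php
<?php
// Added example for ticket #10367; not the attached patch and not WordPress code.
// Reproduces the path disclosure with a tiny stand-in for wp-settings.php, then
// shows the two controls discussed in the ticket: an ABSPATH guard at the top of
// the include, and display_errors turned off. Assumes the `php` CLI is on PATH;
// every file name below is constructed for the demo.

$dir = sys_get_temp_dir() . '/abspath-demo-' . getmypid();
mkdir($dir, 0700);

// Stand-in for wp-settings.php: requires a file relative to ABSPATH with no check.
// Loaded as an entry point, ABSPATH is undefined: PHP 7 warns and treats the bare
// name as the string "ABSPATH" (hence "require(ABSPATHwp-includes/compat.php)"),
// PHP 8 throws an Error. Either way the message names the script's absolute path.
$settingsUnguarded = <<<'PHP'
<?php
require ABSPATH . 'wp-includes/compat.php';
PHP;

// Same file with the guard: bail out before anything that needs ABSPATH.
$settingsGuarded = <<<'PHP'
<?php
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
require ABSPATH . 'wp-includes/compat.php';
PHP;

file_put_contents("$dir/unguarded.php", $settingsUnguarded);
file_put_contents("$dir/guarded.php",   $settingsGuarded);

// Run a script the way a direct web request would: as the entry point, with no
// bootstrap having defined ABSPATH. display_errors is set per run so the effect
// of the hosting configuration can be seen on its own; log_errors is off so the
// CLI does not also copy the message to stderr.
function run_direct(string $script, string $displayErrors): string {
    $cmd = sprintf(
        '%s -d display_errors=%s -d log_errors=0 -d error_reporting=E_ALL %s 2>&1',
        escapeshellarg(PHP_BINARY),
        escapeshellarg($displayErrors),
        escapeshellarg($script)
    );
    return (string) shell_exec($cmd);
}

// Constructed check: does a response body reveal a filesystem path to a .php file?
// Matches the "... in /var/www/site/wp-settings.php on line N" form of PHP
// diagnostics and the Windows drive-letter form.
function discloses_path(string $body): bool {
    return (bool) preg_match('~\bin\s+/\S+\.php\b~', $body)
        || (bool) preg_match('~[A-Za-z]:\\\\\S+\.php\b~', $body);
}

$cases = [
    'unguarded, display_errors=1' => ["$dir/unguarded.php", '1'],
    'unguarded, display_errors=0' => ["$dir/unguarded.php", '0'],
    'guarded,   display_errors=1' => ["$dir/guarded.php",   '1'],
];

foreach ($cases as $label => [$script, $display]) {
    $body = run_direct($script, $display);
    printf("%-28s path disclosed: %s\n", $label, discloses_path($body) ? 'YES' : 'no');
    if ($body !== '') {
        echo "    output: " . trim($body) . "\n";
    }
}

// Remove the constructed fixtures.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Run it with php. The unguarded file with display_errors on prints a diagnostic containing its absolute path; the same file with display_errors off prints nothing, which is the configuration comment 5 assumes for a live site; the guarded file prints nothing whichever way display_errors is set, which is what the ticket's guard buys on a host that does have error display on. On a production WordPress install the second control is display_errors = Off in php.ini (or, in current WordPress, define('WP_DEBUG_DISPLAY', false) in wp-config.php), and the guard is the if ( ! defined( 'ABSPATH' ) ) { exit; } line that WordPress files commonly open with.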

comment:6 ocean90 13 months ago

#24561 was marked as a duplicate.
