Make WordPress Core

Opened 11 years ago

Last modified 5 years ago

#22798 new enhancement

Invalid URLs not giving 404 with "Default" permalink settings

Reported by: vanchuck
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.4
Component: Rewrite Rules
Keywords: dev-feedback bulk-reopened
Focuses:
Cc:

Description

Steps to reproduce:

Expected Behaviour:

  • 404 page is displayed

Observed Behaviour:

  • No 404 page is ever shown, no matter what the request string is
  • Instead, WordPress behaves as if no path was requested, eg displaying the homepage/posts lists.
  • If requested url has any of the standard params in it, those params ARE executed, eg http://blogroot.com/foo?paged=2 would properly show the 2nd page of the posts.

Suspected cause:

In line 620 of wp-includes/class-wp.php (in WP->parse_request), there is a conditional which means the only time the request can be marked as a 404 error is if the array of rewrite rules is NOT empty:

        $rewrite = $wp_rewrite->wp_rewrite_rules();

        if ( ! empty($rewrite) ) {
           ...

If the "Default" permalink is selected, and no other rewrite rules are set up elsewhere (for reasons I didn't investigate, adding an add_rewrite_rule to the theme didn't affect anything), then the $rewrite array IS empty and the request cannot be checked to see if it's a 404. Therefore, execution of the request continues as if no path info were submitted.

This prevents the showing of the theme's 404 page, and can get a website flagged as spam/exploitative in Google's index.

Workaround:

Define a permalink redirect (eg pick one of the options other than Default).

Server info:

Apache/2.2.16 (Debian) (w/ mod_rewrite)
PHP Version 5.3.3-7+squeeze3 (mod_php5)

.htaccess contents:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
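
A way to check a site for the behaviour described in this ticket, as an added example (not part of the ticket or of WordPress): request a random path that cannot exist and compare the answer with the homepage. The names `check_soft_404`, `http_fetch`, the two stub responders and the host `blogroot.example` are constructed for illustration.

```python
import difflib
import secrets
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def http_fetch(url, timeout=10):
    """GET url and return (status, body); HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_soft_404(base_url, fetch=http_fetch, threshold=0.9):
    """Probe a path that cannot exist and classify how the site answers."""
    _, home_body = fetch(base_url)
    probe_url = base_url.rstrip("/") + "/soft404-probe-" + secrets.token_hex(8)
    status, body = fetch(probe_url)
    similarity = difflib.SequenceMatcher(None, home_body, body).ratio()
    if status == 404:
        verdict = "ok"         # the miss is reported with a real 404
    elif status == 200 and similarity >= threshold:
        verdict = "soft-404"   # bogus path answered with the homepage, as in the ticket
    else:
        verdict = "review"     # anything else needs a manual look
    return {"probe": probe_url, "status": status,
            "similarity": round(similarity, 2), "verdict": verdict}


# Constructed stand-ins for the two setups discussed in the ticket (not real servers).
HOME = "<html><title>My Blog</title><body>Latest posts ...</body></html>"


def leftover_rewrite_site(url):
    # Default permalinks with the rewrite block still in .htaccess: every path
    # reaches index.php, which ignores the path and renders the posts list.
    return 200, HOME


def no_rewrite_site(url):
    # Rewrite block removed: the web server itself answers for the missing path.
    path = urlsplit(url).path.strip("/")
    return (200, HOME) if path in ("", "index.php") else (404, "Not Found")


if __name__ == "__main__":
    for site in (leftover_rewrite_site, no_rewrite_site):
        print(site.__name__, check_soft_404("http://blogroot.example", fetch=site))
```

Call `check_soft_404` with only a base URL to probe a live site you operate; the default `http_fetch` then performs the requests with urllib.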

Change History (8)

#1 follow-up: @nacin
11 years ago

and can get a website flagged as spam/exploitative in Google's index.

At this point, I lost you. Huh?

#2 in reply to: ↑ 1 @vanchuck
11 years ago

Replying to nacin:

and can get a website flagged as spam/exploitative in Google's index.

At this point, I lost you. Huh?

It's a side-effect of having a website that redirects a number of pages to the same content, without a proper redirect HTTP Response Code (eg 301, 304). It's a technique spam/link farms use a lot so Google basically outlaws it (they call it Cloaking). I found out about the issue I'm reporting in this ticket, because Google sent me an email saying my blog had been flagged as Malware because of this behaviour. Here's the link they provided with more info:

https://support.google.com/webmasters/bin/answer.py?hl=en&answer=66355

Last edited 11 years ago by vanchuck

#4 @knutsp
11 years ago

  • Cc knut@… added

#5 follow-up: @dd32
11 years ago

The .htaccess rewrite rules are what's causing the problem here I believe.

If you're using the Default Permalinks, that is, ?p=123, then you don't need the .htaccess rewrite rules. When running "without pretty URLs", WordPress doesn't parse the request URI and only looks for the $_GET variables (as that's all that concerns it).

I would argue this is an incorrect server setup.

Last edited 11 years ago by dd32

#6 in reply to: ↑ 5 @vanchuck
11 years ago

  • Type changed from defect (bug) to enhancement

Replying to dd32:

I would argue this is an incorrect server setup.

Aha. How this came about for my install was that I manually updated my .htaccess at some point, and when moving back to Default permalink option, the rewrites stayed, which as you point out, shouldn't be that way.

However, if this is really an unhandled/unsupported config, two things would be helpful in this situation to avoid problems for others:

  • If .htaccess is not writeable by WP, there should be a warning message displayed when switching back to Default permalinks option, providing the user with the new updated .htaccess file contents (in this case, with no rewrite directives), as is done when you select a non-Default permalinks option
  • If Default permalinks option is enabled, .htaccess should be automatically updated (or the user should be prompted to update it manually) to include a 404 handler to ensure wayward URLs still get sent to the WP error page. eg:

ErrorDocument 404 /index.php?error=404

Changing to Enhancement, will let you pros determine whether the above are worthwhile suggestions.

#7 @chriscct7
9 years ago

  • Keywords dev-feedback added
  • Version changed from 3.4.2 to 3.4

If Default permalinks option is enabled, .htaccess should be automatically updated (or the user should be prompted to update it manually) to include a 404 handler to ensure wayward URLs still get sent to the WP error page. eg:

If the .htaccess file or one in a higher parent directory already has one, this would be a bad idea.

#10 @thowden
5 years ago

  • Keywords bulk-reopened added

Hi All

As at today, March 19 2019, this issue is still impacting and resulting in Google incorrectly reporting a site as hacked when it is not.

The default redirect is accepting an invalid URL (a "/?exam=" request) and presenting the home page with that invalid URL intact. Google interprets this as a successful 'hacked page' being displayed.

I came to this issue as a result of searching for why a 404 page is not being displayed, or perhaps a 403 Forbidden page would be better? In any case, this issue is still current with WP core 5.1.1–en_AU updates on a CPanel / WHM server platform.

cheers
Tony
https://www.wrenmaxwell.com.au
