Opened 10 years ago
Last modified 3 years ago
#31603 new enhancement
Don't change $_SERVER['REQUEST_URI'] just to filter the current URL query string
Reported by: | morganestes | Owned by: | |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | General | Keywords: | needs-patch |
Focuses: | administration | Cc: |
Description
While working on #23367, I found 14 places in core that overwrite $_SERVER['REQUEST_URI']
, which causes problems when trying to use it elsewhere and I don't know which version is going to make an appearance.
I propose either switching from overwriting $_SERVER['REQUEST_URI']
to using a local var when we need to, or creating a filter that's accessible everywhere if we need the modified value to use elsewhere.
Change History (8)
This ticket was mentioned in Slack in #core by morganestes. View the logs.
10 years ago
#5
@
10 years ago
@morganestes Can you provide some examples of the places in core which override this and the problem it causes? Just for reference.
#6
@
10 years ago
@johnbillion I first came across this when working on #23367 and trying to create a canonical admin URL. By the time the admin header fires, $_SERVER['REQUEST_URI']
has already been modified by core several times, most often by remove_query_arg()
.
For example: in themes.php, it's been modified to remove 'enabled', 'disabled', 'deleted', 'error' from the query string, so when we check for any of those in the query later when we're actually triggering something based on their existence, $_SERVER['REQUEST_URI']
no longer reflects the true value from initial page load. This becomes a problem with things like dismissible or non-repeating notices.
In upload.php it's overwritten multiple times, but not for specific use later in the file.
Nearly every instance of changing the value is due to modifying the query string for displaying or hiding admin messages. The exceptions are for setting values for IIS.
My main concern is that although it's possible for it to change, modifying a server global in multiple places makes it a challenge to know what its value is when used elsewhere and it loses its trustworthiness as a true server value, especially since add_query_arg()
and remove_query_arg()
default to $_SERVER['REQUEST_URI']
if no URL param is passed.. It should remain a read-only value and any modifications should be to a new variable (even if it's a filterable one).
@morganestes: Care to add a patch for consideration?