WordPress.org

Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#33498 new defect (bug)

get_home_path does not stripslashes $_SERVER['SCRIPT_FILENAME'] before using it

Reported by: handsomejack201 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.3
Component: General Keywords: has-patch needs-unit-tests
Focuses: Cc:

Description (last modified by swissspidy)

Hello WordPress support,
I'm running WordPress on Windows through Webmatrix and IIS Express 8.5 and FastCGI.

This function has a bug that appears only on windows due to its different path formatting and causes the web.config to not be writable on PHP 5.5 (error from DOMDocument::load).

WordPress runs addslashes on all $_SERVER/$_GET/$_POST variables which places a burden to remember to stripslashes before using any variable from it.

The get_home_path() function does not do this before using $_SERVER['SCRIPT_FILENAME']. This doesn't cause a problem on Linux because the path format is not modified by addslashes, so it works by coincidence.

But on Windows, this causes the path to have double slashes (example: C:\\inetpub\\wordpress). Then it is passed to trailingslashit which gives a weird result:

C:\\inetpub\\wordpress\

(apologies, trac is messing up the slashes)

Now, PHP on windows is very tolerant of such paths, but some APIs such as DOMDocument::load (test on PHP 5.5) returns an error and logs that it wasn't able to open the file. This is used by WordPress to save the web.config file when it detects IIS.

I have attached a patch that fixes this against WordPress 4.3, but I have seen this in 4.2 as well (didn't test with older).

Attachments (3)

get_home_path.patch (943 bytes) - added by handsomejack201 2 years ago.
Patch to fix issue
get_home_patch_2.patch (938 bytes) - added by handsomejack201 2 years ago.
Cleaner patch
get_home_patch_2_fixed.patch (867 bytes) - added by handsomejack201 2 years ago.
Fixed version of the 2nd patch (sorry)

Download all attachments as: .zip

Change History (7)

@handsomejack201
2 years ago

Patch to fix issue

#1 @swissspidy
2 years ago

  • Description modified (diff)

#2 @swissspidy
2 years ago

  • Description modified (diff)
  • Keywords has-patch needs-unit-tests added

#3 @dd32
2 years ago

FYI this should use wp_unslash() rather than stripslashes() directly for that distant day in the future when we're no longer forced to slash the globals.

#4 @handsomejack201
2 years ago

Attaching a cleaner patch. My apologies for not having a unit test, I'm not familiar with developing for WordPress. Just scratching an itch that bothers anyone working with WordPress on Windows :-)

@handsomejack201
2 years ago

Cleaner patch

@handsomejack201
2 years ago

Fixed version of the 2nd patch (sorry)

Note: See TracTickets for help on using tickets.