Opened 9 years ago
Last modified 6 years ago
#33498 new defect (bug)
get_home_path does not stripslashes $_SERVER['SCRIPT_FILENAME'] before using it
Reported by: | handsomejack201 | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 4.3 |
Component: | General | Keywords: | has-patch needs-unit-tests |
Focuses: | Cc: |
Description (last modified by )
Hello WordPress support,
I'm running WordPress on Windows through Webmatrix and IIS Express 8.5 and FastCGI.
This function has a bug that appears only on windows due to its different path formatting and causes the web.config to not be writable on PHP 5.5 (error from DOMDocument::load
).
WordPress runs addslashes
on all $_SERVER
/$_GET
/$_POST
variables which places a burden to remember to stripslashes before using any variable from it.
The get_home_path()
function does not do this before using $_SERVER['SCRIPT_FILENAME']
. This doesn't cause a problem on Linux because the path format is not modified by addslashes
, so it works by coincidence.
But on Windows, this causes the path to have double slashes (example: C:\\inetpub\\wordpress
). Then it is passed to trailingslashit which gives a weird result:
C:\\inetpub\\wordpress\
(apologies, trac is messing up the slashes)
Now, PHP on windows is very tolerant of such paths, but some APIs such as DOMDocument::load
(test on PHP 5.5) returns an error and logs that it wasn't able to open the file. This is used by WordPress to save the web.config file when it detects IIS.
I have attached a patch that fixes this against WordPress 4.3, but I have seen this in 4.2 as well (didn't test with older).
Attachments (3)
Change History (7)
#3
@
9 years ago
FYI this should use wp_unslash()
rather than stripslashes()
directly for that distant day in the future when we're no longer forced to slash the globals.
Patch to fix issue