Primary network site loads with any arbitrary path on sub-folder networks

[mordauk]

Take this example:

• Network install with subfolders
• Primary site is /
• Any number of sites in the network

On some server setups (including WordPress.org itself), if you navigate to site.com/a-non-registered-site-path the primary site is loaded, whereas the expected behavior is for a site not found error.

Screenshot of network admin at site.com/:

Screenshot of network admin at site.com/a-non-registered-site-path:

This happens because $paths in get_site_by_path() includes both a-non-registered-site-path and / as allowed paths which are then used for the IN statement of the SQL to find the current site:

$sql = $wpdb->prepare( "SELECT * FROM $wpdb->blogs WHERE domain = %s", $domains[0] );
$sql .= " AND path IN ($search_paths) ORDER BY CHAR_LENGTH(path) DESC LIMIT 1";
$site = $wpdb->get_row( $sql );

I've managed to fix the issue by only adding / to $paths if $paths is empty.

I found a related discussion in #31507 and some related comments in #27003 where get_site_by_path() was first introduced but none of them quite address this issue.

[joshlevinson]

On some server setups (including WordPress.org itself)

Any more details on what's necessary server-wise to replicate for testing?

[jeremyfelt]

Thanks for the patch @mordauk. I have a feeling this is a duplicate of #17376. In one of the later comments, I laid out a series of URLs and expectations, but left out any network admin URLs. I'm guessing they act the same.

Can you check that out and confirm?

[jeremyfelt]

Fairly convinced this is a duplicate of #17376, which we should be able to fix this cycle with the help of tests via #34941.