Opened 4 years ago
Last modified 3 months ago
#35835 reopened enhancement
_deprecated_file undefined in rss-functions.php
Reported by: | | Owned by: |
---|---|---|---
Milestone: | Awaiting Review | Priority: | normal
Severity: | normal | Version: | 4.4.2
Component: | General | Keywords: |
Focuses: | | Cc: |
PR Number: | | |
Description
If you call wp-includes/rss-functions.php directly, you get an error.
Because _deprecated_file is not defined, you can patch it with:

```php
<?php
/**
 * Deprecated. Use rss.php instead.
 *
 * @package WordPress
 */

// Only act when WordPress itself loaded this file. The constant name must be a
// quoted string; on a direct request neither ABSPATH nor _deprecated_file() exists.
if ( defined( 'ABSPATH' ) ) {
	_deprecated_file( basename( __FILE__ ), '2.1', WPINC . '/rss.php' );
	require_once( ABSPATH . WPINC . '/rss.php' );
}
```
Change History (9)
#1 @dd32, 4 years ago (follow-up: ↓ 5)
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
#2, 4 years ago
Yes, but visiting this web page produces an HTTP 500 error. So yes, it's not visible, but it exists...
Why not just add a single line to stop this error? And do the same in other non-standalone pages...
#3 @dd32, 4 years ago (follow-up: ↓ 4)
Yes, but visiting this web page produces an HTTP 500 error.
On a URL which should never be linked to (and ideally you should also have directory indexing disabled).
You'll get a similar error if you access wp-includes/default-filters.php, or potentially any number of others too.
#4, 4 years ago (in reply to ↑ 3)
Replying to dd32:
Yes, but visiting this web page produces an HTTP 500 error.
On a URL which should never be linked to (and ideally you should also have directory indexing disabled).
It's not linked, but pentest software knows these addresses and checks for the path. You're right, in production we will set debug to false, but in my opinion we can make an attack with this error, maybe by reloading it lots of times and logging lots of errors (I don't know, I'm not a professional in pentesting)...
I just think leaving an error in is not a good thing, mostly if you only have to add one line to remove it...

```php
// Bail out on a direct request: ABSPATH is only defined when WordPress loads the file.
if ( ! defined( 'ABSPATH' ) ) {
	exit();
}
```
#5, 3 years ago (in reply to ↑ 1)
- Resolution invalid deleted
- Status changed from closed to reopened
Replying to dd32:
Production sites shouldn't be running with display_errors turned on, so the undefined constants & undefined functions warnings/notices/errors aren't seen as bugs within WordPress.
We also cover this in our security handbook.
That's stupid. I have error notification alerts, and I had alerts about this fatal error too. So I just blocked all errors from WordPress. And this does not improve security, because I can't see any errors from WordPress right now. So fix it and don't make excuses.
+ it adds a lot of trash data to log files (I have thousands of these errors)
+ bots use these bugs in WordPress to scan websites with display_errors on
No wonder WordPress developers are considered the worst in the industry))
#6, 3 years ago
- Resolution set to invalid
- Status changed from reopened to closed
Remarking as invalid. Discussion can continue; a committer can re-open if they feel the need to.
#8, 3 months ago
- Resolution invalid deleted
- Status changed from closed to reopened
- Type changed from defect (bug) to enhancement
Some hacker has discovered many of the WordPress files containing calls to _deprecated_file() and is inundating my server with direct GET requests to them.
Because that function is not defined in WordPress, Apache returns status 500 and, because as an administrator I want to be informed of status 500, my inbox is deluged with alerts.
I would block the originating IPs but they're all different, so they're coming from spambots. And the advantage to the hacker eludes me completely, but it is what it is, and I have to deal with it.
Couldn't WordPress handle calls to deprecated files/functions a little more elegantly? Like it does with direct calls to other files which should not be accessed directly - with status 200 and zero bytes?
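As an added example (not part of this ticket or of WordPress), the triage the last comment is asking for on the alerting side: a small Python filter over Apache combined-format access log lines that separates 5xx responses caused by direct requests to include files (the probes described above) from 5xx responses anywhere else, so that only the latter need to page an administrator. The log lines, IP addresses, regexes and function names are constructed for this illustration.

```python
import re
from collections import Counter
# Apache combined log format (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Include files WordPress never serves on their own; a hit here is a probe or a stale link, not the site failing.
DIRECT_ACCESS_RE = re.compile(r'^/(wp-includes|wp-admin/includes)/[^?]*\.php(\?|$)')

def parse_line(line):
    # Return the fields of one access-log line, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec

def classify_5xx(lines):
    """Bucket 5xx responses: 'probe' = direct hit on an include file, 'site' = everything else.
    Returns (buckets keyed by path, Counter of client IPs that sent probes)."""
    buckets = {'probe': Counter(), 'site': Counter()}
    probe_ips = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['status'] < 500:
            continue
        path = rec['path'].split('?', 1)[0]          # drop the query string for grouping
        if DIRECT_ACCESS_RE.match(rec['path']):
            buckets['probe'][path] += 1
            probe_ips[rec['ip']] += 1
        else:
            buckets['site'][path] += 1
    return buckets, probe_ips

# Constructed sample lines modelled on the scenario in comment #8 (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-includes/rss-functions.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-includes/default-filters.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-includes/rss-functions.php?x=1 HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.10 - - [10/Oct/2023:13:57:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    buckets, ips = classify_5xx(SAMPLE_LOG)
    print("probe noise:", dict(buckets['probe']), "| real 5xx:", dict(buckets['site']), "| probers:", dict(ips))
```

Only the 'site' bucket is worth an alert; the 'probe' bucket is the scan noise the comment complains about and can be counted rather than mailed.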