Opened 6 years ago
Last modified 5 years ago
#41999 new enhancement
/wp-includes/theme-compat/embed.php causes unnecessary errors in request log
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 4.8.2 |
Component: | Embeds | Keywords: | close |
Focuses: | | Cc: | |
Description (last modified by )
FastCGI sent in stderr: "PHP message: PHP Fatal error: Call to undefined function get_header() in [...]/wp-includes/theme-compat/embed.php on line 13"
It's being called directly: "GET /wp-includes/theme-compat/embed.php HTTP/1.1"
Of course people shouldn't, but they do, for a purpose: to derive certain information or find vulnerabilities.
It also clutters error logs, which may cause real errors to get missed.
Other WP include and plugin files that contain direct code (rather than only function/class definitions) have a catch for this:
    if ( ! defined( 'ABSPATH' ) ) {
        exit; // Exit if accessed directly.
    }
I suggest this gets added to the top of the /wp-includes/theme-compat/embed.php file.
Easy fix.
thanks
Change History (4)
#1
@
6 years ago
- Description modified (diff)
- Keywords close added
- Type changed from defect (bug) to enhancement
#3
@
5 years ago
@swissspidy .htaccess is a huge performance drain and its usage is strongly discouraged by Apache 2.4, plus nginx doesn't even support the construct. So if this file is a common footprinting vector, why not fix this in the file?
#4
@
5 years ago
This is not unique to embed.php though. One could just as well try to access wp-includes/default-filters.php and get a similar warning. The only real way to prevent this is in the server settings. Turning off error display and direct access to PHP files can be done in both Apache and nginx.
Only some files include such checks, not all.
IMHO this is something that should be prevented on the web server level using .htaccess or similar.
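An added example, not part of the ticket or of WordPress itself: a small access-log triage script that finds direct requests to PHP files under /wp-includes/, lists the ones that answered 5xx (candidates for the ABSPATH guard discussed above), and groups the probing by client. It assumes the "combined" log format, that a fatal error on direct access surfaces as a 5xx status, and an allowlist of directly served scripts that you should adjust for your site; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in "combined" log format (not from the ticket).
# example-guarded.php is a hypothetical file that exits early on direct access.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /wp-includes/theme-compat/embed.php HTTP/1.1" 500 0 "-" "curl/7.55"
203.0.113.7 - - [10/Oct/2017:13:55:37 +0000] "GET /wp-includes//default-filters.php HTTP/1.1" 500 0 "-" "curl/7.55"
203.0.113.7 - - [10/Oct/2017:13:55:38 +0000] "GET /wp-includes/example-guarded.php HTTP/1.1" 200 0 "-" "curl/7.55"
198.51.100.4 - - [10/Oct/2017:14:01:02 +0000] "GET /wp-includes/js/tinymce/wp-tinymce.php?c=1 HTTP/1.1" 200 91234 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2017:14:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2710 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
INCLUDE_PHP = re.compile(r"^/wp-includes/.+\.php$", re.I)
# Assumption: include-directory scripts that are meant to be requested directly.
ALLOWED = {"/wp-includes/js/tinymce/wp-tinymce.php", "/wp-includes/ms-files.php"}

def direct_include_hits(log_text):
    """Map each directly requested include file to its clients and statuses."""
    hits = defaultdict(lambda: {"clients": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        # Drop the query string, decode %xx, collapse repeated slashes.
        path = re.sub(r"/+", "/", unquote(target.split("?", 1)[0]))
        if INCLUDE_PHP.match(path) and path not in ALLOWED:
            hits[path]["clients"].add(client)
            hits[path]["statuses"].add(status)
    return dict(hits)

def unguarded_candidates(hits):
    """Files that returned 5xx on direct access (assumed: fatal error, no guard)."""
    return sorted(p for p, h in hits.items() if any(s >= 500 for s in h["statuses"]))

def scanning_clients(hits, min_paths=2):
    """Clients that requested at least min_paths distinct include files."""
    per_client = defaultdict(set)
    for path, h in hits.items():
        for client in h["clients"]:
            per_client[client].add(path)
    return {c: sorted(p) for c, p in per_client.items() if len(p) >= min_paths}

if __name__ == "__main__":
    found = direct_include_hits(SAMPLE_LOG)
    print("guard candidates:", unguarded_candidates(found))
    print("probing clients:", scanning_clients(found))
```

Files in the first list are the ones whose fatal errors end up in the error log; whether to add the guard or deny the path in the server configuration is the choice argued in the comments above.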