Make WordPress Core

Opened 6 years ago

Last modified 5 years ago

#41999 new enhancement

/wp-includes/theme-compat/embed.php causes unnecessary errors in request log

Reported by: arjenlentz Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.8.2
Component: Embeds Keywords: close
Focuses: Cc:

Description (last modified by swissspidy)

FastCGI sent in stderr: "PHP message: PHP Fatal error: Call to undefined function get_header() in [...]/wp-includes/theme-compat/embed.php on line 13"

It's being called directly: "GET /wp-includes/theme-compat/embed.php HTTP/1.1"
Of course people shouldn't, but they do, for a purpose: to derive certain information or find vulnerabilities.
It also clutters error logs, which may cause real errors to get missed.

Other WP include and plugin files that contain direct code (rather than only function/class definitions) have a catch for this:

    if ( ! defined( 'ABSPATH' ) ) {
        exit; // Exit if accessed directly.
    }

I suggest this gets added to the top of the /wp-includes/theme-compat/embed.php file.
Easy fix.
Thanks.

Change History (4)

#1 @swissspidy
6 years ago

  • Description modified (diff)
  • Keywords close added
  • Type changed from defect (bug) to enhancement

Other WP include and plugin files that contain direct code (rather than only function/class definitions) have a catch for this

Only some files include such checks, not all.

IMHO this is something that should be prevented on the web server level using .htaccess or similar.

#2 @SergeyBiryukov
6 years ago

  • Component changed from General to Embeds

#3 @vizkr
5 years ago

@swissspidy

.htaccess is a huge performance drain and its usage is strongly discouraged by Apache 2.4, plus nginx doesn't even support the construct. So if this file is a common footprinting vector, why not fix this in the file?

#4 @swissspidy
5 years ago

This is not unique to embed.php though. One could just as well try to access wp-includes/default-filters.php and get a similar warning. The only real way to prevent this is in the server settings. Turning off error display and direct access to PHP files can be done in both Apache and nginx.
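As an added example (not from the ticket or from WordPress itself), an nginx server-block fragment showing the server-level approach from comment #4: regex locations that refuse direct requests for include-only files before the generic PHP handler, so the request never reaches PHP-FPM and produces neither a fatal error nor an error-log line. The directory names are the ones named in the ticket; the socket path and the multisite caveat are assumptions from my own deployments.

```nginx
# Order matters: nginx takes the first matching regex location, so these
# deny rules must appear before the generic "\.php$" handler below.

# Files under wp-includes/theme-compat/ (embed.php included) expect to be
# loaded by WordPress after wp-load.php has run. Answering 403 here means
# PHP is never started, so "Call to undefined function get_header()"
# cannot occur and nothing is written to the PHP error log. The probe is
# still recorded in the access log, which is where it belongs.
location ~* ^/wp-includes/theme-compat/ {
    return 403;
}

# Top-level wp-includes/*.php (default-filters.php etc.) are include-only
# as well. Assumption: if you run a legacy multisite that still serves
# uploads through wp-includes/ms-files.php, add an exception for it
# before this block.
location ~* ^/wp-includes/[^/]+\.php$ {
    return 403;
}

# The admin-side include directory has the same property.
location ~* ^/wp-admin/includes/ {
    return 403;
}

# Generic handler: only reached for PHP files not denied above.
location ~ \.php$ {
    # Refuse to execute anything that does not exist on disk; also blocks
    # PATH_INFO tricks such as /image.jpg/x.php.
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # Errors from files that do execute are logged, never shown to the client.
    fastcgi_param PHP_VALUE "display_errors=Off";
    fastcgi_pass unix:/run/php/php-fpm.sock;  # assumed PHP-FPM socket path
}
```

Apache users get the same effect with mod_rewrite rules in the main server configuration rather than a per-directory .htaccess, which addresses the performance concern raised in comment #3.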
