WordPress.org

Make WordPress Core

Opened 19 months ago

Last modified 8 months ago

#43459 new feature request

Provide a "manifest.json" file for exposing information about wordpress endpoints

Reported by: bjne Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:

Description

When hosting wordpress sites, there is a problem knowing which .php files
should be executed directly and which is just included by other apps.

I suggest to try to develop a "manifest.json" (filename open for discussion),
that should live in wp-core, and provide a up-to-date reference for configuring
frontend webservers (per-request?)

Currently the practice is mostly to deny access to wp-config.php, but more or
less allow every other endpoint to be executed directly. This is a security concern.

The format should be expandable in the future, but I suggest the following basic
json schema:

{
        "$schema": "http://json-schema.org/draft-06/schema#",
        "type": "object",
        "description": "wordpress manifest",
        "patternProperties": {
                "^(/[^/]+)+$": {
                        "type": "object",
                        "properties": {
                                "type": {
                                        "enum": ["public", "logged_in", admin"]
                                }
                        },
                        "required": ["type"]
                }
        },
        "additionalProperties": false
}

Which would allow the following initial configuration:

{
        "/index.php": {
                "type": "public"
        },
        "/wp-login.php": {
                "type": "public"
        },
        "/wp-admin/wp-admin-php": {
                "type": "admin"
        }
}

Everything not listed in this file should be blacklisted by default.

Change History (1)

#1 @pento
8 months ago

  • Version trunk deleted
Note: See TracTickets for help on using tickets.