Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 months ago

#4759 closed enhancement (duplicate)

Blank index.php in wp-content subdirs

Reported by: ozh
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: index opendir security
Focuses:
Cc:

Description

Ola

Directory /wp-content has had its "Silence is golden" blank index page for years now, why not add this file by default to /plugins & /themes ?

It would greatly reduce script kiddies ability to find exploitable plugins (example)

Change History (6)

comment:1 @zamoose 8 years ago

+1 I concur.

Not sure whether it's worth making "diffs" in this circumstance, really.

comment:2 @docwhat 8 years ago

Would index.html be better than index.php? There would be no risk of any code executing *ever* by accident.

Either way, there should be a comment explaining why the file is blank and that it should be kept that way.

Alternatively, rewrite rules might be better, since you could redirect the user to a legit page (like the root) in case they were walking up a URL.

Ciao!

comment:3 @Ozh 8 years ago

  • Component changed from Security to Administration
  • Keywords has-patch added
  • Severity changed from trivial to normal
  • Summary changed from Blank index.php in wp-content subdirs to Blank index.php in wp-content subdirs (proposal + bug patch)
  • Type changed from enhancement to defect

As of now there is a bug (feature?) making the Dashboard default page display the content of any 'index.php' that might exist in /wp-content/plugins/.
I think this is a bug because index.php might not be a plugin.

Here is a proposal for a fix of this behavior (sorry, I have nothing like svn or patch on the machine I'm on right now).

1) A new function (wp-admin/includes/plugins.php would be an appropriate place)

/**
 * Checks if a file is (seems to be) a plugin - Ozh
 * @param	string	$plugin_file	full path to a file
 * @return	boolean
 */
function is_pluginfile( $plugin_file ) {
	// Must be a readable .php file before we bother parsing headers
	if ( ! is_readable( $plugin_file ) || substr( $plugin_file, -4 ) != '.php' )
		return false;

	// A real plugin declares a "Plugin Name:" header; a blank index.php does not
	$plugin_data = get_plugin_data( $plugin_file );

	if ( empty( $plugin_data['Name'] ) )
		return false;

	return true;
}

2) Changes to /wp-admin/menu-header.php

Replace every file_exists with is_pluginfile

3) If this patch is accepted, function get_plugins() from /wp-admin/includes/plugins.php could use is_pluginfile() as well with an improved test on line 73:

line 73 -- 		if ( !is_readable( "$plugin_root/$plugin_file" ) )
line 73 ++ 		if ( !is_pluginfile( "$plugin_root/$plugin_file" ) )
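Review bot: the replacement at line 73 makes is_pluginfile() call get_plugin_data() on every candidate file before get_plugins() does its own work, so if get_plugins() later reads the plugin headers itself, each file is parsed twice; consider having is_pluginfile() return the parsed data (or cache it) instead of a bare boolean, so the header read is done once per file. Note also that the is_readable() guard is not lost by this change, since is_pluginfile() performs it first.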
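As an added example (not code from this ticket or from WordPress core), the script below builds a constructed wp-content/plugins directory containing the blank "Silence is golden" index.php proposed in the description alongside a real plugin file, then applies the is_pluginfile() check from comment:3 to each entry next to the plain file_exists() test it replaces. example_get_plugin_data() is a deliberately simplified stand-in for WordPress's get_plugin_data() (it extracts only the Plugin Name header, using the same header-line pattern WordPress uses) and the example_ names are hypothetical.

```php
<?php
// Added example, not WordPress core code: a blank index.php in wp-content/plugins
// must not be treated as a plugin, and a plugin-header check distinguishes it.

// Simplified stand-in for get_plugin_data(): read the first 8 KiB of the file
// and pull out the "Plugin Name:" header. The real function parses more headers.
function example_get_plugin_data(string $file): array {
    $head = file_get_contents($file, false, null, 0, 8192);
    $name = '';
    if ($head !== false && preg_match('/^[ \t\/*#@]*Plugin Name:(.*)$/mi', $head, $m)) {
        $name = trim($m[1]);
    }
    return ['Name' => $name];
}

// The check proposed in comment:3: readable, ends in .php, and declares a name.
function example_is_pluginfile(string $plugin_file): bool {
    if (!is_readable($plugin_file) || substr($plugin_file, -4) !== '.php') {
        return false;
    }
    $plugin_data = example_get_plugin_data($plugin_file);
    return !empty($plugin_data['Name']);
}

// Constructed wp-content/plugins tree under the system temp directory.
$root    = sys_get_temp_dir() . '/wp-content-' . bin2hex(random_bytes(4));
$plugins = "$root/plugins";
mkdir($plugins, 0700, true);

// 1) The "Silence is golden" blank index: valid PHP, but no plugin header.
file_put_contents("$plugins/index.php", "<?php\n// Silence is golden.\n");

// 2) A real plugin with a standard header comment.
file_put_contents("$plugins/hello.php", "<?php\n/*\nPlugin Name: Hello Example\nVersion: 1.0\n*/\n");

// 3) A non-PHP file carrying a header-like line; file_exists() accepts it too.
file_put_contents("$plugins/readme.txt", "Plugin Name: Not a plugin\n");

foreach (['index.php', 'hello.php', 'readme.txt'] as $f) {
    $path = "$plugins/$f";
    printf("%-11s file_exists=%d is_pluginfile=%d\n",
           $f, file_exists($path), example_is_pluginfile($path));
}

// Clean up the constructed tree.
array_map('unlink', glob("$plugins/*"));
rmdir($plugins);
rmdir($root);
```

Run it with `php` from the command line. Only hello.php passes the plugin-header check, while file_exists() accepts all three entries, which is the distinction comment:3 relies on when replacing file_exists() in menu-header.php.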

comment:4 @Ozh 8 years ago

  • Component changed from Administration to Security
  • Keywords has-patch removed
  • Summary changed from Blank index.php in wp-content subdirs (proposal + bug patch) to Blank index.php in wp-content subdirs
  • Type changed from defect to enhancement

Sorry for the mess, the previous reply & patch was incomplete. See #4787 for a more complete problem analysis & patch. Ticket changed to be just a blank index.php proposal, as an easy and trivial "security" enhancement.

comment:5 @foolswisdom 8 years ago

  • Milestone 2.3 deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Closing as dup of #4787.

comment:6 @jdgrimes 8 months ago

This was fixed in #8699.