WordPress.org

Make WordPress Core

Opened 6 months ago

#53244 new defect (bug)

PHP Warning on non-existent multisite wp-cron.php

Reported by: dd32 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Networks and Sites Keywords:
Focuses: multisite Cc:

Description

A PHP warning can be triggered when a HTTP request is made to wp-cron.php on a non-existent multisite site.

For example:

GET https://foobar.example.org/wp-cron.php

PHP Warning:  Cannot modify header information - headers already sent in wp-includes/ms-settings.php on line 79
PHP Stack trace:
PHP   1. {main}() wp-cron.php:0
PHP   2. require_once() wp-cron.php:44
PHP   3. require_once() wp-load.php:55
PHP   4. require_once() wp-config.php:125
PHP   5. require() wp-settings.php:141
PHP   6. header($header = 'Location: https://example.org/wp-signup.php?new=foobar') wp-includes/ms-settings.php:79

While the error doesn't define why it's being triggered, but it's because [44488] ends the request when wp-cron.php is requested prior to the multisite bootstrap.

Initial thoughts say that this is probably a "good enough" fix:

  • wp-includes/ms-settings.php

     
    7373
    7474        if ( true === $bootstrap_result ) {
    7575                // `$current_blog` and `$current_site are now populated.
    76         } elseif ( false === $bootstrap_result ) {
     76        } elseif ( false === $bootstrap_result || headers_sent() ) {
    7777                ms_not_installed( $domain, $path );
    7878        } else {
    7979                header( 'Location: ' . $bootstrap_result );

While this warning will never be seen by users, it can end up in the PHP logs, especially when a vulnerability scanner is trying every subdomain under the sun.

Change History (0)

Note: See TracTickets for help on using tickets.