Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#54406 closed enhancement (duplicate)

Fatal Error - Admin Filters File Does Not Exit if ABSPATH Not Defined and tries calling WordPress functions

Reported by: machineitsvcs Owned by:
Milestone: Priority: normal
Severity: minor Version: 5.9
Component: General Keywords: needs-patch
Focuses: administration, coding-standards Cc:

Description

For whatever reason, direct requests are being made to the "/wp-admin/includes/admin-filters.php" file, which does not start with an exit() if ABSPATH is not defined, causing a fatal error on the first function called, add_action(). I would like to suggest adding the typical "if(!defined('ABSPATH')) exit;" to prevent these fatal errors. Although I understand this doesn't actually affect the functionality of WordPress, I'm still classifying it as an "enhancement" as it will improve the accuracy/clarity of the error log which was getting populated with these fatal errors.

Change History (1)

#1 @SergeyBiryukov
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, welcome back to WordPress Trac! Thanks for the ticket.

This has come up a few times before, for example in #36177, #30806, #44700, #45773, #48049, and most recently in #53271.

Per the Security FAQ, these errors are considered a server configuration issue rather than a security issue:

Why are there path disclosures when directly loading certain files?
This is a server configuration problem. Never enable display_errors on a production site.

Instead of changing all PHP files to add a check for ABSPATH, this should be done in a central location, which is being discussed in #36177.

Let's continue the discussion in that ticket, as it would be best to keep all discussion on the general idea of "blocking malicious requests" in a single place, even if any implemented change does not necessarily follow how the ticket originally intended on it being implemented.

That said, it looks like this ticket is more about unnecessary error logging rather than a path disclosure. Still, blocking direct access to the files in question using the web server configuration file should resolve the issue for now, until any changes are implemented in core.

See also a related similar ticket for bundled themes: #47154.
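
The web server workaround suggested in the comment above, as an added example that is not part of the ticket or of WordPress core. It assumes Apache with mod_rewrite, a single-site install at the document root, and a site-root .htaccess; it also goes beyond the one file in the ticket by covering the include-only directories as a whole.

```apache
# Added example (assumptions: Apache + mod_rewrite, single-site install
# at the document root). Put this in the site-root .htaccess, outside
# the "# BEGIN WordPress" / "# END WordPress" markers, because WordPress
# rewrites everything between those markers.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Include-only admin files such as wp-admin/includes/admin-filters.php:
# answer 403 Forbidden so PHP never executes the file and the
# "call to undefined function add_action()" fatal error is not raised.
RewriteRule ^wp-admin/includes/ - [F,L]

# If the request is not under wp-includes/, skip the next two rules.
RewriteRule !^wp-includes/ - [S=2]

# PHP files directly inside wp-includes/ are meant to be loaded by
# WordPress, not requested by URL. (Multisite serves uploads through
# wp-includes/ms-files.php, hence the single-site assumption.)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```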
