Make WordPress Core

Opened 2 years ago

Last modified 4 months ago

#55944 new enhancement

Few wp-admin files need to exit if directly loaded

Reported by: superpoincare's profile superpoincare Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.0
Component: Administration Keywords: has-patch
Focuses: Cc:

Description

Some files in wp-admin don't have a check to see if they're being loaded directly, although some others make sure.

The files are:

/wp-admin/network/menu.php
/wp-admin/user/menu.php
/wp-admin/admin-header.php
/wp-admin/menu-header.php
/wp-admin/menu.php
/wp-admin/options-head.php

Change History (3)

#2 @deepakrohilla
6 months ago

  • Keywords has-patch added

@SergeyBiryukov I have cover maximum number of files of wp-includes & wp-admin directory and raised in https://core.trac.wordpress.org/ticket/61314#ticket with patch

#3 @leedxw
4 months ago

Tracking down some fatal errors in the logs, a (third-party scan) direct request to

GET /wp-admin/options-head.php

will result in 500 and a stack trace:

PHP Fatal error:  Uncaught Error: Call to undefined function wp_reset_vars() in /var/www/html/wp-admin/options-head.php:11
Stack trace:
#0 {main}
  thrown in /var/www/html/wp-admin/options-head.php on line 11

also seeing stack traces resulting from direct calls to

  • /wp-admin/network/menu.php
  • /wp-admin/user/menu.php
  • /wp-admin/upgrade-functions.php
  • /wp-admin/menu.php
  • /wp-admin/menu-header.php
  • /wp-admin/custom-header.php
  • /wp-admin/custom-background.php
  • /wp-admin/admin-header.php
  • /wp-admin/admin-functions.php
Last edited 4 months ago by leedxw (previous) (diff)
Note: See TracTickets for help on using tickets.