#56065 closed defect (bug) (invalid)
PHPCS issue in wp-load.php .
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | |
| Component: | Bootstrap/Load | Keywords: | close |
| Focuses: | coding-standards | Cc: |
Description
$_SERVER data not unslashed before sanitization.
if ( false === strpos( $_SERVER['REQUEST_URI'], 'setup-config' ) ) {
header( 'Location: ' . $path );
exit;
}
Change History (6)
#2
@
18 months ago
- Component changed from General to Bootstrap/Load
- Focuses coding-standards added
- Keywords reporter-feedback added
Hi there, welcome back to WordPress Trac! Thanks for the ticket.
Do you get any PHPCS warnings from this file? When running WPCS checks for WordPress core with the default phpcs.xml.dist file, wp-load.php appears to pass all the checks successfully in my testing.
Since we're directly checking for setup-config appearing anywhere in $_SERVER['REQUEST_URI'], I think it would not matter here whether it's slashed or not.
#3
@
18 months ago
- Keywords close added
Hello welcome to core trac! Thanks for the report,
I noticed the same thing with Sergey, I don't get any PHPCS warnings while running WPCS checks for WordPress core, but I get warning while running checks using https://github.com/WordPress/WordPress-Coding-Standards phpcs rules.
Adding close keywords as this doesn't seem come from core phpcs rules.
Using wp_unslash() before sinitatization is recommended.