Opened 9 months ago
Closed 9 months ago
#60237 closed defect (bug) (wontfix)
Fatal error when someone opens "/wp-includes/blocks" or "/wp-includes/blocks/index.php" directly
Reported by: | akrocks | Owned by: | rajinsharwar |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 5.5 |
Component: | Editor | Keywords: | has-patch needs-testing |
Focuses: | Cc: |
Description
Bug Description
If we try to open {site's domain}/wp-includes/blocks or {site's domain}/wp-includes/blocks/index.php, a fatal error is encountered due to the undefined ABSPATH constant.
Steps to reproduce
Create a fresh WordPress site & try opening "{site's domain}/wp-includes/blocks" or "{site's domain}/wp-includes/blocks/index.php".
Attachments (4)
Change History (13)
This ticket was mentioned in PR #5863 on WordPress/wordpress-develop by @akrocks.
9 months ago
#1
Trac ticket: https://core.trac.wordpress.org/ticket/60237
## Description
- This PR adds a conditional check for the `ABSPATH` constant in the `wp-includes/blocks/index.php` file to prevent the `Undefined constant "ABSPATH"` fatal error when someone opens `/wp-includes/blocks/` or `/wp-includes/blocks/index.php` directly.
## Steps to reproduce
- Create a fresh WordPress site & try opening "{site's domain}/wp-includes/blocks" or "{site's domain}/wp-includes/blocks/index.php".
## Screenshots
### Before
#### When opened /wp-includes/blocks
#### When opened /wp-includes/blocks/index.php
### After
#### When opened /wp-includes/blocks
#### When opened /wp-includes/blocks/index.php
#2
@
9 months ago
- Component changed from Site Health to Editor
- Milestone changed from Awaiting Review to 6.5
- Version set to 5.5
#3
@
9 months ago
Test Report
Tested Patch: https://github.com/WordPress/wordpress-develop/pull/5863
Environment:
WordPress: 6.4.2
OS: Windows
Browser: Firefox
Theme: Twenty Twenty Four
PHP: 8.0.18
Active Plugin: None
Steps to Reproduce:
- Create a fresh WordPress site & try opening "{site's domain}/wp-includes/blocks" or "{site's domain}/wp-includes/blocks/index.php".
Actual Result:
- This patch prevents the Undefined constant "ABSPATH" fatal error when opening the /wp-includes/blocks/index.php file or /wp-includes/blocks/ directly. ✅
Screenshots:
Before Patch: https://prnt.sc/5VLmoNAZVoSb
After Patch: https://prnt.sc/nvpV8mYVwkZ2
#4
@
9 months ago
- Resolution set to invalid
- Status changed from new to closed
I have tested @akrocks's PR and it works correctly. I have also introduced an additional solution.
I used the WPINC constant. By using WPINC, it works perfectly to prevent direct access.
#6
@
9 months ago
- Keywords changes-requested added
- Owner set to rajinsharwar
- Status changed from reopened to assigned
Hi @sakibmd, thanks for your patch, and it works great! But we shouldn't use a new String for this purpose I believe. As done in other files to prevent direct access, we can just do something like this:
```php
// Don't load directly.
if ( ! defined( 'WPINC' ) ) {
	die( '-1' );
}
```
Feel free to share a new patch, and we can get this merged soon!
This ticket was mentioned in PR #5961 on WordPress/wordpress-develop by @rajinsharwar.
9 months ago
#7
Fatal error when someone opens "/wp-includes/blocks/index.php".
Trac ticket: https://core.trac.wordpress.org/ticket/60237
#8
@
9 months ago
- Keywords needs-testing added; changes-requested removed
New patch added. Let's get some test reports before marking it for commit.
#9
@
9 months ago
- Milestone 6.5 deleted
- Resolution set to wontfix
- Status changed from assigned to closed
There have been a number of similar reports to this in the past. Similar errors also happen in many other wp-includes/*.php and wp-admin/includes/*.php files.
However, this is not a security issue, nor is it something that's intended to be "fixed" as it's not encountered during "standard usage". As such, I'll close the ticket as wontfix (trac's term to indicate no action is planned).
If WordPress is used on a production server, error displaying should be disabled, and/or direct access to the PHP files in the above directories should be disabled.
Some previous discussions: #35835, #38317.
Some other related tickets: #10367, #18715, #30103, #30806, #31663, #47154, #47945.
Screenshot of fatal error encountered when "/wp-includes/blocks/index.php" is opened.
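
As an added example (not code from the ticket or from WordPress), this Python script lists PHP files that reference ABSPATH or WPINC before any direct-access guard of the kind quoted in comment 6, the pattern behind the fatal error reported here and, per the closing comment, in other wp-includes files. The regexes, function names and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Direct-access guard, in the form quoted in the ticket or the `defined( ... ) || exit;` variant.
GUARD = re.compile(
    r"""(?:if\s*\(\s*!\s*defined\s*\(\s*['"](?:ABSPATH|WPINC)['"]\s*\)\s*\)\s*\{?"""
    r"""|defined\s*\(\s*['"](?:ABSPATH|WPINC)['"]\s*\)\s*(?:\|\||or))\s*(?:die|exit)\b""",
    re.I,
)
# Bare use of the constant, i.e. not the quoted name passed to defined().
BARE_USE = re.compile(r"""(?<!['"\w$])(?:ABSPATH|WPINC)(?!['"\w])""")
# Heuristic comment stripper; it does not parse PHP strings, so treat hits as leads.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

# Constructed sample files (not copied from WordPress core).
SAMPLES = {
    "blocks/index.php": "<?php\ndefine( 'BLOCKS_PATH', ABSPATH . WPINC . '/blocks/' );\n",
    "blocks/guarded.php": (
        "<?php\n// Don't load directly.\n"
        "if ( ! defined( 'WPINC' ) ) {\n\tdie( '-1' );\n}\n"
        "require ABSPATH . WPINC . '/version.php';\n"
    ),
    "blocks/plain.php": "<?php\n/* ABSPATH is named only in this comment. */\nreturn array();\n",
}


def unguarded_files(root):
    """Return PHP files under root that use ABSPATH/WPINC before any guard."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        code = COMMENTS.sub("", path.read_text(encoding="utf-8", errors="replace"))
        use, guard = BARE_USE.search(code), GUARD.search(code)
        if use and (guard is None or use.start() < guard.start()):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Write the constructed samples to a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return unguarded_files(tmp)


if __name__ == "__main__":
    print(demo())
```

Pointing `unguarded_files()` at a local checkout's wp-includes directory gives the list of files a server-level deny rule or disabled error display would need to cover.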