Fatal error when someone opens "/wp-includes/blocks" or "/wp-includes/blocks/index.php" directly

[akrocks]

Bug Description

If we try to open {site's domain}/wp-includes/blocks or {site's domain}/wp-includes/blocks/index.php, a fatal error is encountered due to undefined ABSPATH constant.

Steps to reproduce

Create a fresh WordPress site & try opening "{site's domain}/wp-includes/blocks" or "{site's domain}/wp-includes/blocks/index.php".

[akrocks]

Screenshot of fatal error encountered when "/wp-includes/blocks/index.php" is opened.

[akrocks]

Screenshot of fatal error encountered when "/wp-includes/blocks" is opened.

Trac ticket: https://core.trac.wordpress.org/ticket/60237

## Description

• This PR adds a conditional check for the ABSPATH constant in the wp-includes/blocks/index.php file to prevent Undefined constant "ABSPATH" fatal error when someone opens /wp-includes/blocks/ or /wp-includes/blocks/index.php directly.

## Steps to reproduce

• Create a fresh WordPress site & try opening "{site's domain}/wp-includes/blocks" or "{site's domain}/wp-includes/blocks/index.php".

## Screenshots

### Before

#### When opened /wp-includes/blocks

#### When opened /wp-includes/blocks/index.php

### After

#### When opened /wp-includes/blocks

#### When opened /wp-includes/blocks/index.php

[mukesh27]

Thanks @akrocks for the ticket and PR!

Nice catch! The /wp-includes/blocks/index.php added in 5.5 version through [48262]/#50263

[shailu25]

Test Report

Tested Patch: ​https://github.com/WordPress/wordpress-develop/pull/5863

Environment:

WordPress: 6.4.2
OS: Windows
Browser: Firefox
Theme: Twenty Twenty Four
PHP: 8.0.18
Active Plugin: None

Step to Reproduce:

• Create a fresh WordPress site & try opening "{site's domain}/wp-includes/blocks" or "{site's domain}/wp-includes/blocks/index.php".

Actual Result:

• This Patch Prevents Undefined constant "ABSPATH" fatal error When open /wp-includes/blocks/index.php file or /wp-includes/blocks/ directly.✅

Screenshots:

Before Patch: ​https://prnt.sc/5VLmoNAZVoSb
After Patch: ​https://prnt.sc/nvpV8mYVwkZ2

[sakibmd]

Here I used the 'WPINC' constant to protect direct access.

[sakibmd]

I have tested @akrocks PR and it works correctly. I have also introduced an additional solution.

I used the WPINC constant. By using WPINC, it works perfectly to prevent direct access.

[rajinsharwar]

Hi @sakibmd, thanks for your patch, and it works great! But we shouldn't use a new String for this purpose I believe. As done in other files to prevent direct access, we can just do something like this:

// Don't load directly.
if ( ! defined( 'WPINC' ) ) {
        die( '-1' );
}

Feel free to share a new patch, and we can get this merged soon!

Fatal error when someone opens "/wp-includes/blocks/index.php".

Trac ticket: https://core.trac.wordpress.org/ticket/60237

[rajinsharwar]

New patch added. Let's get some test reports before marking it for commit.

[peterwilsoncc]

There have been a number of similar reports to this in the past. Similar errors also happen in many other wp-includes/*.php and wp-admin/includes/*.php files.

However, ​this is not a security issue, nor is it something that's intended to be "fixed" as it's not encountered during "standard usage". As such, I'll close the ticket as wontfix (trac's term to indication no action is planned).

If WordPress is used on a production server, error displaying should be disabled, and/or direct access to the PHP files in the above directories should be disabled.

Some previous discussions: #35835, #38317.

Some other related tickets: #10367, #18715, #30103, #30806, #31663, #47154, #47945.