Make WordPress Core

Opened 5 months ago

Closed 4 months ago

#60237 closed defect (bug) (wontfix)

Fatal error when someone opens "/wp-includes/blocks" or "/wp-includes/blocks/index.php" directly

Reported by: akrocks's profile akrocks Owned by: rajinsharwar's profile rajinsharwar
Milestone: Priority: normal
Severity: normal Version: 5.5
Component: Editor Keywords: has-patch needs-testing
Focuses: Cc:

Description

Bug Description

If we try to open {site's domain}/wp-includes/blocks or {site's domain}/wp-includes/blocks/index.php, a fatal error is encountered due to undefined ABSPATH constant.

Steps to reproduce

Create a fresh WordPress site & try opening "{site's domain}/wp-includes/blocks" or "{site's domain}/wp-includes/blocks/index.php".

Attachments (4)

60237.diff (435 bytes) - added by akrocks 5 months ago.
Screenshot 2024-01-12 at 11.11.05 AM.png (134.0 KB) - added by akrocks 5 months ago.
Screenshot of fatal error encountered when "/wp-includes/blocks/index.php" is opened.
Screenshot 2024-01-12 at 11.36.54 AM.png (231.2 KB) - added by akrocks 5 months ago.
Screenshot of fatal error encountered when "/wp-includes/blocks" is opened.
60237.2.diff (445 bytes) - added by sakibmd 4 months ago.
Here I used the 'WPINC' constant to protect direct access.

Download all attachments as: .zip

Change History (13)

@akrocks
5 months ago

@akrocks
5 months ago

Screenshot of fatal error encountered when "/wp-includes/blocks/index.php" is opened.

@akrocks
5 months ago

Screenshot of fatal error encountered when "/wp-includes/blocks" is opened.

This ticket was mentioned in PR #5863 on WordPress/wordpress-develop by @akrocks.


5 months ago
#1

Trac ticket: https://core.trac.wordpress.org/ticket/60237

## Description

  • This PR adds a conditional check for the ABSPATH constant in the wp-includes/blocks/index.php file to prevent Undefined constant "ABSPATH" fatal error when someone opens /wp-includes/blocks/ or /wp-includes/blocks/index.php directly.

## Steps to reproduce

  • Create a fresh WordPress site & try opening "{site's domain}/wp-includes/blocks" or "{site's domain}/wp-includes/blocks/index.php".

## Screenshots

### Before

#### When opened /wp-includes/blocks

https://i0.wp.com/github.com/Pathan-Amaankhan/wordpress-develop/assets/63953699/f5ab1041-3b94-4e34-bfd9-8500655667c4

#### When opened /wp-includes/blocks/index.php

https://i0.wp.com/github.com/Pathan-Amaankhan/wordpress-develop/assets/63953699/c7c5d4e3-6f21-4683-b9cd-01b5e9565151

### After

#### When opened /wp-includes/blocks

https://i0.wp.com/github.com/Pathan-Amaankhan/wordpress-develop/assets/63953699/844b8acc-6a87-417e-b33d-3369a86efa1b

#### When opened /wp-includes/blocks/index.php

https://i0.wp.com/github.com/Pathan-Amaankhan/wordpress-develop/assets/63953699/5545ba4c-3ca6-4825-a1ad-745b53c905c6

#2 @mukesh27
5 months ago

  • Component changed from Site Health to Editor
  • Milestone changed from Awaiting Review to 6.5
  • Version set to 5.5

Thanks @akrocks for the ticket and PR!

Nice catch! The /wp-includes/blocks/index.php added in 5.5 version through [48262]/#50263

#3 @shailu25
5 months ago

Test Report

Tested Patch: https://github.com/WordPress/wordpress-develop/pull/5863

Environment:

WordPress: 6.4.2
OS: Windows
Browser: Firefox
Theme: Twenty Twenty Four
PHP: 8.0.18
Active Plugin: None

Step to Reproduce:

  • Create a fresh WordPress site & try opening "{site's domain}/wp-includes/blocks" or "{site's domain}/wp-includes/blocks/index.php".

Actual Result:

  • This Patch Prevents Undefined constant "ABSPATH" fatal error When open /wp-includes/blocks/index.php file or /wp-includes/blocks/ directly.✅

Screenshots:

Before Patch: https://prnt.sc/5VLmoNAZVoSb
After Patch: https://prnt.sc/nvpV8mYVwkZ2

@sakibmd
4 months ago

Here I used the 'WPINC' constant to protect direct access.

#4 @sakibmd
4 months ago

  • Resolution set to invalid
  • Status changed from new to closed

I have tested @akrocks PR and it works correctly. I have also introduced an additional solution.

I used the WPINC constant. By using WPINC, it works perfectly to prevent direct access.

#5 @sakibmd
4 months ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

#6 @rajinsharwar
4 months ago

  • Keywords changes-requested added
  • Owner set to rajinsharwar
  • Status changed from reopened to assigned

Hi @sakibmd, thanks for your patch, and it works great! But we shouldn't use a new String for this purpose I believe. As done in other files to prevent direct access, we can just do something like this:

// Don't load directly.
if ( ! defined( 'WPINC' ) ) {
        die( '-1' );
}

Feel free to share a new patch, and we can get this merged soon!

Last edited 4 months ago by rajinsharwar (previous) (diff)

This ticket was mentioned in PR #5961 on WordPress/wordpress-develop by @rajinsharwar.


4 months ago
#7

Fatal error when someone opens "/wp-includes/blocks/index.php".

Trac ticket: https://core.trac.wordpress.org/ticket/60237

#8 @rajinsharwar
4 months ago

  • Keywords needs-testing added; changes-requested removed

New patch added. Let's get some test reports before marking it for commit.

#9 @peterwilsoncc
4 months ago

  • Milestone 6.5 deleted
  • Resolution set to wontfix
  • Status changed from assigned to closed

There have been a number of similar reports to this in the past. Similar errors also happen in many other wp-includes/*.php and wp-admin/includes/*.php files.

However, this is not a security issue, nor is it something that's intended to be "fixed" as it's not encountered during "standard usage". As such, I'll close the ticket as wontfix (trac's term to indication no action is planned).

If WordPress is used on a production server, error displaying should be disabled, and/or direct access to the PHP files in the above directories should be disabled.

Some previous discussions: #35835, #38317.

Some other related tickets: #10367, #18715, #30103, #30806, #31663, #47154, #47945.

Note: See TracTickets for help on using tickets.