Make WordPress Core

Opened 8 months ago

Last modified 2 days ago

#61314 reopened defect (bug)

Uncaught exception 'Error' with multiple messages in wp-include directory files during direct access

Reported by: deepakrohilla Owned by: audrasjb
Milestone: 6.8 Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:

Description

The .php files in the wp-includes folder are included by other files and are not meant to be loaded directly. If someone encounters and addresses direct access to wp-includes directory files, a 500 error is returned, so restrict direct access calls in wp-includes and its subdirectories to ensure all code works well.

This is the list of files that produced errors on direct access.

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/class-wp-customize-control.php:707
Request URI : <domain-name>/wp-includes/class-wp-customize-control.php

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/ms-blogs.php:11
Request URI : <domain-name>/wp-includes/ms-blogs.php

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/class-wp-http.php:11
Request URI : <domain-name>/wp-includes/class-wp-http.php

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/class-wp-customize-panel.php:411
Request URI : <domain-name>/wp-includes/class-wp-customize-panel.php

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/class-wp-customize-setting.php:964
Request URI : <domain-name>/wp-includes/class-wp-customize-setting.php

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/ms-settings.php:35
Request URI : <domain-name>/wp-includes/ms-settings.php

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/nav-menu-template.php:11
Request URI : <domain-name>/wp-includes/nav-menu-template.php

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/wp-diff.php:13
Request URI : <domain-name>/wp-includes/wp-diff.php

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/class-IXR.php:42
Request URI : <domain-name>/wp-includes/class-IXR.php

Uncaught exception 'Error' with message 'Call to undefined function is_main_site()' in /var/www/wp-includes/update.php:1080
Request URI : <domain-name>/wp-includes/update.php

Uncaught exception 'Error' with message 'Call to undefined function is_admin()' in /var/www/wp-includes/vars.php:23
Request URI : <domain-name>/wp-includes/vars.php

Uncaught exception 'Error' with message 'Call to undefined function add_shortcode()' in /var/www/wp-includes/media.php:2173
Request URI : <domain-name>/wp-includes/media.php

Uncaught exception 'Error' with message 'Call to undefined function add_filter()' in /var/www/wp-includes/default-filters.php:22
Request URI : <domain-name>/wp-includes/default-filters.php

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/functions.php:8
Request URI : <domain-name>/wp-includes/functions.php

Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/default-widgets.php:11
Request URI : <domain-name>/wp-includes/default-widgets.php

Uncaught exception 'Error' with message 'Call to undefined function feed_content_type()' in /var/www/wp-includes/feed-atom.php:8
Request URI : <domain-name>/wp-includes/feed-atom.php

Uncaught exception 'Error' with message 'Class "SimplePie_Sanitize" not found' in /var/www/wp-includes/class-wp-simplepie-sanitize-kses.php:21
Request URI : <domain-name>/wp-includes/class-wp-simplepie-sanitize-kses.php

Uncaught exception 'Error' with message 'Class "Text_Diff_Renderer" not found' in /var/www/wp-includes/class-wp-text-diff-renderer-table.php:17
Request URI : <domain-name>/wp-includes/class-wp-text-diff-renderer-table.php

Change History (13)

#1
8 months ago

This ticket was mentioned in PR #6665 on WordPress/wordpress-develop by @deepakrohilla.

Fix direct accessibility of multiple wp-includes directory files.

#2 @cbravobernal
5 weeks ago

  • Keywords dev-feedback added
  • Milestone changed from Awaiting Review to 6.8

This ticket was mentioned in Slack in #core by audrasjb.
5 days ago

#4 @audrasjb
3 days ago

  • Keywords commit added; dev-feedback removed
  • Owner changed from deepakrohilla to audrasjb
  • Status changed from assigned to accepted

As per yesterday's Core early tickets bug scrub: the performance tests were failing, so we agreed to restart them to make sure it wasn't a false alert.

I did restart them, and it appears all the tests are now passing ✅

Thus I'm self assigning the ticket to ship it in 6.8 :)

#5 @audrasjb
3 days ago

In 59678:

General: Stop direct loading of files in /wp-admin that should only be included.

This changeset restricts direct access calls in /wp-admin and its subdirectories.

Follow-up to [11768].

Props deepakrohilla.
See #61314.

#6 @audrasjb
3 days ago

  • Keywords reporter-feedback added; commit removed

@deepakrohilla I committed part of your changes, those related to the /wp-admin folder.
Concerning changes located in /wp-includes, I noticed a lot of files not modified by your PR. For example, you modified default-filters.php but not default-constants.php. Was it on purpose? There are a lot of other files with the same question. Thanks.

#7 @deepakrohilla
3 days ago

@audrasjb Thank you for committing the changes related to the /wp-admin folder.

Regarding the /wp-includes folder, the modifications in my PR were focused on addressing specific fatal errors, such as the "Uncaught Error" issue. Files like default-constants.php and others were not modified because they did not return any errors. For example, direct access to /wp-includes/embed.php also does not trigger any errors, which is why default-constants.php was left unchanged.

Last edited 3 days ago by deepakrohilla

#8 @flixos90
2 days ago

Thanks @audrasjb for taking this one, I was just about to take a look at it :)

I agree with your feedback that we should add the conditional check on every file that shouldn't be directly accessible, except files that have only a single class. I think for all other files there is no clear guidance on whether or not to include any function calls or hook additions directly in the root of the file, so it's safer to always have them.

FWIW this aligns with plugin directory guidelines that any non-class (or non-interface or non-trait) file should have such a check.
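
The rule described in this comment (every non-class file that is only meant to be included should carry the `ABSPATH` check, single-class files are exempt) can be audited mechanically. The following is an added example, not code from WordPress core or from this ticket's PR: a small Python heuristic that splits a PHP source into its top-level statements and reports whether a file is a class-only file, already guarded with the conventional `if ( ! defined( 'ABSPATH' ) )` check, or missing the guard (the state of default-filters.php in the ticket description). The sample sources are constructed to look like the files named in the ticket and are not the real core files.

```python
import re

# Drop comments; keep string literals but blank out { } ; inside them so the
# brace/semicolon counter below is not fooled (added audit helper, not core code).
_NOISE_RE = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*"        # block and line comments
    r"|'(?:\\.|[^'\\])*'"                # single-quoted strings
    r'|"(?:\\.|[^"\\])*"', re.S)         # double-quoted strings
# The conventional core guard: if ( ! defined( 'ABSPATH' ) ) { exit; }
_GUARD_RE = re.compile(r"^if\s*\(\s*!\s*defined\s*\(\s*['\"]ABSPATH['\"]\s*\)")
_CLASS_RE = re.compile(r"^(?:(?:abstract|final|readonly)\s+)*(?:class|interface|trait|enum)\b")
_SKIP_RE = re.compile(r"^(?:namespace|use|declare)\b")  # neutral declarations

def _clean(src):
    def repl(m):
        tok = m.group(0)
        return re.sub(r"[{};]", "_", tok) if tok[0] in "'\"" else ""
    return _NOISE_RE.sub(repl, src).replace("<?php", "").replace("?>", "")

def top_level_statements(src):
    """Split PHP source into the statements that sit at brace depth 0."""
    stmts, buf, depth = [], [], 0
    for ch in _clean(src):
        buf.append(ch)
        depth += (ch == "{") - (ch == "}")
        if depth == 0 and ch in ";}":
            stmt = "".join(buf).strip(" \t\r\n;")
            if stmt:
                stmts.append(stmt)
            buf = []
    return stmts

def classify(src):
    """'exempt' (single-class file), 'guarded', or 'missing-guard' (this ticket)."""
    stmts = top_level_statements(src)
    other = [s for s in stmts if not (_GUARD_RE.match(s) or _CLASS_RE.match(s) or _SKIP_RE.match(s))]
    if not other and any(_CLASS_RE.match(s) for s in stmts):
        return "exempt"
    return "guarded" if any(_GUARD_RE.match(s) for s in stmts) else "missing-guard"

# Constructed samples shaped like the files in the ticket (not real core sources).
SAMPLES = {
    "default-filters.php": "<?php\n/** Default hooks. */\nadd_filter( 'pre_term_name', 'sanitize_text_field' ); // don't load directly\n",
    "guarded.php": "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\nfunction ex_helper() { return 'a;b{c}'; }\nadd_filter( 'the_content', 'ex_helper' );\n",
    "class-wp-example.php": "<?php\nnamespace Example;\nfinal class WP_Example extends \\WP_Customize_Control {\n\tpublic function render_content() { echo esc_html( 'x' ); }\n}\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name}: {classify(src)}")
```

The heuristic only recognises the `if ( ! defined( 'ABSPATH' ) )` form of the guard; files that only define functions are reported as needing the check, matching the guideline above rather than the "no fatal error" criterion used to pick files for the PR.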

#9 @audrasjb
2 days ago

  • Keywords commit added; reporter-feedback removed

Alrighty, thank you both! Then I will start committing the other changes addressed by the PR, then reopen this ticket so we can address the remaining files.

#10 @audrasjb
2 days ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 59688:

General: Stop direct loading of files in /wp-includes that should only be included.

This changeset restricts direct access calls in /wp-includes and its subdirectories.

Follow-up to [11768], [59678].

Props deepakrohilla.
Fixes #61314.

#12 @audrasjb
2 days ago

  • Keywords has-patch commit removed
  • Resolution fixed deleted
  • Severity changed from major to normal
  • Status changed from closed to reopened

Reopening to address more occurrences (I'll add a new PR soon).

#13 @swissspidy
2 days ago

btw, this issue has come up numerous times in the past, see #36177 and all the tickets that were closed as duplicates. See also #18546
