Opened 8 months ago
Last modified 2 days ago
#61314 reopened defect (bug)
Uncaught exception 'Error' with multiple messages in wp-include directory files during direct access
Reported by: | deepakrohilla | Owned by: | audrasjb |
---|---|---|---|
Milestone: | 6.8 | Priority: | normal |
Severity: | normal | Version: | |
Component: | General | Keywords: | |
Focuses: | Cc: |
Description
wp-includes folder .php extension files include in others files not loaded directly. If someone encounter and address direct access of wp-includes directory files, will return 500 error, so restrict direct access call in wp-includes and its sub directories to ensure all code works well.
These are the lists of files which encountered error on direct access.
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/class-wp-customize-control.php:707
Request URI : <domain-name>/wp-includes/class-wp-customize-control.php
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/ms-blogs.php:11
Request URI : <domain-name>/wp-includes/ms-blogs.php
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/class-wp-http.php:11
Request URI : <domain-name>/wp-includes/class-wp-http.php
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/class-wp-customize-panel.php:411
Request URI : <domain-name>/wp-includes/class-wp-customize-panel.php
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/class-wp-customize-setting.php:964
Request URI : <domain-name>/wp-includes/class-wp-customize-setting.php
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/ms-settings.php:35
Request URI : <domain-name>/wp-includes/ms-settings.php
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/nav-menu-template.php:11
Request URI : <domain-name>/wp-includes/nav-menu-template.php
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/wp-diff.php:13
Request URI : <domain-name>/wp-includes/wp-diff.php
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/class-IXR.php:42
Request URI : <domain-name>/wp-includes/class-IXR.php
Uncaught exception 'Error' with message 'Call to undefined function is_main_site()' in /var/www/wp-includes/update.php:1080
Request URI : <domain-name>/wp-includes/update.php
Uncaught exception 'Error' with message 'Call to undefined function is_admin()' in /var/www/wp-includes/vars.php:23
Request URI : <domain-name>/wp-includes/vars.php
Uncaught exception 'Error' with message 'Call to undefined function add_shortcode()' in /var/www/wp-includes/media.php:2173
Request URI : <domain-name>/wp-includes/media.php
Uncaught exception 'Error' with message 'Call to undefined function add_filter()' in /var/www/wp-includes/default-filters.php:22
Request URI : <domain-name>/wp-includes/default-filters.php
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/functions.php:8
Request URI : <domain-name>/wp-includes/functions.php
Uncaught exception 'Error' with message 'Undefined constant "ABSPATH"' in /var/www/wp-includes/default-widgets.php:11
Request URI : <domain-name>/wp-includes/default-widgets.php
Uncaught exception 'Error' with message 'Call to undefined function feed_content_type()' in /var/www/wp-includes/feed-atom.php:8
Request URI : <domain-name>/wp-includes/feed-atom.php
Uncaught exception 'Error' with message 'Class "SimplePie_Sanitize" not found' in /var/www/wp-includes/class-wp-simplepie-sanitize-kses.php:21
Request URI : <domain-name>/wp-includes/class-wp-simplepie-sanitize-kses.php
Uncaught exception 'Error' with message 'Class "Text_Diff_Renderer" not found' in /var/www/wp-includes/class-wp-text-diff-renderer-table.php:17
Request URI : <domain-name>/wp-includes/class-wp-text-diff-renderer-table.php
Change History (13)
This ticket was mentioned in PR #6665 on WordPress/wordpress-develop by @deepakrohilla.
8 months ago
#1
This ticket was mentioned in Slack in #core by audrasjb. View the logs.
5 days ago
#4
@
3 days ago
- Keywords commit added; dev-feedback removed
- Owner changed from deepakrohilla to audrasjb
- Status changed from assigned to accepted
As per yesterdays Core early tickets bug scrub: The performance tests were failing so we agreed to restart them to make sure it wasn't a false alert.
I did restart them, and it appears all the test are now passing ✅
Thus I'm self assigning the ticket to ship it in 6.8 :)
#6
@
3 days ago
- Keywords reporter-feedback added; commit removed
@deepakrohilla I committed part of you changes, those related to /wp-admin folder.
Concerning changes located in /wp-includes, I noticed a lot of files not modified by your PR. For example, you modified default-filters.php
but not default-constants.php
. Was it on purpose? There's a lot of other files with the same question. Thanks.
#7
@
3 days ago
@audrasjb Thank you for committing the changes related to the /wp-admin folder.
Regarding the /wp-includes folder, the modifications in my PR were focused on addressing specific fatal errors, such as the "Uncaught Error" issue. Files like default-constants.php and others were not modified because they did not return any errors. For example, direct access to /wp-includes/embed.php also does not trigger any errors, which is why default-constants.php was left unchanged.
#8
@
2 days ago
Thanks @audrasjb for taking this one, I was just about to take a look at it :)
I agree with your feedback that we should add the conditional check on every file that shouldn't be directly accessible, except files that have only a single class. I think for all other files there is no clear guidance on whether or not to include any function calls or hook additions directly in the root of the file, so it's safer to always have them.
FWIW this aligns with plugin directory guidelines that any non-class (or non-interface or non-trait) file should have such a check.
#9
@
2 days ago
- Keywords commit added; reporter-feedback removed
Alrighty thank you both! Then I will start committing the other changes addressed by the PR then reopen this ticket so we can address the remaining files.
Fix direct accessibility of wp-includes directory multiple files.