Opened 5 weeks ago
#62355 new defect (bug)
WP sets REQUEST_URI to an invalid value if it's not set
Reported by: | kkmuffme | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | General | Keywords: | |
Focuses: | Cc: |
Description
https://github.com/WordPress/wordpress-develop/blame/trunk/src/wp-includes/load.php#L39
This is invalid, since REQUEST_URI is always at least / and cannot be an empty string (you can test it, even for https://example.com it will be / - or read https://datatracker.ietf.org/doc/html/rfc3986, which shows it's possibly that it can be empty, but in that case PHP would not set the $_SERVER variable, therefore in context of PHP it's impossible it's an empty string for a valid request, unless someone incorrectly modifies it - like WP in this case)
This issue propagates e.g. https://github.com/WordPress/wordpress-develop/blame/trunk/src/wp-includes/load.php#L72 which then means we have an impossible "?foo" for example as request URI.