Make WordPress Core

Opened 5 weeks ago

#62355 new defect (bug)

WP sets REQUEST_URI to an invalid value if it's not set

Reported by: kkmuffme's profile kkmuffme Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:

Description

https://github.com/WordPress/wordpress-develop/blame/trunk/src/wp-includes/load.php#L39

This is invalid, since REQUEST_URI is always at least / and cannot be an empty string (you can test it, even for https://example.com it will be / - or read https://datatracker.ietf.org/doc/html/rfc3986, which shows it's possibly that it can be empty, but in that case PHP would not set the $_SERVER variable, therefore in context of PHP it's impossible it's an empty string for a valid request, unless someone incorrectly modifies it - like WP in this case)

This issue propagates e.g. https://github.com/WordPress/wordpress-develop/blame/trunk/src/wp-includes/load.php#L72 which then means we have an impossible "?foo" for example as request URI.

Change History (0)

Note: See TracTickets for help on using tickets.