Make WordPress Core

Opened 8 weeks ago

Last modified 8 weeks ago

#62722 new defect (bug)

Fix all ABSPATH direct access errors

Reported by: bor0
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: General
Keywords: has-patch dev-feedback
Focuses:
Cc:

Description

We host WooCommerce.com, and our logs are flooded with ABSPATH errors due to possibly bots accessing random URLs.

I see that this was already reported in #61314, #61286, #61277, #61912, #55936. The aim of this ticket is to resolve all "undefined ABSPATH" related issues.

Here is the easiest way to get all ABSPATH issues:

$ wp core download
Downloading WordPress 6.7.1 (en_US)...
md5 hash verified: fae7bae13a158496ab884b6cdb0c5c03
Success: WordPress downloaded.
$ wp config create --dbname=wordpress --dbuser=root
Success: Generated 'wp-config.php' file.
$ wp db create
Success: Database created.
$ wp core install --url=localhost:8080 --title="WordPress" --admin_user=bor0 --admin_password=asdf --admin_email=boro.sitnikovski@automattic.com
Success: WordPress installed successfully.
$ > ~/dev/log/error_log # empty error log
$ find . -name '*.php' | sed 's|^\./||' | xargs -I {} echo "http://localhost:8080/{}" > urls.txt # generate urls
$ xargs -P 10 -n 1 curl -s -o /dev/null < urls.txt # visit each url
$ grep ABSPATH ~/dev/log/error_log | grep -o '/[^ ]*.php' | uniq
/opt/homebrew/var/www/wp-settings.php
/opt/homebrew/var/www/wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php
/opt/homebrew/var/www/wp-admin/includes/class-wp-upgrader.php
/opt/homebrew/var/www/wp-admin/includes/nav-menu.php
/opt/homebrew/var/www/wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php
/opt/homebrew/var/www/wp-admin/includes/template.php
/opt/homebrew/var/www/wp-includes/functions.php
/opt/homebrew/var/www/wp-includes/blocks/require-dynamic-blocks.php
/opt/homebrew/var/www/wp-includes/class-wp-customize-setting.php
/opt/homebrew/var/www/wp-includes/class-wp-customize-panel.php
/opt/homebrew/var/www/wp-includes/class-simplepie.php
/opt/homebrew/var/www/wp-includes/cache.php
/opt/homebrew/var/www/wp-includes/class-IXR.php
/opt/homebrew/var/www/wp-includes/meta.php
/opt/homebrew/var/www/wp-includes/ms-blogs.php
/opt/homebrew/var/www/wp-includes/Requests/library/Requests.php
/opt/homebrew/var/www/wp-includes/wp-diff.php
/opt/homebrew/var/www/wp-includes/class-wp-customize-section.php
/opt/homebrew/var/www/wp-includes/class-wp-customize-control.php
/opt/homebrew/var/www/wp-includes/nav-menu-template.php
/opt/homebrew/var/www/wp-includes/default-widgets.php
/opt/homebrew/var/www/wp-includes/class-wp-http.php
/opt/homebrew/var/www/wp-includes/ms-settings.php
/opt/homebrew/var/www/wp-includes/script-loader.php

Props @raicem

Attachments (1)

62722.patch (11.4 KB) - added by bor0 8 weeks ago.

Change History (2)

#1 @bor0
8 weeks ago

  • Keywords has-patch dev-feedback added

The attached file looks to address all the ABSPATH issues. Note that there are other issues (such as add_action undefined, etc.) but I'd propose addressing those as separate trac issues.

$ grep ABSPATH ~/dev/log/error_log | grep -o '/[^ ]*.php' | uniq
/opt/homebrew/var/www/wp-settings.php
/opt/homebrew/var/www/wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php
/opt/homebrew/var/www/wp-admin/includes/class-wp-upgrader.php
/opt/homebrew/var/www/wp-admin/includes/nav-menu.php
/opt/homebrew/var/www/wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php
/opt/homebrew/var/www/wp-admin/includes/template.php
/opt/homebrew/var/www/wp-includes/functions.php
/opt/homebrew/var/www/wp-includes/blocks/require-dynamic-blocks.php
/opt/homebrew/var/www/wp-includes/class-wp-customize-setting.php
/opt/homebrew/var/www/wp-includes/class-wp-customize-panel.php
/opt/homebrew/var/www/wp-includes/class-simplepie.php
/opt/homebrew/var/www/wp-includes/cache.php
/opt/homebrew/var/www/wp-includes/class-IXR.php
/opt/homebrew/var/www/wp-includes/meta.php
/opt/homebrew/var/www/wp-includes/ms-blogs.php
/opt/homebrew/var/www/wp-includes/Requests/library/Requests.php
/opt/homebrew/var/www/wp-includes/wp-diff.php
/opt/homebrew/var/www/wp-includes/class-wp-customize-section.php
/opt/homebrew/var/www/wp-includes/class-wp-customize-control.php
/opt/homebrew/var/www/wp-includes/nav-menu-template.php
/opt/homebrew/var/www/wp-includes/default-widgets.php
/opt/homebrew/var/www/wp-includes/class-wp-http.php
/opt/homebrew/var/www/wp-includes/ms-settings.php
/opt/homebrew/var/www/wp-includes/script-loader.php
$ patch -p0 < ~/Desktop/62722.patch 
patching file 'wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php'
patching file 'wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php'
patching file 'wp-admin/includes/class-wp-upgrader.php'
patching file 'wp-admin/includes/nav-menu.php'
patching file 'wp-admin/includes/template.php'
patching file 'wp-includes/Requests/library/Requests.php'
patching file 'wp-includes/blocks/require-dynamic-blocks.php'
patching file 'wp-includes/cache.php'
patching file 'wp-includes/class-IXR.php'
patching file 'wp-includes/class-simplepie.php'
patching file 'wp-includes/class-wp-customize-control.php'
patching file 'wp-includes/class-wp-customize-panel.php'
patching file 'wp-includes/class-wp-customize-section.php'
patching file 'wp-includes/class-wp-customize-setting.php'
patching file 'wp-includes/class-wp-http.php'
patching file 'wp-includes/default-widgets.php'
patching file 'wp-includes/functions.php'
patching file 'wp-includes/meta.php'
patching file 'wp-includes/ms-blogs.php'
patching file 'wp-includes/ms-settings.php'
patching file 'wp-includes/nav-menu-template.php'
patching file 'wp-includes/script-loader.php'
patching file 'wp-includes/wp-diff.php'
patching file wp-settings.php
$ > ~/dev/log/error_log # empty error log
$ find . -name '*.php' | sed 's|^\./||' | xargs -I {} echo "http://localhost:8080/{}" > urls.txt # generate urls
$ xargs -P 10 -n 1 curl -s -o /dev/null < urls.txt # visit each url
$ grep ABSPATH ~/dev/log/error_log | grep -o '/[^ ]*.php' | uniq
$

That is, after applying the patch, no ABSPATH errors are reported.

@SergeyBiryukov I'd like to get your attention on this ticket - since you're blazingly fast at helping out :)
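
A static cross-check for the crawl shown in this ticket, added here as an example and not part of the ticket or the attached patch: it reports PHP files whose first use of ABSPATH has no defined( 'ABSPATH' ) test above it. The function names, the sample files and the guard form in them are assumptions, and the matching is a line-based heuristic rather than a PHP parser.

```shell
#!/bin/sh
# Report "path:line" for each PHP file under a directory whose first use of
# the ABSPATH constant is not preceded by a defined( 'ABSPATH' ) test.
# Heuristic and line-based; it does not parse PHP.

abspath_unguarded() {
    ( cd "$1" || exit 1
      find . -name '*.php' -type f | sed 's|^\./||' | sort |
      while IFS= read -r f; do
          awk '
              /^[ \t]*(\/\/|#|\/\*|\*)/          { next }  # skip comment lines
              /define\([ \t]*.ABSPATH./           { exit }  # file defines the constant itself
              /defined\([ \t]*.ABSPATH.[ \t]*\)/  { exit }  # guard appears before any use
              /ABSPATH/ { print FILENAME ":" FNR; exit }    # use with no guard above it
          ' "$f"
      done )
}

# Constructed sample tree (file names and contents are made up for this
# example, not taken from WordPress).
make_sample_tree() {
    d=$(mktemp -d) && mkdir "$d/inc" || return 1
    # Entry point: defines ABSPATH, then loads other files.
    printf '%s\n' '<?php' "define( 'ABSPATH', __DIR__ . '/' );" \
        "require ABSPATH . 'inc/guarded.php';" > "$d/loader.php"
    # Guarded include: exits when requested directly.
    printf '%s\n' '<?php' "if ( ! defined( 'ABSPATH' ) ) {" '    exit;' '}' \
        "require ABSPATH . 'inc/helper.php';" > "$d/inc/guarded.php"
    # Unguarded include: a direct request hits the undefined constant.
    printf '%s\n' '<?php' '// Needs ABSPATH from the loader.' \
        "require ABSPATH . 'inc/helper.php';" > "$d/inc/direct-use.php"
    # File that never touches the constant.
    printf '%s\n' '<?php' 'function helper() { return 1; }' > "$d/inc/helper.php"
    echo "$d"
}

tree=$(make_sample_tree)
abspath_unguarded "$tree"
rm -rf "$tree"
```

Run against a checkout, the output can be compared with the file list that grep pulls from the error log after the crawl; a file in one list but not the other is worth reading by hand.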
