Harden handling of PHP superglobals to prevent notices and data integrity issues #10870
Conversation
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Unlinked AccountsThe following contributors have not linked their GitHub and WordPress.org accounts: @vishal.kakadiya@rtcamp.com. Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases. Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
| 'label' => __( 'Web server' ), | ||
| 'value' => $_SERVER['SERVER_SOFTWARE'] ?? __( 'Unable to determine what web server software is used' ), | ||
| 'debug' => $_SERVER['SERVER_SOFTWARE'] ?? 'unknown', | ||
| 'value' => isset( $_SERVER['SERVER_SOFTWARE'] ) ? wp_unslash( $_SERVER['SERVER_SOFTWARE'] ) : __( 'Unable to determine what web server software is used' ), |
There was a problem hiding this comment.
Can you add unit test for this please?
There was a problem hiding this comment.
@mukeshpanchal27 I don't see the test cases for this whole class. Should I need to write a unit test for the whole class OR is it good to merge for now?
There was a problem hiding this comment.
Unfortunately there are no tests at all for WP_Debug_Data. So I don't think this needs to be tested now.
sabernhardt
left a comment
sabernhardt
left a comment
There was a problem hiding this comment.
I recommend reverting both changes to _index.php, which do not relate to hardening.
You could open a separate pull request to rewrite the comment.
|
@sabernhardt I have reverted that suggested changes now. |
peterwilsoncc
left a comment
peterwilsoncc
left a comment
There was a problem hiding this comment.
I've added a note inline.
|
There's not actually any security hardening here, is there? The introduction of |
@westonruter Make sense, the ticket title may be confusing. But the goal is to sanitize the superglobal variables without directly using them in code. Do you have any suggestions/opinions on this? |
|
The goal makes sense. It's more about data integrity, though. |
westonruter
left a comment
westonruter
left a comment
There was a problem hiding this comment.
I can commit this later today unless there are any points of feedback.
westonruter
changed the title
…bug_Data`. Developed in #10870 Follow-up to [56056], [45156], [44986] Props vishalkakadiya, sabernhardt, peterwilsoncc, mukesh27, westonruter. Fixes #64599. git-svn-id: https://develop.svn.wordpress.org/trunk@61606 602fd350-edb4-49c9-b593-d223f7449a82
5 participants
Detail
WordPress core relies on several values from PHP superglobal variables. In some cases, these values are accessed directly without first verifying their existence or applying proper sanitization. This can lead to potential security concerns and PHP notices.
This pull request addresses a subset of these issues by adding appropriate existence checks and sanitization to ensure safer and more robust handling of superglobal data.
Trac ticket: https://core.trac.wordpress.org/ticket/64599