Making WordPress.org

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#4801 closed defect (maybelater)

Template partials should not be publicly accessible

Reported by: jonoaldersonwp
Owned by:
Milestone:
Priority: low
Component: General
Keywords: seo analytics
Cc:

Description (last modified by jonoaldersonwp)

Requests to https://wordpress.org/ URLs ending in header.php or footer.php return template partials.

E.g., https://wordpress.org/plugins/classic-editor/header.php.

These types of requests should return normal behaviour for these URLs (usually a 404 response).

Change History (6)

#1 @jonoaldersonwp
2 years ago

  • Description modified (diff)

#2 @jonoaldersonwp
2 years ago

  • Description modified (diff)
  • Priority changed from lowest to low

#3 @dd32
2 years ago

This functionality is actually intentional in many parts of WordPress.org; it's expected that header.php is accessible directly due to the mismatch of systems we run.

#4 @jonoaldersonwp
2 years ago

That's terrifying ;)

Can we prevent direct browser access to it, and force/return a 404?

#5 @Otto42
2 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

Unfortunately, no. Not without breaking the way that trac and the codex work.

I'm going to mark this as wontfix for now, but maybe in the future when we have a different type of integration with these systems then we will be able to not have these accessible from outside, as it were.

#6 @SergeyBiryukov
2 years ago

  • Resolution changed from wontfix to maybelater