Making WordPress.org

Opened 7 months ago

Closed 7 months ago

Last modified 7 months ago

#4801 closed defect (maybelater)

Template partials should not be publicly accessible

Reported by: jonoaldersonwp
Owned by:
Milestone:
Priority: low
Component: General
Keywords: seo analytics
Cc:

Description (last modified by jonoaldersonwp)

Requests to https://wordpress.org/ URLs ending in header.php or footer.php return template partials.

E.g., https://wordpress.org/plugins/classic-editor/header.php.

These types of requests should return normal behaviour for these URLs (usually a 404 response).

Change History (6)

#1 @jonoaldersonwp
7 months ago

  • Description modified (diff)

#2 @jonoaldersonwp
7 months ago

  • Description modified (diff)
  • Priority changed from lowest to low

#3 @dd32
7 months ago

This functionality is actually intentional in many parts of WordPress.org; it's expected that header.php is accessible directly due to the mismatch of systems we run.

#4 @jonoaldersonwp
7 months ago

That's terrifying ;)

Can we prevent direct browser access to it, and force/return a 404?

#5 @Otto42
7 months ago

  • Resolution set to wontfix
  • Status changed from new to closed

Unfortunately, no. Not without breaking the way that trac and the codex work.

I'm going to mark this as wontfix for now, but maybe in the future when we have a different type of integration with these systems then we will be able to not have these accessible from outside, as it were.

#6 @SergeyBiryukov
7 months ago

  • Resolution changed from wontfix to maybelater