Issues (4967)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/wp-settings.php (2 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php
/**
 * Used to set up and fix common variables and include
 * the WordPress procedural and class library.
 *
 * Allows for some configuration in wp-config.php (see default-constants.php)
 *
 * @package WordPress
 */

/**
 * Stores the location of the WordPress directory of functions, classes, and core content.
 *
 * @since 1.0.0
 */
define( 'WPINC', 'wp-includes' );

// Include files required for initialization.
require( ABSPATH . WPINC . '/load.php' );
require( ABSPATH . WPINC . '/default-constants.php' );
require_once( ABSPATH . WPINC . '/plugin.php' );

/*
 * These can't be directly globalized in version.php. When updating,
 * we're including version.php from another install and don't want
 * these values to be overridden if already set.
 */
global $wp_version, $wp_db_version, $tinymce_version, $required_php_version, $required_mysql_version, $wp_local_package;
require( ABSPATH . WPINC . '/version.php' );

/**
 * If not already configured, `$blog_id` will default to 1 in a single site
 * configuration. In multisite, it will be overridden by default in ms-settings.php.
 *
 * @global int $blog_id
 * @since 2.0.0
 */
global $blog_id;

// Set initial default constants including WP_MEMORY_LIMIT, WP_MAX_MEMORY_LIMIT, WP_DEBUG, SCRIPT_DEBUG, WP_CONTENT_DIR and WP_CACHE.
wp_initial_constants();

// Check for the required PHP version and for the MySQL extension or a database drop-in.
wp_check_php_mysql_versions();

// Disable magic quotes at runtime. Magic quotes are added using wpdb later in wp-settings.php.
@ini_set( 'magic_quotes_runtime', 0 );
Security Best Practice
It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended.

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
@ini_set( 'magic_quotes_sybase',  0 );
Security Best Practice
It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. The same recommendation as for the previous line applies: if you suppress an error, check for the error condition explicitly instead of discarding it.

// WordPress calculates offsets from UTC.
date_default_timezone_set( 'UTC' );

// Turn register_globals off.
wp_unregister_GLOBALS();

// Standardize $_SERVER variables across setups.
wp_fix_server_vars();

// Check if we have received a request due to missing favicon.ico
wp_favicon_request();

// Check if we're in maintenance mode.
wp_maintenance();

// Start loading timer.
timer_start();

// Check if we're in WP_DEBUG mode.
wp_debug_mode();

/**
 * Filters whether to enable loading of the advanced-cache.php drop-in.
 *
 * This filter runs before it can be used by plugins. It is designed for non-web
 * run-times. If false is returned, advanced-cache.php will never be loaded.
 *
 * @since 4.6.0
 *
 * @param bool $enable_advanced_cache Whether to enable loading advanced-cache.php (if present).
 *                                    Default true.
 */
if ( WP_CACHE && apply_filters( 'enable_loading_advanced_cache_dropin', true ) ) {
	// For an advanced caching plugin to use. Uses a static drop-in because you would only want one.
	WP_DEBUG ? include( WP_CONTENT_DIR . '/advanced-cache.php' ) : @include( WP_CONTENT_DIR . '/advanced-cache.php' );

	// Re-initialize any hooks added manually by advanced-cache.php
	if ( $wp_filter ) {
		$wp_filter = WP_Hook::build_preinitialized_hooks( $wp_filter );
	}
}

// Define WP_LANG_DIR if not set.
wp_set_lang_dir();

// Load early WordPress files.
require( ABSPATH . WPINC . '/compat.php' );
require( ABSPATH . WPINC . '/class-wp-list-util.php' );
require( ABSPATH . WPINC . '/functions.php' );
require( ABSPATH . WPINC . '/class-wp-matchesmapregex.php' );
require( ABSPATH . WPINC . '/class-wp.php' );
require( ABSPATH . WPINC . '/class-wp-error.php' );
require( ABSPATH . WPINC . '/pomo/mo.php' );

// Include the wpdb class and, if present, a db.php database drop-in.
global $wpdb;
require_wp_db();

// Set the database table prefix and the format specifiers for database table columns.
$GLOBALS['table_prefix'] = $table_prefix;
wp_set_wpdb_vars();

// Start the WordPress object cache, or an external object cache if the drop-in is present.
wp_start_object_cache();

// Attach the default filters.
require( ABSPATH . WPINC . '/default-filters.php' );

// Initialize multisite if enabled.
if ( is_multisite() ) {
	require( ABSPATH . WPINC . '/class-wp-site-query.php' );
	require( ABSPATH . WPINC . '/class-wp-network-query.php' );
	require( ABSPATH . WPINC . '/ms-blogs.php' );
	require( ABSPATH . WPINC . '/ms-settings.php' );
} elseif ( ! defined( 'MULTISITE' ) ) {
	define( 'MULTISITE', false );
}

register_shutdown_function( 'shutdown_action_hook' );

// Stop most of WordPress from being loaded if we just want the basics.
if ( SHORTINIT )
	return false;

// Load the L10n library.
require_once( ABSPATH . WPINC . '/l10n.php' );
require_once( ABSPATH . WPINC . '/class-wp-locale.php' );
require_once( ABSPATH . WPINC . '/class-wp-locale-switcher.php' );

// Run the installer if WordPress is not installed.
wp_not_installed();

// Load most of WordPress.
require( ABSPATH . WPINC . '/class-wp-walker.php' );
require( ABSPATH . WPINC . '/class-wp-ajax-response.php' );
require( ABSPATH . WPINC . '/formatting.php' );
require( ABSPATH . WPINC . '/capabilities.php' );
require( ABSPATH . WPINC . '/class-wp-roles.php' );
require( ABSPATH . WPINC . '/class-wp-role.php' );
require( ABSPATH . WPINC . '/class-wp-user.php' );
require( ABSPATH . WPINC . '/class-wp-query.php' );
require( ABSPATH . WPINC . '/query.php' );
require( ABSPATH . WPINC . '/date.php' );
require( ABSPATH . WPINC . '/theme.php' );
require( ABSPATH . WPINC . '/class-wp-theme.php' );
require( ABSPATH . WPINC . '/template.php' );
require( ABSPATH . WPINC . '/user.php' );
require( ABSPATH . WPINC . '/class-wp-user-query.php' );
require( ABSPATH . WPINC . '/class-wp-session-tokens.php' );
require( ABSPATH . WPINC . '/class-wp-user-meta-session-tokens.php' );
require( ABSPATH . WPINC . '/meta.php' );
require( ABSPATH . WPINC . '/class-wp-meta-query.php' );
require( ABSPATH . WPINC . '/class-wp-metadata-lazyloader.php' );
require( ABSPATH . WPINC . '/general-template.php' );
require( ABSPATH . WPINC . '/link-template.php' );
require( ABSPATH . WPINC . '/author-template.php' );
require( ABSPATH . WPINC . '/post.php' );
require( ABSPATH . WPINC . '/class-walker-page.php' );
require( ABSPATH . WPINC . '/class-walker-page-dropdown.php' );
require( ABSPATH . WPINC . '/class-wp-post-type.php' );
require( ABSPATH . WPINC . '/class-wp-post.php' );
require( ABSPATH . WPINC . '/post-template.php' );
require( ABSPATH . WPINC . '/revision.php' );
require( ABSPATH . WPINC . '/post-formats.php' );
require( ABSPATH . WPINC . '/post-thumbnail-template.php' );
require( ABSPATH . WPINC . '/category.php' );
require( ABSPATH . WPINC . '/class-walker-category.php' );
require( ABSPATH . WPINC . '/class-walker-category-dropdown.php' );
require( ABSPATH . WPINC . '/category-template.php' );
require( ABSPATH . WPINC . '/comment.php' );
require( ABSPATH . WPINC . '/class-wp-comment.php' );
require( ABSPATH . WPINC . '/class-wp-comment-query.php' );
require( ABSPATH . WPINC . '/class-walker-comment.php' );
require( ABSPATH . WPINC . '/comment-template.php' );
require( ABSPATH . WPINC . '/rewrite.php' );
require( ABSPATH . WPINC . '/class-wp-rewrite.php' );
require( ABSPATH . WPINC . '/feed.php' );
require( ABSPATH . WPINC . '/bookmark.php' );
require( ABSPATH . WPINC . '/bookmark-template.php' );
require( ABSPATH . WPINC . '/kses.php' );
require( ABSPATH . WPINC . '/cron.php' );
require( ABSPATH . WPINC . '/deprecated.php' );
require( ABSPATH . WPINC . '/script-loader.php' );
require( ABSPATH . WPINC . '/taxonomy.php' );
require( ABSPATH . WPINC . '/class-wp-taxonomy.php' );
require( ABSPATH . WPINC . '/class-wp-term.php' );
require( ABSPATH . WPINC . '/class-wp-term-query.php' );
require( ABSPATH . WPINC . '/class-wp-tax-query.php' );
require( ABSPATH . WPINC . '/update.php' );
require( ABSPATH . WPINC . '/canonical.php' );
require( ABSPATH . WPINC . '/shortcodes.php' );
require( ABSPATH . WPINC . '/embed.php' );
require( ABSPATH . WPINC . '/class-wp-embed.php' );
require( ABSPATH . WPINC . '/class-oembed.php' );
require( ABSPATH . WPINC . '/class-wp-oembed-controller.php' );
require( ABSPATH . WPINC . '/media.php' );
require( ABSPATH . WPINC . '/http.php' );
require( ABSPATH . WPINC . '/class-http.php' );
require( ABSPATH . WPINC . '/class-wp-http-streams.php' );
require( ABSPATH . WPINC . '/class-wp-http-curl.php' );
require( ABSPATH . WPINC . '/class-wp-http-proxy.php' );
require( ABSPATH . WPINC . '/class-wp-http-cookie.php' );
require( ABSPATH . WPINC . '/class-wp-http-encoding.php' );
require( ABSPATH . WPINC . '/class-wp-http-response.php' );
require( ABSPATH . WPINC . '/class-wp-http-requests-response.php' );
require( ABSPATH . WPINC . '/class-wp-http-requests-hooks.php' );
require( ABSPATH . WPINC . '/widgets.php' );
require( ABSPATH . WPINC . '/class-wp-widget.php' );
require( ABSPATH . WPINC . '/class-wp-widget-factory.php' );
require( ABSPATH . WPINC . '/nav-menu.php' );
require( ABSPATH . WPINC . '/nav-menu-template.php' );
require( ABSPATH . WPINC . '/admin-bar.php' );
require( ABSPATH . WPINC . '/rest-api.php' );
require( ABSPATH . WPINC . '/rest-api/class-wp-rest-server.php' );
require( ABSPATH . WPINC . '/rest-api/class-wp-rest-response.php' );
require( ABSPATH . WPINC . '/rest-api/class-wp-rest-request.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-controller.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-posts-controller.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-attachments-controller.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-post-types-controller.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-post-statuses-controller.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-revisions-controller.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-taxonomies-controller.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-terms-controller.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-users-controller.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-comments-controller.php' );
require( ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-settings-controller.php' );
require( ABSPATH . WPINC . '/rest-api/fields/class-wp-rest-meta-fields.php' );
require( ABSPATH . WPINC . '/rest-api/fields/class-wp-rest-comment-meta-fields.php' );
require( ABSPATH . WPINC . '/rest-api/fields/class-wp-rest-post-meta-fields.php' );
require( ABSPATH . WPINC . '/rest-api/fields/class-wp-rest-term-meta-fields.php' );
require( ABSPATH . WPINC . '/rest-api/fields/class-wp-rest-user-meta-fields.php' );

$GLOBALS['wp_embed'] = new WP_Embed();

// Load multisite-specific files.
if ( is_multisite() ) {
	require( ABSPATH . WPINC . '/ms-functions.php' );
	require( ABSPATH . WPINC . '/ms-default-filters.php' );
	require( ABSPATH . WPINC . '/ms-deprecated.php' );
}

// Define constants that rely on the API to obtain the default value.
// Define must-use plugin directory constants, which may be overridden in the sunrise.php drop-in.
wp_plugin_directory_constants();

$GLOBALS['wp_plugin_paths'] = array();

// Load must-use plugins.
foreach ( wp_get_mu_plugins() as $mu_plugin ) {
	include_once( $mu_plugin );
}
unset( $mu_plugin );

// Load network activated plugins.
if ( is_multisite() ) {
	foreach ( wp_get_active_network_plugins() as $network_plugin ) {
		wp_register_plugin_realpath( $network_plugin );
		include_once( $network_plugin );
	}
	unset( $network_plugin );
}

/**
 * Fires once all must-use and network-activated plugins have loaded.
 *
 * @since 2.8.0
 */
do_action( 'muplugins_loaded' );

if ( is_multisite() )
	ms_cookie_constants(  );

// Define constants after multisite is loaded.
wp_cookie_constants();

// Define and enforce our SSL constants
wp_ssl_constants();

// Create common globals.
require( ABSPATH . WPINC . '/vars.php' );

// Make taxonomies and posts available to plugins and themes.
// @plugin authors: warning: these get registered again on the init hook.
create_initial_taxonomies();
create_initial_post_types();

// Register the default theme directory root
register_theme_directory( get_theme_root() );

// Load active plugins.
foreach ( wp_get_active_and_valid_plugins() as $plugin ) {
	wp_register_plugin_realpath( $plugin );
	include_once( $plugin );
}
unset( $plugin );

// Load pluggable functions.
require( ABSPATH . WPINC . '/pluggable.php' );
require( ABSPATH . WPINC . '/pluggable-deprecated.php' );

// Set internal encoding.
wp_set_internal_encoding();

// Run wp_cache_postload() if object cache is enabled and the function exists.
if ( WP_CACHE && function_exists( 'wp_cache_postload' ) )
	wp_cache_postload();

/**
 * Fires once activated plugins have loaded.
 *
 * Pluggable functions are also available at this point in the loading order.
 *
 * @since 1.5.0
 */
do_action( 'plugins_loaded' );

// Define constants which affect functionality if not already defined.
wp_functionality_constants();

// Add magic quotes and set up $_REQUEST ( $_GET + $_POST )
wp_magic_quotes();

/**
 * Fires when comment cookies are sanitized.
 *
 * @since 2.0.11
 */
do_action( 'sanitize_comment_cookies' );

/**
 * WordPress Query object
 * @global WP_Query $wp_the_query
 * @since 2.0.0
 */
$GLOBALS['wp_the_query'] = new WP_Query();

/**
 * Holds the reference to @see $wp_the_query
 * Use this global for WordPress queries
 * @global WP_Query $wp_query
 * @since 1.5.0
 */
$GLOBALS['wp_query'] = $GLOBALS['wp_the_query'];

/**
 * Holds the WordPress Rewrite object for creating pretty URLs
 * @global WP_Rewrite $wp_rewrite
 * @since 1.5.0
 */
$GLOBALS['wp_rewrite'] = new WP_Rewrite();

/**
 * WordPress Object
 * @global WP $wp
 * @since 2.0.0
 */
$GLOBALS['wp'] = new WP();

/**
 * WordPress Widget Factory Object
 * @global WP_Widget_Factory $wp_widget_factory
 * @since 2.8.0
 */
$GLOBALS['wp_widget_factory'] = new WP_Widget_Factory();

/**
 * WordPress User Roles
 * @global WP_Roles $wp_roles
 * @since 2.0.0
 */
$GLOBALS['wp_roles'] = new WP_Roles();

/**
 * Fires before the theme is loaded.
 *
 * @since 2.6.0
 */
do_action( 'setup_theme' );

// Define the template related constants.
wp_templating_constants(  );

// Load the default text localization domain.
load_default_textdomain();

$locale = get_locale();
$locale_file = WP_LANG_DIR . "/$locale.php";
if ( ( 0 === validate_file( $locale ) ) && is_readable( $locale_file ) )
	require( $locale_file );
unset( $locale_file );

/**
 * WordPress Locale object for loading locale domain date and various strings.
 * @global WP_Locale $wp_locale
 * @since 2.1.0
 */
$GLOBALS['wp_locale'] = new WP_Locale();

/**
 *  WordPress Locale Switcher object for switching locales.
 *
 * @since 4.7.0
 *
 * @global WP_Locale_Switcher $wp_locale_switcher WordPress locale switcher object.
 */
$GLOBALS['wp_locale_switcher'] = new WP_Locale_Switcher();
$GLOBALS['wp_locale_switcher']->init();

// Load the functions for the active theme, for both parent and child theme if applicable.
if ( ! wp_installing() || 'wp-activate.php' === $pagenow ) {
	if ( TEMPLATEPATH !== STYLESHEETPATH && file_exists( STYLESHEETPATH . '/functions.php' ) )
		include( STYLESHEETPATH . '/functions.php' );
	if ( file_exists( TEMPLATEPATH . '/functions.php' ) )
		include( TEMPLATEPATH . '/functions.php' );
}

/**
 * Fires after the theme is loaded.
 *
 * @since 3.0.0
 */
do_action( 'after_setup_theme' );

// Set up current user.
$GLOBALS['wp']->init();

/**
 * Fires after WordPress has finished loading but before any headers are sent.
 *
 * Most of WP is loaded at this stage, and the user is authenticated. WP continues
 * to load on the {@see 'init'} hook that follows (e.g. widgets), and many plugins instantiate
 * themselves on it for all sorts of reasons (e.g. they need a user, a taxonomy, etc.).
 *
 * If you wish to plug an action once WP is loaded, use the {@see 'wp_loaded'} hook below.
 *
 * @since 1.5.0
 */
do_action( 'init' );

// Check site status
if ( is_multisite() ) {
	if ( true !== ( $file = ms_site_check() ) ) {
		require( $file );
		die();
	}
	unset($file);
}

/**
 * This hook is fired once WP, all plugins, and the theme are fully loaded and instantiated.
 *
 * Ajax requests should use wp-admin/admin-ajax.php. admin-ajax.php can handle requests for
 * users not logged in.
 *
 * @link https://codex.wordpress.org/AJAX_in_Plugins
 *
 * @since 3.0.0
 */
do_action( 'wp_loaded' );