Worthwhile to restrict direct access of theme files?

Usually, you don’t need it. But … there is at least one edge case:

  • If a theme file is a template part,
  • and it is using global variables from the calling context (parent file),
  • and register_globals is on,
  • and it is just using these variables without any security check …

… an attacker can call this file, set the missing variables with GET or POST and make the theme file print those out. And then there is a security problem.

So … the best option is not a context check like the one from your example, but good code: avoid global variables, check their content before you print it out.

Related Posts:

  1. Worthwhile to restrict direct access of theme files?
  2. Should `get_template_directory_uri()` be escaped?
  3. Is it good to rename theme folder downloaded from WordPress.org?
  4. How to sanitize select box values in post meta?
  5. When to use esc_url, esc_html, esc_attr, and friends?
  6. Where i should not use if (!defined(‘ABSPATH’)) { exit; }?
  7. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  8. Is it safe to enqueue a font style without putting http or https?
  9. Using esc_url with a hard coded url
  10. What is the safe way to print tracking code / pixel code before tag or tag
  11. Underscore Based Theme File Permissions in Git
  12. correct tags for validating input types
  13. How to escape multiple attribute at once in WordPress?
  14. Contact Form Security
  15. Do I need to escape get_the_post_thumbnail function?
  16. Strict Folder and File Permissions for WordPress Themes Folder
  17. hide theme files for admin beneath root
  18. Should we escape the values of constants?
  19. If necessary, how should wp_get_attachment_image() and its parameters be escaped?
  20. How do I add version control to my workflow?
  21. Using classes instead of global functions in functions.php
  22. Child Theme vs Duplicate Theme Renamed
  23. Setting multiple default background images?
  24. How to make a theme with more than one CSS file?
  25. Is it feasible to build and update a WordPress website offline?
  26. Theme Review: post thumbnail, header image, content width
  27. How to determine if a category is empty?
  28. The seventh parameter passed to add_submenu_page()
  29. What would happen if the admin installs a plugin when the plugin is included in the theme?
  30. How do I get my child-theme to work with my theme’s includes folder?
  31. wp_insert_post breaks rewrite rules
  32. Where can I find a good reviewed collection of Twenty Ten child themes?
  33. how to create theme based widget that can be drop in sider bar or footer
  34. CSS in child theme not overriding the parent theme [closed]
  35. Template Hierarchy for get_header()
  36. Remove frameborder attribute from iframes
  37. how do I get a sidebar’s id or number for use with is_active_sidebar()
  38. Looking for the code in twentyten that allows users to select images for the header/banner
  39. WordPress as a data intensive web app
  40. How to determine which custom header image is being shown
  41. using wordpress without javascript
  42. Theme Check: Could not find post_class
  43. Override theme programmatically
  44. Custom URL parameters in template files
  45. How do I remove TinyMCE text format
  46. can’t understand _e function well
  47. WP 3.1 upgrade breaks AutoFocus+ theme
  48. Change content layout based on menu hierarchy
  49. Theme Loading Into Dashboard
  50. How to make theme elements customizable in wordpress?
  51. How to filter or remove the “title” attribute from category links
  52. Change “Thumbnail”, “Medium” and “Large” image sizes using functions.php?
  53. How to obtain a reference to the_excerpt() from custom loop
  54. defining a folder location in order to recall it
  55. Remove CPT slug from URL WordPress
  56. JavaScript stops working on selectively refreshed sections one inside the other
  57. Why doesn’t my css work when I check my theme on mobile devices? [closed]
  58. WooCommerce: multiple input field for multiple product variations
  59. Where WordPress Stores The Custom Fields Values
  60. How to unset a set query variable?
  61. Theming Using Bootstrap Glyphicons and WordPress Dashicons
  62. Overide enqueue in non plugable function via child theme
  63. Overrride buddypress theme function [closed]
  64. Custom Post Type Query issue
  65. WP_editor doesnt apply wpautop on single line content
  66. Starting point for custom Themes [closed]
  67. How to order by multiple date meta_values?
  68. How to safely return the HTML?
  69. How do I modify the ‘more’ link in a feed
  70. Create something that can be added or removed in Customizer
  71. Menu dispareing when visititing current page [closed]
  72. I need to develop a one-page design
  73. index.php file in wp-content/themes/ folder
  74. WordPress dashboard
  75. Implementing HTML/CSS menu in WordPress theme
  76. show_option_none not working in meta box
  77. Is there a template tag I can use to link to the archive page corresponding to the month that a post was published on?
  78. Hide/disable sidebar using shortcode?
  79. Where are the options “template” and “current_theme” derived from
  80. How do I open a post in a custom page in wordpress?
  81. A Reviews Page is Showing root Index.php instead of Template-Page
  82. Pages not displaying as sections on static page
  83. How to test another theme in a live WordPress website instead of live preview?
  84. custom js script is not loading
  85. Template for front page (latest posts)
  86. Theme option page doesn’t save options
  87. Can’t upload images on new theme
  88. footer menu changes primary menu
  89. Primary Menu Showing All Pages With No Sub-Nav
  90. wp_update_comment not working
  91. WordPress 3.9 two menus in same position?
  92. Image load issue with custom page template on Internet Explorer
  93. Custom widgets in theme option page
  94. Showcase your wordpress themes [closed]
  95. Develop theme with demo default content, programmatically create pages
  96. the_author() str_replace error
  97. Block to show posts from same category
  98. How can I enforce user to use Application password to generate JWT token? [closed]
  99. Only show read more text when when wp:post-excerpt meets excerptLength
  100. Which is recommended to learn first: classic themes or block themes?

Leave a Comment