Make WordPress Core

Changeset 50075


Ignore:
Timestamp:
01/29/2021 07:58:39 PM (4 years ago)
Author:
flixos90
Message:

Security: Allow short-circuiting the wp_update_https_detection_errors() process.

This changeset introduces a pre_wp_update_https_detection_errors filter which can be used to short-circuit the default logic for detecting problems with HTTPS support for the site, by returning a WP_Error object.

Props timothyblynjacobs.
See #47577.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/https-detection.php

    r50072 r50075  
    8989 */
    9090function wp_update_https_detection_errors() {
     91    /**
     92     * Short-circuits the process of detecting errors related to HTTPS support.
     93     *
     94     * Returning a `WP_Error` from the filter will effectively short-circuit the default logic of trying a remote
     95     * request to the site over HTTPS, storing the errors array from the returned `WP_Error` instead.
     96     *
     97     * @since 5.7.0
     98     *
     99     * @param null|WP_Error $pre Error object to short-circuit detection,
     100     *                           or null to continue with the default behavior.
     101     */
     102    $support_errors = apply_filters( 'pre_wp_update_https_detection_errors', null );
     103    if ( is_wp_error( $support_errors ) ) {
     104        update_option( 'https_detection_errors', $support_errors->errors );
     105        return;
     106    }
     107
    91108    $support_errors = new WP_Error();
    92109
  • trunk/tests/phpunit/tests/https-detection.php

    r50072 r50075  
    108108        // Check that the requests are made to the correct URL.
    109109        $this->assertEquals( 'https://example.com/', $this->last_request_url );
     110    }
     111
     112    /**
     113     * @ticket 47577
     114     */
     115    public function test_pre_wp_update_https_detection_errors() {
     116        // Override to enforce no errors being detected.
     117        add_filter(
     118            'pre_wp_update_https_detection_errors',
     119            function() {
     120                return new WP_Error();
     121            }
     122        );
     123        wp_update_https_detection_errors();
     124        $this->assertEquals( array(), get_option( 'https_detection_errors' ) );
     125
     126        // Override to enforce an error being detected.
     127        add_filter(
     128            'pre_wp_update_https_detection_errors',
     129            function() {
     130                return new WP_Error(
     131                    'ssl_verification_failed',
     132                    'Bad SSL certificate.'
     133                );
     134            }
     135        );
     136        wp_update_https_detection_errors();
     137        $this->assertEquals(
     138            array( 'ssl_verification_failed' => array( 'Bad SSL certificate.' ) ),
     139            get_option( 'https_detection_errors' )
     140        );
    110141    }
    111142
Note: See TracChangeset for help on using the changeset viewer.