WordPress.org

Make WordPress Core

Changeset 50471 for trunk


Ignore:
Timestamp:
03/02/2021 03:06:34 PM (7 weeks ago)
Author:
SergeyBiryukov
Message:

Security, Site Health: Do not store HTTPS request error messages in an option.

This changes the logic in update_https_detection_errors() to never store error messages from the actual request since they could use a different encoding, which would make storing them in an option potentially fail, leading WordPress to then falsely assume that HTTPS is supported.

While this doesn't actually fix the encoding issue, it is not crucial to do so anyway, since these messages are not used anywhere. A simple differentiation between whether the overall HTTPS request or only the SSL verification failed should be sufficient for the purpose of this function.

Props flixos90, tmatsuur, lukecarbis.
Fixes #52484.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/https-detection.php

    r50391 r50471  
    131131        if ( is_wp_error( $unverified_response ) ) {
    132132            $support_errors->add(
    133                 $unverified_response->get_error_code(),
    134                 $unverified_response->get_error_message()
     133                'https_request_failed',
     134                __( 'HTTPS request failed.' )
    135135            );
    136136        } else {
    137137            $support_errors->add(
    138138                'ssl_verification_failed',
    139                 $response->get_error_message()
     139                __( 'SSL verification failed.' )
    140140            );
    141141        }
  • trunk/tests/phpunit/tests/https-detection.php

    r50391 r50471  
    5757    /**
    5858     * @ticket 47577
     59     * @ticket 52484
    5960     */
    6061    public function test_wp_update_https_detection_errors() {
     
    6970
    7071        // If initial request fails and request without SSL verification succeeds,
    71         // return error with 'ssl_verification_failed' error code.
     72        // return 'ssl_verification_failed' error.
    7273        add_filter( 'pre_http_request', array( $this, 'mock_error_with_sslverify' ), 10, 2 );
    7374        add_filter( 'pre_http_request', array( $this, 'mock_success_without_sslverify' ), 10, 2 );
    7475        wp_update_https_detection_errors();
    7576        $this->assertSame(
    76             array( 'ssl_verification_failed' => array( 'Bad SSL certificate.' ) ),
     77            array( 'ssl_verification_failed' => array( __( 'SSL verification failed.' ) ) ),
    7778            get_option( 'https_detection_errors' )
    7879        );
    7980
    8081        // If both initial request and request without SSL verification fail,
    81         // return actual error from request.
     82        // return 'https_request_failed' error.
    8283        add_filter( 'pre_http_request', array( $this, 'mock_error_with_sslverify' ), 10, 2 );
    8384        add_filter( 'pre_http_request', array( $this, 'mock_error_without_sslverify' ), 10, 2 );
    8485        wp_update_https_detection_errors();
    8586        $this->assertSame(
    86             array( 'bad_ssl_certificate' => array( 'Bad SSL certificate.' ) ),
     87            array( 'https_request_failed' => array( __( 'HTTPS request failed.' ) ) ),
    8788            get_option( 'https_detection_errors' )
    8889        );
Note: See TracChangeset for help on using the changeset viewer.