Timestamp:
09/22/2023 07:06:45 PM (10 months ago)
Author:
adamsilverstein
Message:

Security: remove the cron event that checked for https support.

Fix an issue where a cron job ran every 12 hours to check for https support - even when https support was already enabled. The check is now run only when the user visits the Site Health page. Reducing the unneeded requests lowers the impact and load of hosting WordPress sites.

The wp_update_https_detection_errors function is deprecated and the https_detection_errors option that was previously set by the cron job is no longer maintained. The pre_wp_update_https_detection_errors filter is deprecated and replaced by the pre_wp_get_https_detection_errors filter which serves the same function.

Props audrasjb, johnbillion, Michi91.
Fixes #58494.

File:
1 edited

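--- a/trunk/tests/phpunit/tests/https-detection.php
+++ b/trunk/tests/phpunit/tests/https-detection.php
@@ -53,120 +53,4 @@
         update_option( 'https_detection_errors', $wp_error->errors );
         $this->assertFalse( wp_is_https_supported() );
-    }
-
-    /**
-     * @ticket 47577
-     * @ticket 52484
-     */
-    public function test_wp_update_https_detection_errors() {
-        // Set HTTP URL, the request below should use its HTTPS version.
-        update_option( 'home', 'http://example.com/' );
-        add_filter( 'pre_http_request', array( $this, 'record_request_url' ), 10, 3 );
-
-        // If initial request succeeds, all good.
-        add_filter( 'pre_http_request', array( $this, 'mock_success_with_sslverify' ), 10, 2 );
-        wp_update_https_detection_errors();
-        $this->assertSame( array(), get_option( 'https_detection_errors' ) );
-
-        // If initial request fails and request without SSL verification succeeds,
-        // return 'ssl_verification_failed' error.
-        add_filter( 'pre_http_request', array( $this, 'mock_error_with_sslverify' ), 10, 2 );
-        add_filter( 'pre_http_request', array( $this, 'mock_success_without_sslverify' ), 10, 2 );
-        wp_update_https_detection_errors();
-        $this->assertSame(
-            array( 'ssl_verification_failed' => array( __( 'SSL verification failed.' ) ) ),
-            get_option( 'https_detection_errors' )
-        );
-
-        // If both initial request and request without SSL verification fail,
-        // return 'https_request_failed' error.
-        add_filter( 'pre_http_request', array( $this, 'mock_error_with_sslverify' ), 10, 2 );
-        add_filter( 'pre_http_request', array( $this, 'mock_error_without_sslverify' ), 10, 2 );
-        wp_update_https_detection_errors();
-        $this->assertSame(
-            array( 'https_request_failed' => array( __( 'HTTPS request failed.' ) ) ),
-            get_option( 'https_detection_errors' )
-        );
-
-        // If request succeeds, but response is not 200, return error with
-        // 'bad_response_code' error code.
-        add_filter( 'pre_http_request', array( $this, 'mock_not_found' ), 10, 2 );
-        wp_update_https_detection_errors();
-        $this->assertSame(
-            array( 'bad_response_code' => array( 'Not Found' ) ),
-            get_option( 'https_detection_errors' )
-        );
-
-        // If request succeeds, but response was not generated by this
-        // WordPress site, return error with 'bad_response_source' error code.
-        add_filter( 'pre_http_request', array( $this, 'mock_bad_source' ), 10, 2 );
-        wp_update_https_detection_errors();
-        $this->assertSame(
-            array( 'bad_response_source' => array( 'It looks like the response did not come from this site.' ) ),
-            get_option( 'https_detection_errors' )
-        );
-
-        // Check that the requests are made to the correct URL.
-        $this->assertSame( 'https://example.com/', $this->last_request_url );
-    }
-
-    /**
-     * @ticket 47577
-     */
-    public function test_pre_wp_update_https_detection_errors() {
-        // Override to enforce no errors being detected.
-        add_filter(
-            'pre_wp_update_https_detection_errors',
-            static function () {
-                return new WP_Error();
-            }
-        );
-        wp_update_https_detection_errors();
-        $this->assertSame( array(), get_option( 'https_detection_errors' ) );
-
-        // Override to enforce an error being detected.
-        add_filter(
-            'pre_wp_update_https_detection_errors',
-            static function () {
-                return new WP_Error(
-                    'ssl_verification_failed',
-                    'Bad SSL certificate.'
-                );
-            }
-        );
-        wp_update_https_detection_errors();
-        $this->assertSame(
-            array( 'ssl_verification_failed' => array( 'Bad SSL certificate.' ) ),
-            get_option( 'https_detection_errors' )
-        );
-    }
-
-    /**
-     * @ticket 47577
-     */
-    public function test_wp_schedule_https_detection() {
-        wp_schedule_https_detection();
-        $this->assertSame( 'twicedaily', wp_get_schedule( 'wp_https_detection' ) );
-    }
-
-    /**
-     * @ticket 47577
-     */
-    public function test_wp_cron_conditionally_prevent_sslverify() {
-        // If URL is not using HTTPS, don't set 'sslverify' to false.
-        $request = array(
-            'url'  => 'http://example.com/',
-            'args' => array( 'sslverify' => true ),
-        );
-        $this->assertSame( $request, wp_cron_conditionally_prevent_sslverify( $request ) );
-
-        // If URL is using HTTPS, set 'sslverify' to false.
-        $request                       = array(
-            'url'  => 'https://example.com/',
-            'args' => array( 'sslverify' => true ),
-        );
-        $expected                      = $request;
-        $expected['args']['sslverify'] = false;
-        $this->assertSame( $expected, wp_cron_conditionally_prevent_sslverify( $request ) );
     }
 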