Opened 5 years ago

Closed 5 years ago

Last modified 3 years ago

#11289 closed defect (bug) (fixed)

Logout Causes Internal Server Error

Reported by: miqrogroove
Owned by:
Milestone: 2.9
Priority: high
Severity: critical
Version: 2.8.4
Component: General
Keywords: has-patch tested
Focuses:
Cc:

Description

In IE I'm seeing a generic HTTP 500 page.

Depending on which other browser I use, I'm seeing one of these two responses:

HTTP/1.1 500 Internal Server Error
WordPress Failure Notice
You are attempting to log out of <site name>
Do you really want to log out?

Or:
You are attempting to log out of <site name>
Please try again.

Attachments (2)

ticket-11289-part1.patch (934 bytes) - added by miqrogroove 5 years ago.
Fixes broken function wp_nonce_ays()
ticket-11289-full.patch (2.8 KB) - added by miqrogroove 5 years ago.
Fixes broken patch from #8942 and broken function wp_nonce_ays()


Change History (9)

comment:1 @miqrogroove 5 years ago

This might need to be split into multiple tickets.

IE is apparently hiding the "Do you really want to log out" link, which makes the nonce system more of a liability than a helpful security measure. A user unable to log out may be in worse shape than a user unintentionally logged out.

WordPress fails to even provide a nonce in some cases. The "Please try again" link references the previous page, with no nonce or explanation of what happened.
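The behaviour this comment asks for, as an added example that is not WordPress core code or the attached patch: when the nonce check on a logout request fails, the failure page offers a confirmation link that carries a fresh nonce, and other actions get a retry link only when a same-host Referer is known. Every `demo_*` name, the secret, the host, the lifetime and the sample values are assumptions made for the illustration.

```php
<?php
// Added illustration, not WordPress core code; every demo_* name is hypothetical.
const DEMO_SECRET   = 'constructed-demo-secret'; // constructed value
const DEMO_HOST     = 'example.test';            // constructed site host
const DEMO_LIFETIME = 86400;                     // assumed nonce lifetime in seconds

// Nonce bound to a time bucket, the action and the user.
function demo_nonce(string $action, int $user_id, int $now, int $age = 0): string {
    $tick = (int) ceil($now / (DEMO_LIFETIME / 2)) - $age;
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", DEMO_SECRET), 0, 10);
}

// Accept the current or the previous bucket, compared in constant time.
function demo_verify(string $nonce, string $action, int $user_id, int $now): bool {
    return hash_equals(demo_nonce($action, $user_id, $now), $nonce)
        || hash_equals(demo_nonce($action, $user_id, $now, 1), $nonce);
}

// Body of the page shown when the nonce check fails.
function demo_failure_body(string $action, int $user_id, string $site, ?string $referer, int $now): string {
    if ($action === 'log-out') {
        // Log-out case: the link carries a fresh nonce, so one deliberate click completes it.
        $url = '/wp-login.php?action=logout&_wpnonce=' . demo_nonce('log-out', $user_id, $now);
        return '<p>You are attempting to log out of ' . htmlspecialchars($site) . '</p>'
            . '<p><a href="' . htmlspecialchars($url) . '">Do you really want to log out?</a></p>';
    }
    $html = '<p>The request could not be verified.</p>'; // constructed wording
    // Offer a retry link only when the Referer points back at this site.
    if ($referer !== null && parse_url($referer, PHP_URL_HOST) === DEMO_HOST) {
        $html .= '<p><a href="' . htmlspecialchars($referer) . '">Please try again.</a></p>';
    }
    return $html;
}

// Constructed scenario: a logout request arrives with no nonce and no Referer.
$now     = 1260000000; // constructed timestamp
$user_id = 7;          // constructed user id
$sent    = '';         // the request carried no _wpnonce parameter

if (!demo_verify($sent, 'log-out', $user_id, $now)) {
    $body = demo_failure_body('log-out', $user_id, 'Example Site', null, $now);
    echo $body, "\n";
    // The nonce embedded in the confirmation link must pass the same check.
    preg_match('/_wpnonce=([0-9a-f]{10})/', $body, $m);
    echo 'confirmation link verifies: ',
        var_export(demo_verify($m[1], 'log-out', $user_id, $now), true), "\n";
}
```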

@miqrogroove 5 years ago

Fixes broken function wp_nonce_ays()

comment:2 @miqrogroove 5 years ago

I had to use HTTPSniffer to get an idea of what else is happening. At random intervals, WordPress dies at the TITLE element, and there is no output after that. o_O

comment:3 @miqrogroove 5 years ago

The patch from #8942 fails when certain chunk sizes are emitted after Transfer-Encoding: chunked. Random string output must be moved before any inline function calls to prevent chunking.

@miqrogroove 5 years ago

Fixes broken patch from #8942 and broken function wp_nonce_ays()

comment:4 @miqrogroove 5 years ago

  • Keywords has-patch tested added

Patched files tested extensively on IE6 to eliminate the random "friendly errors", internal server errors, and missing nonces. Concerns with other browsers boiled down to whether or not a Referer header was sent because I was clicking links vs. pasting URLs in the address bar.

comment:5 @ryan 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12309]) Fix wp_nonce_ays() for log-out case. Fix IE6 padding. Props miqrogroove. fixes #11289

comment:6 @azizur 5 years ago

  • Cc azizur added

I just got this same error using trunk version on Firefox 3.6.10.

comment:7 @GaryJ 3 years ago

Is the padding fix still needed for the currently supported set of browsers?
