WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 4 months ago

#11289 closed defect (bug) (fixed)

Logout Causes Internal Server Error

Reported by: miqrogroove
Owned by:
Milestone: 2.9
Priority: high
Severity: critical
Version: 2.8.4
Component: General
Keywords: has-patch tested
Focuses:
Cc:

Description

In IE I'm seeing a generic HTTP 500 page.

Depending on which other browser I use, I'm seeing one of these two responses:

HTTP/1.1 500 Internal Server Error
WordPress Failure Notice
You are attempting to log out of <site name>
Do you really want to log out?

Or:
You are attempting to log out of <site name>
Please try again.

Attachments (2)

ticket-11289-part1.patch (934 bytes) - added by miqrogroove 7 years ago.
Fixes broken function wp_nonce_ays()
ticket-11289-full.patch (2.8 KB) - added by miqrogroove 7 years ago.
Fixes broken patch from #8942 and broken function wp_nonce_ays()

Change History (10)

#1 @miqrogroove
7 years ago

This might need to be split into multiple tickets.

IE is apparently hiding the "Do you really want to log out" link, which makes the nonce system more of a liability than a helpful security measure. A user unable to log out may be in worse shape than a user unintentionally logged out.

WordPress fails to even provide a nonce in some cases. The "Please try again" link references the previous page, with no nonce or explanation of what happened.

@miqrogroove
7 years ago

Fixes broken function wp_nonce_ays()

#2 @miqrogroove
7 years ago

I had to use HTTPSniffer to get an idea of what else is happening. At random intervals, WordPress dies at the TITLE element, and there is no output after that. o_O

#3 @miqrogroove
7 years ago

The patch from #8942 fails when certain chunk sizes are emitted after Transfer-Encoding: chunked. Random string output must be moved before any inline function calls to prevent chunking.

@miqrogroove
7 years ago

Fixes broken patch from #8942 and broken function wp_nonce_ays()

#4 @miqrogroove
7 years ago

  • Keywords has-patch tested added

Patched files tested extensively on IE6 to eliminate the random "friendly errors", internal server errors, and missing nonces. Concerns with other browsers boiled down to whether or not a Referer header was sent because I was clicking links vs. pasting URLs in the address bar.

#5 @ryan
7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12309]) Fix wp_nonce_ays() for log-out case. Fix IE6 padding. Props miqrogroove. fixes #11289
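
The behaviour this ticket's fix addresses, sketched as an added example that is not part of the ticket or of WordPress core: when the log-out nonce check fails, the failure page links to a log-out URL carrying a fresh nonce, and the body is padded so a short 500 response is not replaced by the browser's own error page. The function names, the `/logout?nonce=` URL, the secret, the tick length and the 512-byte threshold are assumptions.

```php
<?php
// Added example; every name and constant here is hypothetical, not WordPress code.
const SECRET = 'constructed-demo-secret'; // constructed value
const TICK_SECONDS = 43200;               // assumed lifetime of one nonce tick
const MIN_BODY_BYTES = 512;               // assumed size below which IE shows its own error page

// Nonce = truncated HMAC over the time tick, the action and the session token.
function make_nonce(string $action, string $session, int $now): string {
    $tick = intdiv($now, TICK_SECONDS);
    return substr(hash_hmac('sha256', "$tick|$action|$session", SECRET), 0, 16);
}

// Accept the current and the previous tick so a nonce survives a tick boundary.
function verify_nonce(string $nonce, string $action, string $session, int $now): bool {
    foreach ([0, 1] as $age) {
        if (hash_equals(make_nonce($action, $session, $now - $age * TICK_SECONDS), $nonce)) {
            return true;
        }
    }
    return false;
}

// Failure page for the log-out action. The confirmation link carries a fresh
// nonce, and the body is built as one string and padded to MIN_BODY_BYTES.
function logout_failure_page(string $site, string $session, int $now): string {
    $url = '/logout?nonce=' . rawurlencode(make_nonce('log-out', $session, $now));
    $body = '<html><head><title>Failure Notice</title></head><body>'
          . '<p>You are attempting to log out of ' . htmlspecialchars($site, ENT_QUOTES) . '</p>'
          . '<p>Do you really want to <a href="' . htmlspecialchars($url, ENT_QUOTES) . '">log out</a>?</p>'
          . '</body></html>';
    $missing = MIN_BODY_BYTES - strlen($body);
    return $missing > 0 ? $body . '<!-- ' . str_repeat('x', $missing) . ' -->' : $body;
}

// Returns [status, body]. A missing or invalid nonce never logs the user out,
// but the response always offers a working way to finish the log-out.
function handle_logout(array $query, string $site, string $session, int $now): array {
    $nonce = $query['nonce'] ?? '';
    if (is_string($nonce) && verify_nonce($nonce, 'log-out', $session, $now)) {
        return [302, 'logged out'];
    }
    return [500, logout_failure_page($site, $session, $now)];
}

// Constructed run: a request without a nonce, then the link from the failure page.
[$status, $page] = handle_logout([], 'Example Blog', 'sess-abc', 1000000);
preg_match('/nonce=([0-9a-f]+)/', $page, $m);
$retry = handle_logout(['nonce' => $m[1]], 'Example Blog', 'sess-abc', 1000000);
printf("first: %d (%d bytes), retry: %d\n", $status, strlen($page), $retry[0]);
```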

#6 @azizur
6 years ago

  • Cc azizur added

I just got this same error using trunk version on Firefox 3.6.10.

#7 follow-up: @GaryJ
5 years ago

Is the padding fix still needed for the currently supported set of browsers?

#8 in reply to: ↑ 7 @rfair404
4 months ago

Replying to GaryJ:

> Is the padding fix still needed for the currently supported set of browsers?

I don't think so: submitted a new ticket here to remove this: #37551
