Make WordPress Core

Opened 15 years ago

Closed 15 years ago

Last modified 8 years ago

#11289 closed defect (bug) (fixed)

Logout Causes Internal Server Error

Reported by: miqrogroove
Owned by:
Milestone: 2.9
Priority: high
Severity: critical
Version: 2.8.4
Component: General
Keywords: has-patch tested
Focuses:
Cc:

Description

In IE I'm seeing a generic HTTP 500 page.

Depending on which other browser I use, I'm seeing one of these two responses:

HTTP/1.1 500 Internal Server Error
WordPress Failure Notice
You are attempting to log out of <site name>
Do you really want to log out?

Or:
You are attempting to log out of <site name>
Please try again.

Attachments (2)

ticket-11289-part1.patch (934 bytes) - added by miqrogroove 15 years ago.
Fixes broken function wp_nonce_ays()
ticket-11289-full.patch (2.8 KB) - added by miqrogroove 15 years ago.
Fixes broken patch from #8942 and broken function wp_nonce_ays()


Change History (10)

#1 @miqrogroove
15 years ago

This might need to be split into multiple tickets.

IE is apparently hiding the "Do you really want to log out" link, which makes the nonce system more of a liability than a helpful security measure. A user unable to log out may be in worse shape than a user unintentionally logged out.

WordPress fails to even provide a nonce in some cases. The "Please try again" link references the previous page, with no nonce or explanation of what happened.

@miqrogroove
15 years ago

Fixes broken function wp_nonce_ays()

#2 @miqrogroove
15 years ago

I had to use HTTPSniffer to get an idea of what else is happening. At random intervals, WordPress dies at the TITLE element, and there is no output after that. o_O

#3 @miqrogroove
15 years ago

The patch from #8942 fails when certain chunk sizes are emitted after Transfer-Encoding: chunked. Random string output must be moved before any inline function calls to prevent chunking.

@miqrogroove
15 years ago

Fixes broken patch from #8942 and broken function wp_nonce_ays()

#4 @miqrogroove
15 years ago

  • Keywords has-patch tested added

Patched files tested extensively on IE6 to eliminate the random "friendly errors", internal server errors, and missing nonces. Concerns with other browsers boiled down to whether or not a Referer header was sent because I was clicking links vs. pasting URLs in the address bar.

#5 @ryan
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12309]) Fix wp_nonce_ays() for log-out case. Fix IE6 padding. Props miqrogroove. fixes #11289
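
The failure mode from comment 1 next to a confirmation page that always carries a fresh nonce, as an added example: this is a stand-alone PHP model, not WordPress code and not the patches attached to this ticket. `SECRET`, `TICK`, the three functions and the 403 status are assumptions of the sketch; `_wpnonce` and the `log-out` action follow the names WordPress uses.

```php
<?php
// Added illustration: stand-alone model, not WordPress code.
const SECRET = 'constructed-demo-secret'; // assumption: per-site secret key
const TICK   = 43200;                     // assumption: 12-hour nonce window

// Nonce bound to user, action and time window.
function make_nonce(string $user, string $action, ?int $now = null): string {
    $tick = intdiv($now ?? time(), TICK);
    return substr(hash_hmac('sha256', "$tick|$action|$user", SECRET), 0, 10);
}

// Accept the current or previous window; compare in constant time.
function verify_nonce(string $nonce, string $user, string $action): bool {
    $now = time();
    foreach ([$now, $now - TICK] as $t) {
        if (hash_equals(make_nonce($user, $action, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Returns [status, body]. $fresh_link selects the corrected failure page.
function handle_logout(array $query, string $user, string $referer, bool $fresh_link): array {
    if (verify_nonce((string) ($query['_wpnonce'] ?? ''), $user, 'log-out')) {
        return [302, 'Location: /wp-login.php?loggedout=true'];
    }
    if ($fresh_link) {
        // Confirmation link carries a newly issued nonce, so one click completes the logout.
        $url  = '/wp-login.php?action=logout&_wpnonce=' . make_nonce($user, 'log-out');
        $body = 'Do you really want to <a href="' . htmlspecialchars($url) . '">log out</a>?';
    } else {
        // Failure mode from comment 1: link back to the previous page, no nonce.
        $body = '<a href="' . htmlspecialchars($referer) . '">Please try again.</a>';
    }
    return [403, $body]; // status is this model's choice
}

// Constructed requests: a logout URL pasted without a nonce, then the confirmation link.
$user = 'demo-user';
[, $dead_end] = handle_logout([], $user, '/wp-admin/', false);
[, $confirm]  = handle_logout([], $user, '/wp-admin/', true);
preg_match('/_wpnonce=([0-9a-f]+)/', $confirm, $m);
[$status] = handle_logout(['_wpnonce' => $m[1]], $user, '/wp-admin/', true);
echo $dead_end, "\n", $confirm, "\n", $status, "\n";
```

The first line printed is the dead-end link with no nonce, the second is the confirmation link, and the third is the 302 returned once that link is followed.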

#6 @azizur
14 years ago

  • Cc azizur added

I just got this same error using trunk version on Firefox 3.6.10.

#7 follow-up: @GaryJ
12 years ago

Is the padding fix still needed for the currently supported set of browsers?

#8 in reply to: ↑ 7 @rfair404
8 years ago

Replying to GaryJ:

> Is the padding fix still needed for the currently supported set of browsers?

I don't think so: submitted a new ticket here to remove this: #37551
