Opened 5 years ago

Last modified 5 days ago

#28630 new defect (bug)

wordpress "check for updates" fails silently behind proxy server with https POST 501 Error

Reported by: manikb
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 3.8.1
Component: Upgrade/Install
Keywords: needs-patch
Focuses: administration
Cc:
PR Number:

Description

I was running WordPress 3.8.1 on a webserver inside a LAN where WordPress needs to use a proxy to access the web. This is taken care of by defining WP_PROXY_HOST and WP_PROXY_PORT in wp-config.php, so WordPress and plugins worked correctly.

When checking the dashboard for updates, WordPress and all plugins were always shown as up-to-date even as WP 3.9 and 3.9.1 were out.
I checked the network traffic when forcing an update check, and it turns out that in wp-includes/update.php, if SSL is available, the URL used to check for updates is transformed from an http URL to an https URL. This happens in three places, e.g.:

$url = $http_url = 'http://api.wordpress.org/themes/update-check/1.1/';
if ( $ssl = wp_http_supports( array( 'ssl' ) ) )
    $url = set_url_scheme( $url, 'https' );

Thus a HTTPS POST request is sent, and the proxy we have here (Squid) answers with an error 501 “Unsupported Request Method and Protocol”

It seems HTTP GET and POST work, I know HTTPS GET works with the proxy, but not HTTPS POST from WP.

After that, WP displays that everything is up-to-date, no error message, even with WP_DEBUG set to true.

I commented out the lines that switch to SSL if it is available, and everything worked fine: the updates were detected and installed with no further problem.
Unfortunately my 'fix' isn't one as I will have to do it again after each WP update.

Fixing this:

  • At the minimum: If the update check fails (error 501 here) WP should NOT say there is no update, but display an error message to let the user know there may be updates available but that it could not check for them (displaying the error itself would be even better).
  • Better: Maybe this is due to the way WP connects to the server using the proxy, as Squid should work with HTTPS POST (at least it does from my browser). It seems a similar problem is described in http://www.perlmonks.org/?node_id=78114 and is due to the connection: apparently it should be: create TCP connection to proxy, send "CONNECT xyz\r\n", and only then establish SSL connection. If this can be fixed in proxy support for https (not sure this is the problem), that's the best solution.
  • Fast and insecure fix: There could be a way (a wp-config var?) to disable SSL when checking for updates but there are security implications as I assume SSL is used to confirm that the server is getting the updates from a legitimate WP server.
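
The connection order from the second bullet and the "do not report up-to-date on failure" rule from the first, as an added Python example (not WordPress code and not from this ticket). The function names and the two sample proxy replies are constructed for illustration.

```python
import socket
import ssl

class UpdateCheckError(Exception):
    """The check could not run; callers must not report 'up to date'."""

# Constructed sample proxy replies (not captured from a real Squid).
REPLY_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
REPLY_501 = b"HTTP/1.1 501 Not Implemented\r\nServer: squid\r\n\r\n"

def build_connect(host, port=443):
    # Sent in cleartext to the proxy before any TLS bytes.
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")

def require_tunnel(raw):
    """Return the 2xx status of the proxy's CONNECT reply, else raise."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise UpdateCheckError(f"malformed proxy reply: {status_line[:60]!r}")
    status = int(parts[1])
    if not 200 <= status < 300:
        raise UpdateCheckError(f"proxy refused CONNECT with status {status}")
    return status

def open_tls_via_proxy(proxy_host, proxy_port, host, port=443, timeout=10):
    """TCP to proxy -> CONNECT -> TLS handshake with the origin host."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect(host, port))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
        require_tunnel(reply)
        ctx = ssl.create_default_context()  # verifies chain and hostname
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise

def dashboard_state(raw_reply):
    """Hypothetical status mapper: a failed check is surfaced, never hidden."""
    try:
        require_tunnel(raw_reply)
    except UpdateCheckError as exc:
        return f"update check failed: {exc}"
    return "tunnel ready"
```

Because the TLS handshake runs end to end inside the tunnel, the proxy never sees the POST itself and certificate verification still applies to api.wordpress.org.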

Change History (7)

#1 @tellyworth
5 years ago

  • Version changed from trunk to 3.8.1

#2 @DrewAPicture
5 years ago

  • Component changed from General to Upgrade/Install

#3 @paulosborne
5 years ago

  • Severity changed from normal to major

Hi,

I can confirm that I am seeing the same issues and have done for a while, certainly from 3.9.1 onwards which fundamentally means that some users (particularly behind Squid proxies) are effectively unable to update core, plugins or themes in the normal manner.

Commenting 9 lines of code (the 3 instances) is certainly a temporary fix, but is not optimal as when a WP upgrade takes place this will get trampled.

I do have an alternative suggestion and that is to make these three URL scheme re-writes sit behind a configuration option, such as WP_PROXY_SUPPORTS_HTTPS_POST; so at least then it is a configurable option.

Is there any timescale on a permanent fix for this?

Thanks

Paul

#4 @manikb
5 years ago

Someone told me (don't remember who) that installing php-curl would solve this as WordPress will use curl to connect if it is available on the server, and curl will correctly use the proxy.
I installed php-curl but there has been no WordPress update since then, so I cannot confirm if it works.

#5 @paulosborne
5 years ago

Hi,

Aha!

Having tested this on another WordPress installation I can confirm that installing php5-curl enables updating to work for themes/plugins/core.

Perhaps a check could/should be put in place in WP to throw an error if php5-curl is not installed, or at the least a note in the documentation saying that it is recommended?

Many thanks

Paul

#6 @chriscct7
4 years ago

  • Focuses administration added
  • Keywords needs-patch added

#7 @xani666
5 days ago

Still happens in latest version and on PHP 7.3
