Opened 3 years ago

Closed 5 months ago

Last modified 5 months ago

#37266 closed defect (bug) (invalid)

AJAX uploads fail to complete successfully when a cookie named "action" exists

Reported by: pembo13
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.5.3
Component: Administration
Keywords:
Focuses:
Cc:

Description (last modified by desrosj)

When a user has a cookie named "action", AJAX uploads to /wp-admin/async-upload.php fail to define DOING_AJAX because the check 'upload-attachment' === $_REQUEST['action'] fails, since $_REQUEST includes $_COOKIE.

As a result, calling wp_die() at the end of wp_ajax_upload_attachment() results in the standard WordPress error HTML being appended to the response, and an HTTP 500 error code being returned.

I'm currently seeing this being triggered by the "Calls To Action" plugin. See http://support.inboundnow.com/support/topic/calls-to-action-breaking-wordpress-image-upload/

This probably affects all versions of WordPress.

Change History (3)

#1 @pembo13
3 years ago

  • Component changed from General to Administration

#2 @desrosj
5 months ago

  • Description modified (diff)
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @pembo13,

My apologies that it took so long to receive a response to this ticket.

This seems like an issue with the Calls to Action plugin. WordPress Core can't account for plugins overwriting variables with the same names. If I am misinterpreting the issue, feel free to reopen with more details and some code to demonstrate the issue.

#3 @pembo13
5 months ago

@desrosj this really isn't about overwriting variables. I'm not sure that it should be acceptable for WordPress AJAX to break just because a cookie exists with the name "action" even though WordPress itself isn't explicitly looking for a cookie.

Checking $_GET or $_POST would avoid this. Also, it's a very difficult bug to track down once it's triggered.
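
The collision described in this ticket, as an added example that is not part of the ticket or of WordPress core: PHP builds $_REQUEST from the sources named in the `request_order` ini directive (falling back to `variables_order` when it is empty), and later sources overwrite earlier ones. The helper names, the sample request and the cookie value are assumptions constructed for illustration.

```php
<?php
// Added illustration, not WordPress core code.
// Simulates how PHP fills $_REQUEST: sources are merged in the order given by
// request_order (or variables_order when request_order is empty), and a later
// source overwrites an earlier one that uses the same key.
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) { // E and S never feed $_REQUEST
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// The comparison quoted in the ticket, applied to whichever array is passed in.
function is_upload_attachment(array $vars): bool
{
    return isset($vars['action']) && 'upload-attachment' === $vars['action'];
}

// Constructed sample request: the uploader posts action=upload-attachment
// while the browser also sends an unrelated cookie named "action".
$get    = [];
$post   = ['action' => 'upload-attachment', 'name' => 'photo.jpg'];
$cookie = ['action' => 'cta-variation-2']; // hypothetical plugin cookie value

// "GP" excludes cookies; "GPC" and "EGPCS" let the cookie win the key.
foreach (['GP', 'GPC', 'EGPCS'] as $order) {
    $request = build_request($get, $post, $cookie, $order);
    printf(
        "%-5s  \$_REQUEST['action']=%-20s  \$_REQUEST check: %s  \$_POST check: %s\n",
        $order,
        var_export($request['action'] ?? null, true),
        is_upload_attachment($request) ? 'pass' : 'FAIL',
        is_upload_attachment($post) ? 'pass' : 'FAIL'
    );
}
```

Running `php -i | grep -E 'request_order|variables_order'` on the affected server shows whether cookies are part of $_REQUEST there.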
