Opened 2 years ago

Last modified 39 hours ago

#43358 accepted defect (bug)

The theme/plugin editor sandbox does not play well with PHP sessions

Reported by: bruandet
Owned by: SergeyBiryukov
Milestone: Future Release
Priority: normal
Severity: normal
Version: 4.9.4
Component: Administration
Keywords: dev-feedback
Focuses:
Cc:

Description

The theme/plugin editor sandbox does not work with some plugins (or themes) using PHP sessions. Because of the session exclusive lock, cURL will time out when attempting to connect back to the site and the request will fail.
Checking if a session was started and then calling session_write_close() before the first wp_remote_get() call in wp-admin/includes/file.php seems to solve the issue.
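
A plugin-side form of the workaround described above, as an added example that is not part of this ticket or of WordPress core: it releases the session lock before any HTTP request aimed at the site itself. The plugin name and the `example_` function names are hypothetical; `pre_http_request` is the existing core filter that runs before a request is sent.

```php
<?php
/**
 * Plugin Name: Example Session Lock Release (hypothetical, constructed for illustration)
 */

// A plugin that keeps per-visitor state in $_SESSION, as in the report.
add_action( 'init', 'example_start_session' );
function example_start_session() {
	if ( PHP_SESSION_NONE === session_status() && ! headers_sent() ) {
		session_start(); // Holds an exclusive lock on this session until the request ends.
	}
}

// Release the lock before WordPress sends a request back to this site.
add_filter( 'pre_http_request', 'example_release_session_lock', 10, 3 );
function example_release_session_lock( $preempt, $parsed_args, $url ) {
	$target = wp_parse_url( $url, PHP_URL_HOST );
	$own    = array(
		wp_parse_url( home_url(), PHP_URL_HOST ),
		wp_parse_url( site_url(), PHP_URL_HOST ),
	);

	// A loopback request that carries the same session cookie would block on the
	// lock held by this request until the HTTP timeout expires.
	if ( in_array( $target, $own, true ) && PHP_SESSION_ACTIVE === session_status() ) {
		// Writes the session data and releases the lock. $_SESSION stays
		// readable, but later changes in this request are not saved.
		session_write_close();
	}

	return $preempt; // Returned unchanged, so the request still goes out normally.
}
```

Code that only reads session data can avoid holding the lock at all by calling `session_start( array( 'read_and_close' => true ) )`, available since PHP 7.0.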

Attachments (1)

session-site-health-bug.php (71 bytes) - added by vjik 4 months ago.
Simple plugin for reproducing the problem

Change History (4)

#1 @SergeyBiryukov
4 months ago

  • Milestone changed from Awaiting Review to 5.4
  • Owner set to SergeyBiryukov
  • Status changed from new to accepted

@vjik reported that this issue also affects Site Health checks, specifically causing these warnings:

  • The REST API encountered an error
  • Your site could not complete a loopback request

@vjik
4 months ago

Simple plugin for reproducing the problem

#2 @donmhico
4 weeks ago

  • Keywords dev-feedback added

+1 to @bruandet. Adding session_write_close() before the first wp_remote_get() specifically here - https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/file.php#L554 - fixes the issue for the Plugin and Theme editor. However, it does not fix the issue found in Site Health checks.

Do you guys think that closing the session during the Site Health checks is the proper solution? It feels kinda hacky if you ask me. Any other ideas / approach?

#3 @audrasjb
39 hours ago

  • Milestone changed from 5.4 to Future Release

Hi,

With 5.4 Beta 3 approaching and the Beta period reserved for bugs introduced during the cycle, this is being moved to Future Release. If any maintainer or committer feels this should be included or wishes to assume ownership during a specific cycle, feel free to update the milestone accordingly.
