Opened 6 years ago
Closed 6 years ago
#44711 closed defect (bug) (wontfix)
Try Gutenberg: Clicking the "Try" button can result in a 500 error
Reported by: | pento | Owned by: | pento |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 4.9.8 |
Component: | Administration | Keywords: | |
Focuses: | administration | Cc: |
Description
From the Gutenberg repo:
Try Gutenberg results in a 500 Server Internal Error
Steps to reproduce the behavior:
- Install Gutenberg plugin
- Activate Gutenberg plugin
- Click on Try Gutenberg
- Results in 500 Server Internal Error
Change History (11)
#2
@
6 years ago
This also just happened to me when I went to investigate this report.
The following is just an educated guess, but it fixed the problem for me.
Prior to using using Gutenberg I had no need for the REST-API on the site I tested this on, so I had rule in the Application Firewall (WAF) of the security plugin I use to block all accesses to /wp-json/*
. D'oh!
Once I removed that WAF rule I no longer get the 500 error.
#3
@
6 years ago
@pbiron: Is this Cloudflare's WAF, or someone else?
Also, can you confirm if you getting the 500 error when clicking the Install button from the Try Gutenberg callout, or when you opened Gutenberg itself?
#4
@
6 years ago
https://wordpress.org/plugins/wordfence/
And I didn't get the error until I clicked the Try Gutenberg
button, which is when the OP said it happened to him.
#5
@
6 years ago
Many/most other WAF's have a similar setting, but the WordFence setting in question is on the wp-admin/admin.php?page=WordfenceWAF&subpage=waf_options
screen, in the Advanced Firewall Options
section:
- Immediately block IPs that access these URLs
in which I'd entered (among other things) /wp-json/*
#6
follow-up:
↓ 7
@
6 years ago
Oh, I see how that's happening. Is /wp-json/*
a default setting there?
#7
in reply to:
↑ 6
;
follow-up:
↓ 9
@
6 years ago
Replying to pento:
Oh, I see how that's happening. Is
/wp-json/*
a default setting there?
No.
I had a number of malicious attacks against several sites I manage by bots probing for various REST-API vulnerabilities. And since "normal" usage of these sites had no need for the REST-API, I added that rule.
This may not be what is causing the problem for OP, but I suspect it (or some similar reason that REST-API is being blocked) might be.
#8
@
6 years ago
Okay, thanks for confirming that.
@mmaunder: Given that this issue is likely to escalate fairly quickly with the release of WordPress 4.9.8 and the Try Gutenberg callout, could you see if Wordfence can handle this kind of block in a friendlier manner? 🙂
#9
in reply to:
↑ 7
@
6 years ago
Replying to pbiron:
Replying to pento:
Oh, I see how that's happening. Is
/wp-json/*
a default setting there?
No.
I had a number of malicious attacks against several sites I manage by bots probing for various REST-API vulnerabilities. And since "normal" usage of these sites had no need for the REST-API, I added that rule.
Adding that rule was kind of the lazy way out.
What I should have done was something like:
add_filter( 'rest_authentication_errors', 'shc_rest_authentication_errors' );
/**
* Restrict REST-API requests to logged in users
*
* @param string $error Authentication error
* @return string|WP_Error
*/
function shc_rest_authentication_errors( $error ) {
if ( ! empty( $error ) || is_user_logged_in() ) {
return $error;
}
return new WP_Error(
'rest_not_logged_in',
'You must be logged in to access this resource.',
array( 'status' => 401 )
);
}
which I will change all my sites to in the morning when I've had a chance to test it a little bit.
Extra information requested on the GitHub issue: