WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#44711 closed defect (bug) (wontfix)

Try Gutenberg: Clicking the "Try" button can result in a 500 error

Reported by: pento Owned by: pento
Milestone: Priority: normal
Severity: normal Version: 4.9.8
Component: Administration Keywords:
Focuses: administration Cc:

Description

From the Gutenberg repo:

Try Gutenberg results in a 500 Server Internal Error

Steps to reproduce the behavior:

  1. Install Gutenberg plugin
  2. Activate Gutenberg plugin
  3. Click on Try Gutenberg
  4. Results in 500 Server Internal Error

Change History (11)

#1 @pento
3 years ago

Extra information requested on the GitHub issue:

  • When you install a plugin, do you usually need to type your FTP username/password (or do you have FTP_* settings in your wp-config.php file)?
  • Do you have access to your web server error log? If so, could you attach a copy of it?

#2 @pbiron
3 years ago

This also just happened to me when I went to investigate this report.

The following is just an educated guess, but it fixed the problem for me.

Prior to using using Gutenberg I had no need for the REST-API on the site I tested this on, so I had rule in the Application Firewall (WAF) of the security plugin I use to block all accesses to /wp-json/*. D'oh!

Once I removed that WAF rule I no longer get the 500 error.

#3 @pento
3 years ago

@pbiron: Is this Cloudflare's WAF, or someone else?

Also, can you confirm if you getting the 500 error when clicking the Install button from the Try Gutenberg callout, or when you opened Gutenberg itself?

#4 @pbiron
3 years ago

https://wordpress.org/plugins/wordfence/

And I didn't get the error until I clicked the Try Gutenberg button, which is when the OP said it happened to him.

#5 @pbiron
3 years ago

Many/most other WAF's have a similar setting, but the WordFence setting in question is on the wp-admin/admin.php?page=WordfenceWAF&subpage=waf_options screen, in the Advanced Firewall Options section:

  • Immediately block IPs that access these URLs

in which I'd entered (among other things) /wp-json/*

#6 follow-up: @pento
3 years ago

Oh, I see how that's happening. Is /wp-json/* a default setting there?

#7 in reply to: ↑ 6 ; follow-up: @pbiron
3 years ago

Replying to pento:

Oh, I see how that's happening. Is /wp-json/* a default setting there?

No.

I had a number of malicious attacks against several sites I manage by bots probing for various REST-API vulnerabilities. And since "normal" usage of these sites had no need for the REST-API, I added that rule.

This may not be what is causing the problem for OP, but I suspect it (or some similar reason that REST-API is being blocked) might be.

Last edited 3 years ago by pbiron (previous) (diff)

#8 @pento
3 years ago

Okay, thanks for confirming that.

@mmaunder: Given that this issue is likely to escalate fairly quickly with the release of WordPress 4.9.8 and the Try Gutenberg callout, could you see if Wordfence can handle this kind of block in a friendlier manner? 🙂

#9 in reply to: ↑ 7 @pbiron
3 years ago

Replying to pbiron:

Replying to pento:

Oh, I see how that's happening. Is /wp-json/* a default setting there?

No.

I had a number of malicious attacks against several sites I manage by bots probing for various REST-API vulnerabilities. And since "normal" usage of these sites had no need for the REST-API, I added that rule.

Adding that rule was kind of the lazy way out.

What I should have done was something like:

add_filter( 'rest_authentication_errors', 'shc_rest_authentication_errors' );

/**
 * Restrict REST-API requests to logged in users
 *
 * @param string $error Authentication error
 * @return string|WP_Error
 */
function shc_rest_authentication_errors( $error ) {
        if ( ! empty( $error ) || is_user_logged_in() ) {
                return $error;
        }

        return new WP_Error(
                'rest_not_logged_in',
                'You must be logged in to access this resource.',
                array( 'status' => 401 )
         );
}

which I will change all my sites to in the morning when I've had a chance to test it a little bit.

#10 @pento
3 years ago

  • Summary changed from Try Gutenberg: Clicking Install can result in a 500 error to Try Gutenberg: Clicking the "Try" button can result in a 500 error

#11 @pento
3 years ago

  • Keywords reporter-feedback removed
  • Milestone 4.9.9 deleted
  • Resolution set to wontfix
  • Status changed from assigned to closed

Closing, as Try Gutenberg will be removed from the 4.9 branch.

Note: See TracTickets for help on using tickets.