Opened 2 years ago

Closed 22 months ago

#44815 closed defect (bug) (fixed)

Remove deflate/gzip compression from load-scripts.php / load-styles.php

Reported by: LucasRolff
Owned by: azaozz
Milestone: 4.9.9
Priority: normal
Severity: normal
Version: 5.1
Component: Administration
Keywords: commit
Focuses: ui, administration
Cc:

Description (last modified by SergeyBiryukov)

In WordPress trunk (and other WP versions after 2.8), load-styles.php and load-scripts.php do deflate or gzip compression based on the Accept-Encoding header.

In recent times, where Brotli compression got introduced in various web servers, it can often result in double compression, leading to bugs in browsers such as Safari, which doesn't handle double compression at all.

Chrome, Firefox and Opera seem to decompress double compressed content over two steps and cause no issues (other than making the browser decompress twice).

However, Safari will end up with the error "cannot decode raw data".

My suggestion would be to remove the whole compression part from wp-admin/load-styles.php and wp-admin/load-scripts.php

There's no reason to keep this around anymore; the majority of web servers these days already do the needed compression (deflate, gzip, br), and it's a lot better to handle it on the web server level instead of within the application.

I can see that @azaozz submitted a patch in ticket #43308 in regards to CVE-2018-6389 - however, that patch never made it into a release.

Attachments (1)

44815.diff (2.7 KB) - added by LucasRolff 2 years ago.
patch for ticket #44815
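
An added example (not part of the ticket or of WordPress): a Python check for the double compression described above. It decodes the layers a response declares in Content-Encoding and reports any compression still left in the payload. The sample bodies are constructed, gzip stands in for the front-end Brotli layer because Brotli is not in the Python standard library, and all function names are hypothetical.

```python
import gzip
import zlib

def decode_layer(data, coding):
    """Undo one Content-Encoding layer; raises on malformed data."""
    if coding in ("gzip", "x-gzip"):
        return gzip.decompress(data)
    if coding == "deflate":
        try:  # zlib-wrapped, as HTTP defines "deflate"
            return zlib.decompress(data)
        except zlib.error:  # raw stream, as PHP's gzdeflate() emits
            return zlib.decompress(data, -zlib.MAX_WBITS)
    raise ValueError("unsupported coding: " + coding)

def sniff(data):
    """Name the compression format data still carries, or None."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    for name, wbits in (("zlib", zlib.MAX_WBITS), ("raw deflate", -zlib.MAX_WBITS)):
        d = zlib.decompressobj(wbits)
        try:
            d.decompress(data)
        except zlib.error:
            continue
        if d.eof and not d.unused_data:
            return name
    return None

def audit(body, content_encoding):
    """Return (declared layers, undeclared leftover format, payload)."""
    codings = [c.strip().lower() for c in content_encoding.split(",") if c.strip()]
    for coding in reversed(codings):  # the last coding listed was applied last
        body = decode_layer(body, coding)
    return len(codings), sniff(body), body

def raw_deflate(data, level=3):
    c = zlib.compressobj(level, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()

# Constructed sample: application-level deflate, then a front-end compressor.
SCRIPT = b"/* constructed admin script bundle */ " + b"var a = 1; " * 200
APP_BODY = raw_deflate(SCRIPT)    # what the application sends as "deflate"
DOUBLE = gzip.compress(APP_BODY)  # front end compresses again (gzip stands in for br)
CASES = (("deflate", APP_BODY), ("gzip", DOUBLE), ("deflate, gzip", DOUBLE))

if __name__ == "__main__":
    for header, body in CASES:
        layers, leftover, _ = audit(body, header)
        print(f"{header!r}: {layers} declared layer(s), undeclared leftover: {leftover}")
```

A leftover other than None means the payload is still compressed after every declared coding has been undone, which is the state a client that decodes only once is left in.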

Change History (10)

#1 @azaozz
2 years ago

Brotli compression got introduced in various web servers, it can often result in double compression...

This is (generally) a problem with the compressor or its configuration. It shouldn't double-compress anything.

However we still need to remove the PHP based compression from load-styles.php and load-scripts.php as an improvement to the problems described in #43308. It is just too slow and takes a lot of server resources.

#2 @azaozz
2 years ago

  • Milestone changed from Awaiting Review to 4.9.9

#3 @LucasRolff
2 years ago

Thanks for the quick reply @azaozz !

I've also opened a bug report with the web server software, so they'll handle the deflate issue - it seems that gzip <> Brotli conversion works fine, but deflate breaks it (which is the first one that the if condition checks for).

If it could already get into 4.9.9 that would be awesome!

Have an awesome day :)

@LucasRolff
2 years ago

patch for ticket #44815

#4 @azaozz
2 years ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In 43580:

Script loader: remove (PHP based) compression from load-styles.php and load-scripts.php. With the amount of scripts and stylesheets grown a lot over the years, it has become pretty slow and consumes a lot of server resources. Also, most servers are set to compress PHP output anyway.

Props LucasRolff, azaozz.

Fixes #44815.
See #43308.

#5 @azaozz
2 years ago

  • Keywords fixed-major commit added; needs-patch removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopen for 4.9.9.

#6 @SergeyBiryukov
2 years ago

  • Description modified (diff)

#7 @SergeyBiryukov
2 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 43618:

Script loader: remove (PHP based) compression from load-styles.php and load-scripts.php. With the amount of scripts and stylesheets grown a lot over the years, it has become pretty slow and consumes a lot of server resources. Also, most servers are set to compress PHP output anyway.

Props LucasRolff, azaozz.
Merges [43580] to the 4.9 branch.
Fixes #44815. See #43308.

#8 @pento
22 months ago

  • Keywords fixed-major removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

Let's leave this in 4.9.9, it just needs to be merged into the 5.0 branch.

#9 @SergeyBiryukov
22 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 43697:

Script loader: remove (PHP based) compression from load-styles.php and load-scripts.php. With the amount of scripts and stylesheets grown a lot over the years, it has become pretty slow and consumes a lot of server resources. Also, most servers are set to compress PHP output anyway.

Props LucasRolff, azaozz.
Merges [43580] to the 5.0 branch.
Fixes #44815. See #43308.
