Opened 5 years ago
Closed 5 years ago
#44815 closed defect (bug) (fixed)
Remove deflate/gzip compression from load-scripts.php / load-styles.php
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 4.9.9 | Priority: | normal |
Severity: | normal | Version: | 5.1 |
Component: | Administration | Keywords: | commit |
Focuses: | ui, administration | Cc: |
Description (last modified by )
In WordPress trunk (and other WP versions after 2.8), load-styles.php and load-scripts.php do deflate or gzip compression based on the Accept-Encoding header.
In recent times, where Brotli compression has been introduced in various web servers, it can often result in double compression, leading to bugs in browsers such as Safari that don't handle double compression at all.
Chrome, Firefox and Opera seem to decompress double compressed content over two steps, which causes no issues (other than making the browser decompress twice).
However, Safari will end up with the error "cannot decode raw data".
My suggestion would be to remove the whole compression part from wp-admin/load-styles.php and wp-admin/load-scripts.php.
There's no reason to keep this around anymore; the majority of web servers these days already do the needed compression (deflate, gzip, br), and it's a lot better to handle it on the web server level instead of within the application.
I can see that @azaozz submitted a patch in ticket #43308 in regards to CVE-2018-6389 - however, that patch never made it into a release.
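A diagnostic for the double compression described in this ticket, as an added example that is not WordPress code or part of the ticket: it peels compression layers off a response body and reports any that remain beyond what Content-Encoding declares. The sample body is constructed, gzip stands in for the server-side Brotli layer (Brotli is not in Python's standard library), and modelling the application's deflate output as a raw deflate stream is an assumption.

```python
import gzip
import zlib

MAX_OUT = 8 * 1024 * 1024  # cap on decoded size per layer (assumed limit)

# wbits selects the container zlib expects around the deflate stream.
FORMATS = (("gzip", 31), ("deflate (zlib)", 15), ("deflate (raw)", -15))


def try_decode(body):
    """Return (format, decoded) if body is one complete compressed stream, else None."""
    for name, wbits in FORMATS:
        d = zlib.decompressobj(wbits=wbits)
        try:
            out = d.decompress(body, MAX_OUT)
        except zlib.error:
            continue
        # Require a clean end of stream so ordinary text is not mistaken for deflate.
        if d.eof and not d.unused_data:
            return name, out
    return None


def peel(body, max_layers=4):
    """Strip compression layers, outermost first; return (layers, remaining body)."""
    layers = []
    while len(layers) < max_layers:
        hit = try_decode(body)
        if hit is None:
            break
        layers.append(hit[0])
        body = hit[1]
    return layers, body


def undeclared_layers(content_encoding, body):
    """Layers still present after removing as many as Content-Encoding declares."""
    declared = [e for e in content_encoding.replace(" ", "").split(",") if e]
    layers, _ = peel(body)
    return layers[len(declared):]


# Constructed sample: a script bundle compressed by the application, then by the server.
PLAIN = b"/* constructed sample */ jQuery(function(){ init(); });\n" * 40
app = zlib.compressobj(3, zlib.DEFLATED, -15)
APP_BODY = app.compress(PLAIN) + app.flush()  # application layer: raw deflate
DOUBLE = gzip.compress(APP_BODY)              # server layer applied on top
```

A non-empty result from `undeclared_layers` for a saved response body means a client that decodes only the declared encoding is left with compressed bytes, which matches the Safari failure reported above.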
Attachments (1)
Change History (10)
#3
@
5 years ago
Thanks for the quick reply @azaozz !
I've also opened a bug report with the web server software, so they'll handle the deflate issue - it seems that gzip <> Brotli conversion works fine, but deflate breaks it (which is the first one that the if condition checks for).
If it could already get into 4.9.9 that would be awesome!
Have an awesome day :)
#4
@
5 years ago
- Owner set to azaozz
- Resolution set to fixed
- Status changed from new to closed
In 43580:
#5
@
5 years ago
- Keywords fixed-major commit added; needs-patch removed
- Resolution fixed deleted
- Status changed from closed to reopened
Reopen for 4.9.9.
This is (generally) a problem with the compressor or its configuration. It shouldn't double-compress anything.
However, we still need to remove the PHP based compression from load-styles.php and load-scripts.php as an improvement to the problems described in #43308. It is just too slow and takes a lot of server resources.