#45940 closed defect (bug) (invalid)
WSOD protection should disable plugins in fewer situations
Reported by: | markjaquith | Owned by: | TimothyBlynJacobs |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | critical | Version: | 5.1 |
Component: | Site Health | Keywords: | needs-patch servehappy |
Focuses: | Cc: |
Description (last modified by )
[44524] implemented WSOD protection, for #44458. I have concerns about how aggressively it pauses plugins.
It is possible to get a plugin paused in the admin by triggering a fatal error on the front of the site. Furthermore, that fatal error could be triggered by specific user input (maliciously, even). If this is a plugin that implements 2FA or SAML or admin event logging or permissions filtering or login attempt limiting or any other security- or authentication-related function, this could have dire effects on the site. Bad actors could have a way of targeting and disabling critical site functionality.
I think the scenarios where this pausing occurs should be narrowed. To start, I propose that pausing not happen for:
- POST requests (on the front end).
- Requests with a query string other than
?p=X
(or a few other standard WordPress query strings we can whitelist).
For example, if a contact form submission, in certain circumstances, can result in a fatal error, this should not pause that plugin. If some ?obscure-query-arg=BAD_INPUT
URL on a site can result in a fatal error, this should not pause the plugin.
If a plugin is taking down the entire site, or preventing a user from logging in, that is the dead end scenario we'd like to prevent, and those are the situations in which it's an acceptable trade-off to pause that functionality so that the site owner can take steps to recover more gracefully than they could in the past.
See also #45888 which proposes that critical plugins (where the plugin itself knows that it's better to take the site down than have its functionality disabled) have a way of opting out of WSOD protection.
Attachments (1)
Change History (24)
This ticket was mentioned in Slack in #core-php by timothybjacobs. View the logs.
6 years ago
#4
@
6 years ago
- Keywords needs-patch added
- Milestone changed from Awaiting Review to 5.1
- Owner set to flixos90
- Status changed from new to assigned
#5
@
6 years ago
- Keywords has-patch added; needs-patch removed
45940.diff separates the processes of detecting an error to handle and actually storing it (and by that pausing the extension). This provides us with the baseline to pause extensions more granularly. I also included the suggestion by @TimothyBlynJacobs already since that enhancement makes sense and is rather trivial to implement.
I will commit this now to have it in the next Beta, and we can continue working from there, also considering "irregular" requests for not pausing extensions, as suggested by @markjaquith.
#7
@
6 years ago
- Keywords needs-patch added; has-patch removed
Flagging this for a follow-up patch to implement the initial concerns outlined in the ticket description.
#9
@
6 years ago
Note that by not always pausing extensions when an error occurs, there currently is no longer any awareness of the error either. I wonder whether we should decouple pausing extensions from still storing the error in other cases so that the site owner can be informed by it.
Due to the time constraints, this specific part could be an enhancement for 5.2 (or possibly even a 5.1.x) though, as the other fixes are more critical.
#12
@
6 years ago
I wonder whether we should decouple pausing extensions from still storing the error in other cases so that the site owner can be informed by it.
Isn't this already handled by WP_DEBUG_LOG
? I don't think we should build a complete developer/debugger tool here, just make sure people can run updates/removals on their plugins/themes.
This ticket was mentioned in Slack in #core-php by flixos90. View the logs.
6 years ago
This ticket was mentioned in Slack in #core-php by timothybjacobs. View the logs.
6 years ago
#16
@
6 years ago
Added a mechanism to only paused plugins/themes after an initial redirect, to make sure the error is persistent: https://core.trac.wordpress.org/ticket/46066
I think we can also limit pausing extensions to only errors that occurred on pages where
is_protected_endpoint()
is true. We could continue to log these errors but display them differently in the admin.