#46026 closed defect (bug) (fixed)
WSODs protection returns incorrect content type for XML Requests
Reported by: | spacedmonkey | Owned by: | spacedmonkey |
---|---|---|---|
Milestone: | 5.2 | Priority: | normal |
Severity: | normal | Version: | 5.1 |
Component: | Site Health | Keywords: | has-patch needs-testing servehappy |
Focuses: | multisite | Cc: |
Description
Similar to #45933, calls to wp_die
do not return the correct content type, when the requests resource in xml, such RSS feeds, trackbacks and other xml requests such as sitemaps (via a plugin like yoast). Returning the correct content type can have serious issues for third party tools that request say a feed and get a html page in return.
Attachments (3)
Change History (30)
This ticket was mentioned in Slack in #core-php by spacedmonkey. View the logs.
6 years ago
#4
@
6 years ago
Thanks @spacedmonkey
@afragen What about using <![CDATA[...]]>
for e.g. the external input of $message
?
Some minor things I noticed in 46026.diff:
- It would be nice to add more information to the parameter's description of
_wp_wrap_xml()
, like the type and description.
- Missing dot at the end of the
_wp_wrap_xml()
description.
- Extra new lines at the end of
wp_is_xml_request()
and the indentation might need some adjustments.
- Should we format the
wp_die
in the description of_xml_wp_die_handler()
, e.g. add a link for the doc parsing, like{@see wp_die
} ?
- The function
wp_is_xml_request()
is not complicated, but it will be a part of the public API, so should unit tests be added for it?
I would also have suggested using e.g. "halt" instead of "kill", but I see that the latter is already used by core :-)
Not related to this ticket, but I don't see any is_callable()
on the filterable callbacks in wp_die()
.
This ticket was mentioned in Slack in #core-php by flixos90. View the logs.
6 years ago
This ticket was mentioned in Slack in #core-php by spacedmonkey. View the logs.
6 years ago
#9
@
6 years ago
In 46026.2.diff there's a typo in _xml_wp_die_handler()
regarding the content type. Should be e.g. text/xml
rather than application/json
.
The optional error title input is not used in the output of _xml_wp_die_handler()
, so I wonder if the error title input should be handled in a similar way as the error message, i.e. with it's own element:
<error> <title>...</title> <message>...</message> ... </error>
I also wonder if _json_wp_die_handler()
should add the error title
to the output.
I like the simplification in 46026.2.diff compared to 46026.diff regarding skipping the array2xml processing and just construct the xml directly.
#10
@
6 years ago
Thanks for your feedback @birgire
In 46026.3.diff are the following changes
- Now returns <title> node.
- Now returns content type xml/text
- Also checks
is_comment_feed
- Load.php now has a empty line at the end.
This ticket was mentioned in Slack in #core-php by spacedmonkey. View the logs.
6 years ago
This ticket was mentioned in Slack in #core-php by spacedmonkey. View the logs.
6 years ago
This ticket was mentioned in Slack in #core-php by spacedmonkey. View the logs.
6 years ago
#16
@
6 years ago
- Milestone 5.3 deleted
- Resolution set to invalid
- Status changed from assigned to closed
This ticket is based on the old fatal error recovery mode implementation and will be covered as part of #46130.
This ticket was mentioned in Slack in #core-php by spacedmonkey. View the logs.
6 years ago
#18
@
6 years ago
- Resolution invalid deleted
- Status changed from closed to reopened
Reopening as still valid and not part of #46130.
@birgire Thanks for the feedback, I have fixed those issues in my latest patch here.
I have also added, the following changes.
is_feed
andis_trackback
return true.