WordPress.org

Make WordPress Core

Opened 6 weeks ago

Closed 4 weeks ago

Last modified 3 weeks ago

#47479 closed enhancement (fixed)

Do not return 5xx for invalid/expired recovery mode cookies

Reported by: david.binda Owned by: SergeyBiryukov
Milestone: 5.3 Priority: normal
Severity: normal Version: 5.2
Component: Site Health Keywords: servehappy has-patch
Focuses: Cc:

Description

The WP_Recovery_Mode class dies in certain situations where returning a 5xx status code does not feel appropriate, as the request did not produce a server error, but rather the authentication failed. In such situations, it might be more appropriate to return a 4xx error (presumably 403). The situations in mind here are the following:

  1. when the recovery mode cookie is expired
  2. when the recovery mode cookie is invalid
  3. when the exit recovery mode nonce check failed

As those failures also unset related cookies, the 5xx status may result in an improper handling on certain server configurations (eg.: overriding 5xx responses with a custom response which is not properly passing the cookie headers).

I'm attaching a patch which changes the response codes from default 500 to 403 in the cases mentioned above.

Attachments (2)

47479.diff (983 bytes) - added by david.binda 6 weeks ago.
47479-2.diff (1.0 KB) - added by david.binda 6 weeks ago.

Download all attachments as: .zip

Change History (13)

@david.binda
6 weeks ago

#1 @spacedmonkey
6 weeks ago

  • Keywords needs-patch servehappy added
  • Owner set to spacedmonkey
  • Status changed from new to assigned

#2 @SergeyBiryukov
6 weeks ago

  • Component changed from General to Bootstrap/Load

#3 @spacedmonkey
6 weeks ago

@davidbinda This looks good.

For calls to wp_die that pass a WP_Error object. Please add the status code like this.

@david.binda
6 weeks ago

#4 @david.binda
6 weeks ago

Thanks for the feedback @spacedmonkey ! I've updated the patch accordingly, please let me know if it works for you :)

#5 @SergeyBiryukov
6 weeks ago

  • Milestone changed from Awaiting Review to 5.3

This ticket was mentioned in Slack in #core-php by spacedmonkey. View the logs.


5 weeks ago

#7 @spacedmonkey
5 weeks ago

  • Owner changed from spacedmonkey to SergeyBiryukov

Assigning to @SergeyBiryukov to merge.

This ticket was mentioned in Slack in #core-php by spacedmonkey. View the logs.


4 weeks ago

#9 @SergeyBiryukov
4 weeks ago

  • Keywords has-patch added; needs-patch removed

#10 @SergeyBiryukov
4 weeks ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 45544:

Bootstrap/Load: Return a 403 error code when the recovery mode cookie is invalid or expired, or the exit recovery mode nonce check failed.

Props david.binda, spacedmonkey.
Fixes #47479.

#11 @spacedmonkey
3 weeks ago

  • Component changed from Bootstrap/Load to Site Health
Note: See TracTickets for help on using tickets.