#47479 closed enhancement (fixed)
Do not return 5xx for invalid/expired recovery mode cookies
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 5.3 | Priority: | normal |
| Severity: | normal | Version: | 5.2 |
| Component: | Site Health | Keywords: | servehappy has-patch |
| Focuses: | | Cc: | |
Description
The WP_Recovery_Mode class dies in certain situations where returning a 5xx status code does not feel appropriate, as the request did not produce a server error, but rather the authentication failed. In such situations, it might be more appropriate to return a 4xx error (presumably 403). The situations in mind here are the following:
- when the recovery mode cookie is expired
- when the recovery mode cookie is invalid
- when the exit recovery mode nonce check failed
As those failures also unset related cookies, the 5xx status may result in improper handling on certain server configurations (e.g. overriding 5xx responses with a custom response which is not properly passing the cookie headers).
I'm attaching a patch which changes the response codes from default 500 to 403 in the cases mentioned above.
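The failure mode described above, modelled as an added example (not code from the ticket or from WordPress): a front end that replaces every 5xx response with its own page drops the origin's cookie-clearing Set-Cookie header, while a 403 passes through untouched. The cookie name, the proxy behaviour and all function names are assumptions made for the illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: placeholder cookie name, not the one WordPress uses.
STALE_COOKIE = "recovery_cookie_example"

def upstream_response(status):
    """Origin rejects a bad recovery cookie and tells the browser to delete it."""
    headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", f"{STALE_COOKIE}=deleted; Max-Age=0; Path=/"),
    ]
    return status, headers, "recovery link expired"

def error_intercepting_proxy(status, headers, body):
    """Assumed front end: any 5xx from the origin is replaced by a static page.

    The replacement is built from scratch, so origin headers (including
    Set-Cookie) never reach the client. Other responses pass through.
    """
    if 500 <= status <= 599:
        return status, [("Content-Type", "text/html")], "custom error page"
    return status, headers, body

def browser_cookies_after(jar, response):
    """Apply Set-Cookie headers to a dict cookie jar; Max-Age=0 deletes."""
    _, headers, _ = response
    jar = dict(jar)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parsed = SimpleCookie()
        parsed.load(value)
        for key, morsel in parsed.items():
            if morsel["max-age"] == "0":
                jar.pop(key, None)
            else:
                jar[key] = morsel.value
    return jar

def stale_cookie_survives(origin_status):
    """True when the browser still holds the rejected cookie afterwards."""
    jar = {STALE_COOKIE: "expired-token"}
    response = error_intercepting_proxy(*upstream_response(origin_status))
    return STALE_COOKIE in browser_cookies_after(jar, response)
```

With an origin status of 500 the rejected cookie stays in the browser and is sent again on the next request; with 403 it is cleared.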
Attachments (2)
Change History (13)
#1
@
6 years ago
- Keywords needs-patch servehappy added
- Owner set to spacedmonkey
- Status changed from new to assigned
#4
@
6 years ago
Thanks for the feedback @spacedmonkey ! I've updated the patch accordingly, please let me know if it works for you :)
This ticket was mentioned in Slack in #core-php by spacedmonkey. View the logs.
6 years ago
#7
@
6 years ago
- Owner changed from spacedmonkey to SergeyBiryukov
Assigning to @SergeyBiryukov to merge.
@davidbinda This looks good.
For calls to wp_die that pass a WP_Error object, please add the status code like this.