Make WordPress Core

Opened 8 weeks ago

Last modified 4 days ago

#50781 new defect (bug)

500 error caused by customize_changeset_uuid for non-authenticated users

Reported by: bacardy4
Owned by:
Milestone: 5.6
Priority: normal
Severity: normal
Version: 4.7
Component: Customize
Keywords: has-patch
Focuses:
Cc:

Description

Hello,

I have noticed that if a non-authenticated user visits a URL containing the following GET parameter: ?customize_changeset_uuid=SOME_ID_HERE WordPress returns a 500 error.

There should be no reason to allow bots to flood someone's Apache log with 500 errors by simply adding a GET parameter.

If a user is not authenticated and they add the ?customize_changeset_uuid=ID_HERE parameter they should either be redirected or the GET parameter should be ignored rather than getting a 500 error.

Thanks for the consideration.
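The behaviour the report asks for, as an added example that is not the ticket's patch or WordPress core code: a must-use plugin that, for visitors without the `customize` capability, answers a malformed or unknown `customize_changeset_uuid` with a 404 that is sent with no-cache headers and a noindex directive, instead of letting the request reach the Customizer. It assumes that hooking `setup_theme` at a priority below 10 runs before the Customizer's own `setup_theme` handler, that changesets are stored as posts of type `customize_changeset` whose slug is the UUID (so `get_posts()` can look them up), and that `wp_die()` with a `response` of 404 produces the 404 page; the `example_` function names are placeholders.

```php
<?php
/**
 * Plugin Name: Reject unknown changeset UUIDs with 404
 *
 * Added example (mu-plugin), not WordPress core's own fix. Assumptions:
 * - `setup_theme` at priority 5 runs before the Customizer's handler;
 * - changesets are `customize_changeset` posts whose post_name is the UUID.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * Return the changeset post ID for a UUID, or 0 when no such changeset exists.
 * Any post status counts, because unpublished changesets are the normal case.
 */
function example_find_changeset_post_id( $uuid ) {
	$ids = get_posts(
		array(
			'post_type'      => 'customize_changeset',
			'post_status'    => array_values( get_post_stati() ),
			'name'           => $uuid,
			'posts_per_page' => 1,
			'fields'         => 'ids',
			'no_found_rows'  => true,
		)
	);
	return $ids ? (int) $ids[0] : 0;
}

/**
 * For visitors who cannot customize, a malformed or unknown changeset UUID
 * gets a 404 that is neither cached nor indexed; everything else falls
 * through to the Customizer unchanged.
 */
function example_reject_unknown_changeset_uuid() {
	if ( empty( $_GET['customize_changeset_uuid'] ) ) {
		return;
	}

	// Users who may customize keep the normal behaviour for their own changesets.
	if ( current_user_can( 'customize' ) ) {
		return;
	}

	$uuid = wp_unslash( $_GET['customize_changeset_uuid'] );

	// Only a syntactically valid UUID that names an existing changeset gets through.
	if ( wp_is_uuid( $uuid ) && example_find_changeset_post_id( $uuid ) ) {
		return;
	}

	// 404 rather than 500: do not let caches keep it or search engines index it.
	nocache_headers();
	header( 'X-Robots-Tag: noindex, nofollow', true );
	wp_die(
		'Not Found',
		'Not Found',
		array( 'response' => 404 )
	);
}
add_action( 'setup_theme', 'example_reject_unknown_changeset_uuid', 5 );
```

To check the effect, request the front page while logged out with a random UUID appended (`?customize_changeset_uuid=` followed by a fresh UUID) and confirm that the response status is 404 and carries `Cache-Control: no-cache` and `X-Robots-Tag: noindex` headers; the same request made while logged in as an administrator should behave as before.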

Attachments (3)

50781_1.patch (1.4 KB) - added by sumanm 2 weeks ago.
This patch sets a 404 page instead of a 500 error for a non-existent changeset UUID if the user is unauthenticated
50781.patch (1.7 KB) - added by sumanm 2 weeks ago.
In addition to the 404 page instead of a 500 error, it also adds nocache headers and noindex for robots
50781.2.diff (1.7 KB) - added by audrasjb 4 days ago.
Customizer: Redirects URLs to 404 if the changeset UUID does not exist for unauthenticated users


Change History (7)

#1 @SergeyBiryukov
8 weeks ago

  • Component changed from General to Customize

#2 follow-up: @dlh
7 weeks ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 5.6
  • Version changed from 5.4.2 to 4.7

Hi @bacardy4, and welcome to WordPress Trac! Thanks for the report.

I agree: A 500 response does seem out-of-place in this situation. I'm not sure about redirecting the request or ignoring the provided UUID. That isn't what happens when requesting an invalid post ID or term ID, as far as I know. Instead, perhaps the response should be a 404?

Adding this to the 5.6 milestone to see whether a decision can be made.

#3 in reply to: ↑ 2 @bacardy4
7 weeks ago

Hi there,

Yes indeed 404 sounds better than 500.

Thank you and regards!

@sumanm
2 weeks ago

This patch sets a 404 page instead of a 500 error for a non-existent changeset UUID if the user is unauthenticated

@sumanm
2 weeks ago

In addition to the 404 page instead of a 500 error, it also adds nocache headers and noindex for robots

@audrasjb
4 days ago

Customizer: Redirects URLs to 404 if the changeset UUID does not exist for unauthenticated users

#4 @audrasjb
4 days ago

  • Keywords has-patch added; needs-patch removed

50781.2.diff refreshes the patch against trunk with the correct path to the modified file and updated @since mentions, and it also fixes a few coding standards issues.
