Opened 8 weeks ago
Closed 6 weeks ago
#62617 closed defect (bug) (reported-upstream)
Infinite loop on API request in Block editor after wordpress_logged_in cookie is removed
Reported by: | mustra | Owned by: |
---|---|---|---
Milestone: | | Priority: | normal
Severity: | major | Version: | 6.7.1
Component: | Editor | Keywords: | has-testing-info has-screenshots
Focuses: | | Cc: |
Description
When you log into the editor and manually remove the wordpress_logged_in cookie, any attempt to save or perform actions in the editor will trigger an infinite loop of API requests, resulting in a 403 Forbidden response with rest_cookie_invalid_nonce.
Even after refreshing the page, these requests will persist, and the only way to stop them is to manually log out.
This infinite loop of requests can spike your CPU to 100%, rendering your site unresponsive.
Tested:
- PHP - 8.3 and 7.4
- Nginx
- Laravel Herd 1.12.0 (locally) also on Ubuntu server 20.04.2 and 20.04.6
- WP core - 6.1 - 6.7.1 (I didn't go further)
- Plugin - none installed
- Theme - twentytwentyfive, twentytwentyfour
All details can be found here on the video:
https://drive.google.com/file/d/1SpwEp_kg0okedNBe9yfHpAqMb-wQKdPi/view?usp=sharing
Attachments (1)
Change History (6)
#1
8 weeks ago
Hi @mustra,
Thank you for raising the ticket. I have successfully reproduced the bug on my end. As noted in the ticket, the issue persists even after refreshing the page. The only way to resolve it currently is by logging back in.
#2
8 weeks ago
- Keywords has-testing-info has-screenshots needs-patch added
Hey @mustra, Welcome to Trac, and thanks for bringing this up.
I can see where the issue is happening. When a rest_cookie_invalid_nonce error occurs, the code automatically tries to refresh the nonce and retry the request without checking if the cookie is actually present.
I'll develop a fix to address this vulnerability.
Reproduction Report
Description
This report validates the issue can be reproduced.
Environment
- WordPress: 6.8-alpha-59366
- PHP: 8.2.25
- Server: Apache/2.4.62 (Debian)
- Database: mysqli (Server: 11.4.3-MariaDB-ubu2404 / Client: mysqlnd 8.2.25)
- Browser: Chrome 131.0.0.0
- OS: macOS
- Theme: Twenty Twenty-Five 1.0
Actual Results
✅ Error condition occurs.
Supplemental Artifacts
Screenshot:
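The retry behaviour described in comment #2, as an added example that is not Gutenberg's or WordPress core's code: a client that, on rest_cookie_invalid_nonce, refreshes its nonce and retries unconditionally, next to a variant that refreshes at most once per request and then gives up. The fake server, cookie jar, nonce strings and endpoint paths are constructed stand-ins chosen to reproduce the symptom in the report; they are not a claim about how WordPress validates nonces internally.

```javascript
// Added example, not project code. Models comment #2: unconditional
// "refresh nonce and retry" loops forever once the auth cookie is gone,
// while a retry budget of one refresh per request stops and reports the
// lost session. All server behaviour and values below are constructed.

const REST_NONCE_PATH = '/wp-admin/admin-ajax.php?action=rest-nonce'; // assumed path
const POSTS_PATH = '/wp/v2/posts';

// Constructed server: a nonce is only accepted together with the session
// cookie it was issued for. Without a cookie the refresh endpoint still
// answers 200, but the nonce it hands back is never accepted by the
// authenticated endpoint, so the retried request fails like the one before.
function makeServer() {
  const SESSION_COOKIE = 'wordpress_logged_in_abc=user1|token';
  const SESSION_NONCE = 'nonce-user1';
  return {
    request(path, { cookie, nonce }) {
      if (path === REST_NONCE_PATH) {
        return { status: 200, body: cookie === SESSION_COOKIE ? SESSION_NONCE : 'nonce-user0' };
      }
      if (cookie !== SESSION_COOKIE || nonce !== SESSION_NONCE) {
        return { status: 403, body: { code: 'rest_cookie_invalid_nonce' } };
      }
      return { status: 201, body: { id: 42 } };
    },
  };
}

// Naive client: refresh and retry on every rest_cookie_invalid_nonce.
// maxRequests is only a safety valve so this demonstration terminates; in
// the reported bug there is no cap and the loop runs until the user logs out.
function naiveSave(server, cookieJar, maxRequests = 20) {
  let nonce = 'nonce-user1'; // the nonce the editor page was loaded with
  let requests = 0;
  for (;;) {
    if (requests >= maxRequests) {
      return { outcome: 'looped', requests };
    }
    requests += 1;
    const res = server.request(POSTS_PATH, { cookie: cookieJar.cookie, nonce });
    if (res.status === 403 && res.body.code === 'rest_cookie_invalid_nonce') {
      requests += 1;
      nonce = server.request(REST_NONCE_PATH, { cookie: cookieJar.cookie, nonce: null }).body;
      continue; // retry with the "fresh" nonce, however many times this already failed
    }
    return { outcome: 'done', status: res.status, requests };
  }
}

// Bounded client: one nonce refresh per request. If the refreshed nonce is
// rejected as well, the session is gone and the user has to re-authenticate;
// more retries cannot fix that. The wordpress_logged_in cookie is HttpOnly,
// so script cannot test for its presence; the retry budget is the check
// that is available on the client side.
function boundedSave(server, cookieJar) {
  let nonce = 'nonce-user1';
  let refreshed = false;
  let requests = 0;
  for (;;) {
    requests += 1;
    const res = server.request(POSTS_PATH, { cookie: cookieJar.cookie, nonce });
    const nonceError = res.status === 403 && res.body.code === 'rest_cookie_invalid_nonce';
    if (!nonceError) {
      return { outcome: 'done', status: res.status, requests };
    }
    if (refreshed) {
      return { outcome: 'session_lost', status: res.status, requests };
    }
    refreshed = true;
    requests += 1;
    nonce = server.request(REST_NONCE_PATH, { cookie: cookieJar.cookie, nonce: null }).body;
  }
}

// Scenario from the report: editor loaded while logged in, then the
// wordpress_logged_in cookie is deleted, then the user tries to save.
function reproduce(client) {
  const server = makeServer();
  const cookieJar = { cookie: 'wordpress_logged_in_abc=user1|token' };
  const loggedIn = client(server, cookieJar);
  cookieJar.cookie = null; // cookie removed in the browser's devtools
  const afterRemoval = client(server, cookieJar);
  return { loggedIn, afterRemoval };
}

console.log(JSON.stringify({ naive: reproduce(naiveSave), bounded: reproduce(boundedSave) }));
```

Running this prints the naive client hitting the safety cap after the cookie is removed (two requests per retry, the nonce refresh plus the retried save), while the bounded client stops after one refresh with a `session_lost` outcome that an editor can turn into a re-login prompt instead of a CPU-bound request storm.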
#3
follow-up: ↓ 4
8 weeks ago
Turns out this is a duplicate ticket, and this is an issue all the way back from 2019:
https://github.com/WordPress/gutenberg/issues/13509
#4
in reply to: ↑ 3
8 weeks ago
- Keywords needs-patch removed
Replying to mustra:
> Turns out this is a duplicate ticket, and this is an issue all the way back from 2019:
> https://github.com/WordPress/gutenberg/issues/13509
Yes @mustra, I recently discovered this duplicate and was testing the patch provided there to see if the issue here is being solved. Will contribute to the discussion there for any possible fixes needed.
#5
6 weeks ago
- Milestone Awaiting Review deleted
- Resolution set to reported-upstream
- Status changed from new to closed
I created a PR to resolve the bug upstream: https://github.com/WordPress/gutenberg/pull/67812.
I'll close the ticket here.
Bug reproduction