Make WordPress Core

Opened 8 months ago

Closed 7 months ago

Last modified 2 months ago

#62617 closed defect (bug) (reported-upstream)

Infinite loop on API req in Block editor after wordpress_logged_in cookie is removed

Reported by: mustra
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 6.7.1
Component: Editor
Keywords: has-test-info has-screenshots
Focuses:
Cc:

Description

When you log into the editor and manually remove the wordpress_logged_in cookie, any attempt to save or perform actions in the editor will trigger an infinite loop of API requests, resulting in a 403 Forbidden response with rest_cookie_invalid_nonce.

Even after refreshing the page, these requests will persist, and the only way to stop them is to manually log out.

This infinite loop of requests can spike your CPU to 100%, rendering your site unresponsive.

Tested:

  • PHP - 8.3 and 7.4
  • Nginx
  • Laravel Herd 1.12.0 (locally) also on Ubuntu server 20.04.2 and 20.04.6
  • WP core - 6.1 - 6.7.1 (I didn't go further)
  • Plugin - none installed
  • Theme - twentytwentyfive, twentytwentyfour

All details can be found here on the video:
https://drive.google.com/file/d/1SpwEp_kg0okedNBe9yfHpAqMb-wQKdPi/view?usp=sharing

Attachments (1)

Screen Recording 2024-11-29 at 14.44.28.mp4 (5.3 MB) - added by mustra 8 months ago.
Bug reproduction

Change History (7)

#1 @yogeshbhutkar
8 months ago

Hi @mustra,

Thank you for raising the ticket. I have successfully reproduced the bug on my end. As noted in the ticket, the issue persists even after refreshing the page. The only way to resolve it currently is by logging back in.

#2 @abcd95
8 months ago

  • Keywords has-testing-info has-screenshots needs-patch added

Hey @mustra, Welcome to Trac, and thanks for bringing this up.

I can see where the issue is happening. When a rest_cookie_invalid_nonce error occurs, the code automatically tries to refresh the nonce and retry the request without checking if the cookie is actually present.
I'll develop a fix to address this vulnerability.

Reproduction Report

Description

This report validates the issue can be reproduced.

Environment

  • WordPress: 6.8-alpha-59366
  • PHP: 8.2.25
  • Server: Apache/2.4.62 (Debian)
  • Database: mysqli (Server: 11.4.3-MariaDB-ubu2404 / Client: mysqlnd 8.2.25)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0

Actual Results

✅ Error condition occurs.

Supplemental Artifacts

Screenshot:

https://i.postimg.cc/gJDffVGL/image.png
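
The refresh-and-retry behaviour described in comment #2, as an added example that is not part of the ticket and is not WordPress or Gutenberg code. It is a synchronous model with constructed server responses and hypothetical function names, comparing an unguarded retry loop with a client that retries once and then surfaces the 403.

```javascript
// Constructed model of the loop in this ticket; not WordPress or Gutenberg code.
// Assumption of the model: without the logged-in cookie every REST call is
// rejected with rest_cookie_invalid_nonce, whatever nonce the client sends.
function makeServer(hasLoginCookie) {
  return {
    apiCalls: 0,
    fetchNonce() { return hasLoginCookie ? 'valid-nonce' : 'unusable-nonce'; },
    request(nonce) {
      this.apiCalls += 1;
      if (hasLoginCookie && nonce === 'valid-nonce') return { status: 200 };
      return { status: 403, code: 'rest_cookie_invalid_nonce' };
    },
  };
}

// Unguarded client: refresh the nonce and retry every time it is rejected.
// hardStop exists only so that this demonstration terminates.
function saveUnguarded(server, nonce, hardStop = 1000) {
  let res = server.request(nonce);
  while (res.code === 'rest_cookie_invalid_nonce' && server.apiCalls < hardStop) {
    res = server.request(server.fetchNonce());
  }
  return res;
}

// Guarded client: one refresh, one retry, then hand the 403 back to the caller
// so the UI can ask the user to log in again instead of retrying.
function saveGuarded(server, nonce) {
  const first = server.request(nonce);
  if (first.code !== 'rest_cookie_invalid_nonce') return first;
  const fresh = server.fetchNonce();
  if (fresh === nonce) return first; // refresh changed nothing, retrying is pointless
  return server.request(fresh);
}

function compare() {
  const stale = makeServer(true);  // cookie present, nonce merely expired
  const gone = makeServer(false);  // cookie removed, as in the ticket
  const loop = makeServer(false);  // cookie removed, unguarded client
  saveUnguarded(loop, 'expired-nonce');
  return {
    staleStatus: saveGuarded(stale, 'expired-nonce').status,
    staleCalls: stale.apiCalls,
    goneStatus: saveGuarded(gone, 'expired-nonce').status,
    goneCalls: gone.apiCalls,
    loopCalls: loop.apiCalls,
  };
}
```

With the cookie present the guarded client recovers from an expired nonce in two requests; with the cookie removed it stops after two requests, while the unguarded client runs until the demonstration's hard stop.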

#3 follow-up: @mustra
8 months ago

Turns out this is a duplicate ticket and this is an issue all the way back from 2019
https://github.com/WordPress/gutenberg/issues/13509

#4 in reply to: ↑ 3 @abcd95
8 months ago

  • Keywords needs-patch removed

Replying to mustra:

Turns out this is a duplicate ticket and this is an issue all the way back from 2019
https://github.com/WordPress/gutenberg/issues/13509

Yes @mustra, I recently discovered this duplicity and was testing the patch provided there to see if the issue here is being solved. Will contribute to the discussion there for any possible fixes needed.

#5 @Mamaduka
7 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to reported-upstream
  • Status changed from new to closed

I created a PR to resolve the bug upstream - https://github.com/WordPress/gutenberg/pull/67812.

I'll close the ticket here.

#6 @wordpressdotorg
2 months ago

  • Keywords has-test-info added; has-testing-info removed