<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[50471] trunk: Security, Site Health: Do not store HTTPS request error messages in an option.</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/50471">50471</a></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>SergeyBiryukov</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2021-03-02 15:06:34 +0000 (Tue, 02 Mar 2021)</dd>
</dl>

<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Security, Site Health: Do not store HTTPS request error messages in an option.

This changes the logic in `update_https_detection_errors()` to never store error messages from the actual request since they could use a different encoding, which would make storing them in an option potentially fail, leading WordPress to then falsely assume that HTTPS is supported.

While this doesn't actually fix the encoding issue, it is not crucial to do so anyway, since these messages are not used anywhere. A simple differentiation between whether the overall HTTPS request or only the SSL verification failed should be sufficient for the purpose of this function.

Props flixos90, tmatsuur, lukecarbis.
Fixes <a href="https://core.trac.wordpress.org/ticket/52484">#52484</a>.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludeshttpsdetectionphp">trunk/src/wp-includes/https-detection.php</a></li>
<li><a href="#trunktestsphpunittestshttpsdetectionphp">trunk/tests/phpunit/tests/https-detection.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludeshttpsdetectionphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/https-detection.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/https-detection.php 2021-03-02 12:53:12 UTC (rev 50470)
+++ trunk/src/wp-includes/https-detection.php   2021-03-02 15:06:34 UTC (rev 50471)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -130,13 +130,13 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                if ( is_wp_error( $unverified_response ) ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $support_errors->add(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                $unverified_response->get_error_code(),
-                               $unverified_response->get_error_message()
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                         'https_request_failed',
+                               __( 'HTTPS request failed.' )
</ins><span class="cx" style="display: block; padding: 0 10px">                         );
</span><span class="cx" style="display: block; padding: 0 10px">                } else {
</span><span class="cx" style="display: block; padding: 0 10px">                        $support_errors->add(
</span><span class="cx" style="display: block; padding: 0 10px">                                'ssl_verification_failed',
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                $response->get_error_message()
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                         __( 'SSL verification failed.' )
</ins><span class="cx" style="display: block; padding: 0 10px">                         );
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px"> 
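Review bot: the replacement message `__( 'HTTPS request failed.' )` (and `__( 'SSL verification failed.' )` in the else branch) is translated at the moment the option is written, so the stored value depends on whichever locale is active during the detection run (WP-Cron or an admin request) rather than on the locale at display time. Since the commit message states these messages are not used anywhere, storing only the stable codes `https_request_failed` / `ssl_verification_failed` with an empty message, and translating at display time if that is ever needed, would remove the locale coupling together with the encoding concern. Worth noting for operators: `$unverified_response->get_error_code()` and `$response->get_error_message()` are now discarded entirely, so the underlying transport error is no longer recorded anywhere; if that detail is wanted for troubleshooting, emitting it to the debug log rather than the option keeps the diagnostic without reintroducing the storage failure this change prevents.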
</span></span></pre></div>
<a id="trunktestsphpunittestshttpsdetectionphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/https-detection.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/https-detection.php     2021-03-02 12:53:12 UTC (rev 50470)
+++ trunk/tests/phpunit/tests/https-detection.php       2021-03-02 15:06:34 UTC (rev 50471)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -56,6 +56,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><span class="cx" style="display: block; padding: 0 10px">         * @ticket 47577
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         * @ticket 52484
</ins><span class="cx" style="display: block; padding: 0 10px">          */
</span><span class="cx" style="display: block; padding: 0 10px">        public function test_wp_update_https_detection_errors() {
</span><span class="cx" style="display: block; padding: 0 10px">                // Set HTTP URL, the request below should use its HTTPS version.
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -68,22 +69,22 @@
</span><span class="cx" style="display: block; padding: 0 10px">                $this->assertSame( array(), get_option( 'https_detection_errors' ) );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                // If initial request fails and request without SSL verification succeeds,
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                // return error with 'ssl_verification_failed' error code.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         // return 'ssl_verification_failed' error.
</ins><span class="cx" style="display: block; padding: 0 10px">                 add_filter( 'pre_http_request', array( $this, 'mock_error_with_sslverify' ), 10, 2 );
</span><span class="cx" style="display: block; padding: 0 10px">                add_filter( 'pre_http_request', array( $this, 'mock_success_without_sslverify' ), 10, 2 );
</span><span class="cx" style="display: block; padding: 0 10px">                wp_update_https_detection_errors();
</span><span class="cx" style="display: block; padding: 0 10px">                $this->assertSame(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        array( 'ssl_verification_failed' => array( 'Bad SSL certificate.' ) ),
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                 array( 'ssl_verification_failed' => array( __( 'SSL verification failed.' ) ) ),
</ins><span class="cx" style="display: block; padding: 0 10px">                         get_option( 'https_detection_errors' )
</span><span class="cx" style="display: block; padding: 0 10px">                );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                // If both initial request and request without SSL verification fail,
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                // return actual error from request.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         // return 'https_request_failed' error.
</ins><span class="cx" style="display: block; padding: 0 10px">                 add_filter( 'pre_http_request', array( $this, 'mock_error_with_sslverify' ), 10, 2 );
</span><span class="cx" style="display: block; padding: 0 10px">                add_filter( 'pre_http_request', array( $this, 'mock_error_without_sslverify' ), 10, 2 );
</span><span class="cx" style="display: block; padding: 0 10px">                wp_update_https_detection_errors();
</span><span class="cx" style="display: block; padding: 0 10px">                $this->assertSame(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        array( 'bad_ssl_certificate' => array( 'Bad SSL certificate.' ) ),
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                 array( 'https_request_failed' => array( __( 'HTTPS request failed.' ) ) ),
</ins><span class="cx" style="display: block; padding: 0 10px">                         get_option( 'https_detection_errors' )
</span><span class="cx" style="display: block; padding: 0 10px">                );
</span><span class="cx" style="display: block; padding: 0 10px"> 
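Review bot: the updated assertions only swap the expected strings; there is still no test for the failure this ticket fixes, namely a request error message in a different encoding making the option write fail so that `https_detection_errors` ends up empty and HTTPS is wrongly reported as supported. A mock in the style of `mock_error_without_sslverify` whose WP_Error message contains non-UTF-8 bytes, followed by an assertion that `get_option( 'https_detection_errors' )` holds the fixed `https_request_failed` entry rather than `array()`, would guard against a regression of exactly that path. Separately, using `__( 'SSL verification failed.' )` on both sides of `assertSame` is tautological in the default test locale; asserting on the error codes alone, e.g. `array_keys( get_option( 'https_detection_errors' ) )` against `array( 'ssl_verification_failed' )`, would state the intent (the code, not the wording, is what matters) more directly.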
</span></span></pre>
</div>
</div>

</body>
</html>