[wp-trac] [WordPress Trac] #44815: Remove deflate/gzip compression from load-scripts.php / load-styles.php
WordPress Trac
noreply at wordpress.org
Wed Aug 22 20:09:57 UTC 2018
#44815: Remove deflate/gzip compression from load-scripts.php / load-styles.php
--------------------------------+---------------------------------
Reporter: LucasRolff | Owner: azaozz
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 4.9.9
Component: Administration | Version: trunk
Severity: normal | Resolution:
Keywords: fixed-major commit | Focuses: ui, administration
--------------------------------+---------------------------------
Description changed by SergeyBiryukov:
Old description:
> In WordPress trunk (and other WP versions after 2.8) the load-styles.php
> and load-scripts.php do deflate or gzip compression based on the
> Accept-Encoding header.
>
> In recent times, where Brotli compression got introduced in various
> web servers, it can often result in double compression, leading to bugs in
> browsers such as Safari, which doesn't handle double compression at all.
>
> Chrome, Firefox and Opera seem to decompress double-compressed content
> in two steps and cause no issues (other than making the browser
> decompress twice).
>
> However, Safari will end up with the error "cannot decode raw data".
>
> My suggestion would be to remove the whole compression part from
> wp-admin/load-styles.php and wp-admin/load-scripts.php.
>
> There's no reason to keep this around anymore; the majority of web
> servers these days already do the needed compression (deflate, gzip, br),
> and it's a lot better to handle this at the web server level instead of
> within the application.
>
> I can see that @azaozz submitted a patch in ticket
> [https://core.trac.wordpress.org/ticket/43308 #43308] in regards to
> CVE-2018-6389 - however, that patch never made it into a release.
New description:
In WordPress trunk (and other WP versions after 2.8) the load-styles.php
and load-scripts.php do deflate or gzip compression based on the
Accept-Encoding header.
In recent times, where Brotli compression got introduced in various web
servers, it can often result in double compression, leading to bugs in
browsers such as Safari, which doesn't handle double compression at all.
Chrome, Firefox and Opera seem to decompress double-compressed content
in two steps and cause no issues (other than making the browser
decompress twice).
However, Safari will end up with the error "cannot decode raw data".
My suggestion would be to remove the whole compression part from
wp-admin/load-styles.php and wp-admin/load-scripts.php.
There's no reason to keep this around anymore; the majority of web servers
these days already do the needed compression (deflate, gzip, br), and it's a
lot better to handle this at the web server level instead of within the
application.
I can see that @azaozz submitted a patch in ticket #43308 in regards to
CVE-2018-6389 - however, that patch never made it into a release.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44815#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
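The report above describes a body that is compressed twice: once by load-scripts.php / load-styles.php based on Accept-Encoding, and again by the web server's compression module, so that a browser removing the one declared coding is left holding raw compressed bytes. The following Python check is an added example, not code from the ticket or from WordPress. It decodes whatever Content-Encoding declares and then looks for a leftover gzip or zlib header, which is exactly the condition Safari chokes on. Brotli is not in the Python standard library, so the server layer is simulated with gzip; the scenario functions, the sample script body and the app_layer/server_layer helpers are constructed for the illustration.

```python
"""Added example: detect double-compressed HTTP bodies, i.e. a body that is
still a gzip/deflate stream after every coding named in Content-Encoding has
been removed. Brotli is not in the standard library, so the web-server layer
is simulated with gzip; the sample script body below is constructed."""
import gzip
import zlib
from typing import Optional

GZIP_MAGIC = b"\x1f\x8b"

# Constructed stand-in for a concatenated admin script body.
SAMPLE_JS = (
    b"/* constructed sample, not a real WordPress script */\n"
    b"window.wp = window.wp || {};\n"
    b"wp.example = function () { return 'load-scripts.php'; };\n"
)


def leftover_coding(data: bytes) -> Optional[str]:
    """Return 'gzip' or 'deflate' if data still looks like a compressed stream."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if len(data) >= 2:
        cmf, flg = data[0], data[1]
        # zlib header: compression method 8 (deflate), window size <= 32K,
        # and the 16-bit CMF|FLG value is a multiple of 31.
        if (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0:
            return "deflate"
    return None


def decode_content_encoding(body: bytes, content_encoding: str) -> bytes:
    """Undo the codings listed in Content-Encoding, last-applied first."""
    codings = [c.strip().lower() for c in content_encoding.split(",") if c.strip()]
    for coding in reversed(codings):
        if coding in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif coding == "deflate":
            try:
                body = zlib.decompress(body)                   # zlib-wrapped (RFC 7230)
            except zlib.error:
                body = zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate, seen in the wild
        elif coding != "identity":
            raise ValueError(f"unsupported content coding: {coding}")
    return body


def check_response(body: bytes, content_encoding: str) -> dict:
    """Decode the declared codings and report whether a compressed layer remains."""
    decoded = decode_content_encoding(body, content_encoding)
    inner = leftover_coding(decoded)
    return {
        "declared": content_encoding,
        "double_compressed": inner is not None,
        "undeclared_inner_coding": inner,
        "decoded": decoded,
    }


def app_layer(body: bytes) -> bytes:
    """Stand-in for load-scripts.php compressing on its own (gzip)."""
    return gzip.compress(body)


def server_layer(body: bytes) -> bytes:
    """Stand-in for the web server's compression module (br in the report;
    gzip here because brotli is not in the standard library)."""
    return gzip.compress(body)


def scenario_server_only() -> dict:
    """The proposed fix: only the web server compresses."""
    return check_response(server_layer(SAMPLE_JS), "gzip")


def scenario_double_header_overwritten() -> dict:
    """The bug: both layers compress but only the server's coding is declared,
    so a browser that removes one layer is left with raw gzip bytes."""
    return check_response(server_layer(app_layer(SAMPLE_JS)), "gzip")


def scenario_double_both_declared() -> dict:
    """Both layers compress and both codings are declared; decodable per spec."""
    return check_response(server_layer(app_layer(SAMPLE_JS)), "gzip, gzip")


def scenario_deflate_server_only() -> dict:
    """Server-only zlib-wrapped deflate, no leftover layer."""
    return check_response(zlib.compress(SAMPLE_JS), "deflate")


if __name__ == "__main__":
    for name in ("scenario_server_only", "scenario_double_header_overwritten",
                 "scenario_double_both_declared", "scenario_deflate_server_only"):
        r = globals()[name]()
        print(f"{name}: declared={r['declared']!r} "
              f"double_compressed={r['double_compressed']} "
              f"inner={r['undeclared_inner_coding']}")
```

Against a live server the same check is a one-liner in spirit: fetch the resource with the Accept-Encoding your browser sends, decode only what the Content-Encoding header declares, and inspect the first two bytes of the result. A leading 1f 8b (or a valid zlib header) after decoding means an undeclared inner layer, which is the symptom the ticket asks to eliminate by leaving compression to the web server alone.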