[wp-trac] [WordPress Trac] #44965: WordPress Core strips $_GET['error'] occasionally

WordPress Trac noreply at wordpress.org
Wed Sep 19 13:30:20 UTC 2018


#44965: WordPress Core strips $_GET['error'] occasionally
--------------------------+-----------------------------
 Reporter:  javorszky     |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 I have a plugin that is an OAuth2 consumer for integrating with Stripe
 Connect.

 I created a new custom endpoint by adding a query var, and a rewrite rule,
 so everything that lands on `/stripe_connect` will get dealt with by my
 plugin's code.

 If the user denies the connection request at Stripe, they are redirected back
 to my site with roughly the following URL params in tow:

 `/stripe_connect?state=3__5e4e4d4c9df8e6948a33fdfb44f75c0f&error=access_denied&error_description=The+user+denied+your+request`

 * `state` is a custom param I set that gets replayed to me
 * `error` is `access_denied`, which is the standard that Stripe will do in
 this case, see
 https://stripe.com/docs/connect/oauth-reference#get-authorize-errors
 * `error_description` is a human readable problem

 However in `parse_request`, a variable by the name of `$error` gets set to
 `404` at the beginning, and as it matches the rules, if it's still 404 (i.e.
 no other error popped up), it will then unset `$_GET['error']`.

 Link to code:
 https://core.trac.wordpress.org/browser/trunk/src/wp-includes/class-wp.php#L260

 Which is something I'd actually need to deal with.

 Currently the way to get around it is to use `$_REQUEST` instead of
 `$_GET`, however `$_REQUEST` also has POST variables in it, so I can't
 make sure that the `error` I'm getting is actually due to a query param.

 I also haven't found a ticket that had this listed as a problem.

 What was the reasoning for unsetting that $_GET var?

 I see that they were added originally in
 https://core.trac.wordpress.org/changeset/1570 (14 years ago), however is
 that still a valid reason?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44965>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
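
Added example (not part of the ticket, and not WordPress core or plugin code): one way to read the OAuth callback's `error` from the query string alone, so that it does not depend on `$_GET['error']` and cannot be supplied through POST as it could with `$_REQUEST`. The function name, the expected-state argument and the error-code format check are assumptions; it also assumes the raw query string is left untouched by the core code described above.

```php
<?php
// Added example; function name and sample values are hypothetical.

/**
 * Parse OAuth callback parameters from the raw query string only, so a POST
 * field named "error" can never be mistaken for the provider's response.
 */
function example_oauth_callback_params(string $raw_query, string $expected_state): array
{
    parse_str($raw_query, $params); // decodes "+" and %XX the same way $_GET does

    $out = ['state_ok' => false, 'error' => null, 'error_description' => null];

    // Accept scalar strings only; "state[]=x" would arrive as an array.
    $state = isset($params['state']) && is_string($params['state']) ? $params['state'] : '';
    // Constant-time comparison against the value the plugin issued (assumed to be stored server-side).
    $out['state_ok'] = $expected_state !== '' && hash_equals($expected_state, $state);

    foreach (['error', 'error_description'] as $key) {
        if (isset($params[$key]) && is_string($params[$key])) {
            $out[$key] = $params[$key];
        }
    }

    // Assumed format: a short lowercase code such as "access_denied".
    if ($out['error'] !== null && !preg_match('/^[a-z_]{1,64}$/', $out['error'])) {
        $out['error'] = 'invalid_error_code';
    }
    return $out;
}

// Constructed sample: the query string of the callback URL quoted in the ticket.
$sample = 'state=3__5e4e4d4c9df8e6948a33fdfb44f75c0f&error=access_denied'
        . '&error_description=The+user+denied+your+request';
$result = example_oauth_callback_params($sample, '3__5e4e4d4c9df8e6948a33fdfb44f75c0f');
var_dump($result);
```

In a plugin this would be called with `$_SERVER['QUERY_STRING']`. `error_description` comes straight from the URL, so escape it (for example with `esc_html()`) before displaying it.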

