[wp-trac] [WordPress Trac] #47479: Do not return 5xx for invalid/expired recovery mode cookies
WordPress Trac
noreply at wordpress.org
Tue Jun 4 14:49:26 UTC 2019
#47479: Do not return 5xx for invalid/expired recovery mode cookies
-------------------------+-----------------------------
Reporter: david.binda | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 5.2
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
The `WP_Recovery_Mode` class dies in certain situations where returning a
5xx status code does not feel appropriate, as the request did not produce
a server error, but rather the authentication failed. In such situations,
it might be more appropriate to return a 4xx error (presumably 403). The
situations in mind here are the following:
1. when the recovery mode cookie is expired
2. when the recovery mode cookie is invalid
3. when the exit recovery mode nonce check failed
As those failures also unset related cookies, the 5xx status may result in
improper handling on certain server configurations (e.g. overriding 5xx
responses with a custom response which is not properly passing the cookie
headers).
I'm attaching a patch which changes the response codes from default 500 to
403 in the cases mentioned above.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47479>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
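As an added illustration of the change the ticket proposes (this is not the attached patch and not WordPress core code), the snippet below shows the same failure path handled with the default `wp_die()` status and with an explicit 403. The cookie format, the `example_*` function names and the validity check are constructed stand-ins for the real `WP_Recovery_Mode` logic; the snippet assumes it runs inside WordPress so that `wp_die()`, `is_ssl()`, `YEAR_IN_SECONDS`, `COOKIEPATH` and `COOKIE_DOMAIN` are defined.

```php
<?php
// Constructed stand-in for the recovery-mode cookie check.
// Cookie format assumed here: "<expiry-unix-timestamp>|<token>".
function example_recovery_cookie_is_valid( $cookie, $now ) {
    $parts = explode( '|', (string) $cookie, 2 );
    if ( 2 !== count( $parts ) ) {
        return false; // malformed: treated as invalid
    }
    list( $expires, $token ) = $parts;
    if ( ! ctype_digit( $expires ) || (int) $expires < $now ) {
        return false; // expired
    }
    return '' !== $token;
}

// Expire the cookie on the client. The Set-Cookie header emitted here is the
// part that a proxy replacing 5xx responses with a static page may drop.
function example_clear_recovery_cookie( $name ) {
    setcookie( $name, '', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
}

// Before: wp_die() with no 'response' argument answers with HTTP 500,
// although nothing failed on the server; the client simply did not authenticate.
function example_handle_before( $name, $cookie ) {
    if ( ! example_recovery_cookie_is_valid( $cookie, time() ) ) {
        example_clear_recovery_cookie( $name );
        wp_die( 'Invalid or expired recovery mode cookie.' );
    }
}

// After: report the authentication failure as a client error (403), so the
// response is not rewritten by 5xx error handling and the cookie reset reaches
// the browser. The same pattern applies to the failed exit-nonce check.
function example_handle_after( $name, $cookie ) {
    if ( ! example_recovery_cookie_is_valid( $cookie, time() ) ) {
        example_clear_recovery_cookie( $name );
        wp_die(
            'Invalid or expired recovery mode cookie.',
            'Recovery Mode',
            array( 'response' => 403 )
        );
    }
}
```

The only behavioural difference between the two handlers is the third argument to `wp_die()`; the cookie is cleared in both cases, which is exactly why the status code matters for the server configurations the ticket describes.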