[wp-trac] [WordPress Trac] #45888: Provide Opt-Out for WSOD Protection

WordPress Trac noreply at wordpress.org
Wed Jan 9 20:28:58 UTC 2019


#45888: Provide Opt-Out for WSOD Protection
-------------------------------+-----------------------------
 Reporter:  TimothyBlynJacobs  |      Owner:  (none)
     Type:  enhancement        |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Bootstrap/Load     |    Version:  trunk
 Severity:  major              |   Keywords:  has-patch
  Focuses:                     |
-------------------------------+-----------------------------
 [44524] introduced WSOD protection. Security related plugins need a way to
 opt out of this behavior.

 Without an opt-out mechanism, a fatal error caused by an edge case can be
 used to completely disable security protections provided by a plugin, even
 if that fatal error is not preventing the user from logging into or
 accessing their site. This opens up a wide surface for attackers to bypass
 security protections provided by plugins.

 A drop-in was added in the WSOD protection, but another plugin shouldn't
 be adding or modifying a drop-in unless that is its main purpose.

 Instead, plugins should be able to opt out by specifying a plugin header.
 For instance `Allow Pausing: false`.

 There were concerns about providing a way for plugins to opt out. But if
 the original intention of WSOD protection is to allow people to safely
 upgrade PHP versions without worrying about crashing their site, then it
 stands to reason that the majority of the offending plugins won't have
 specified this header since they haven't updated their codebases in quite
 some time.

 Another concern was that "proper" plugins shouldn't be causing fatal
 errors. This is untenable. Any plugin of substantial size can have fatal
 errors, particularly when there are millions of different ways WordPress
 sites can be configured.

 I was requested to upload a PR to GitHub:
 https://github.com/wp-core-php/wordpress-develop/pull/4

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45888>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform