[wp-trac] [WordPress Trac] #51816: Implement auto recovery mode during auto update cron

WordPress Trac noreply at wordpress.org
Wed Nov 18 15:01:33 UTC 2020


#51816: Implement auto recovery mode during auto update cron
-------------------------------+-----------------------------
 Reporter:  TimothyBlynJacobs  |       Owner:  (none)
     Type:  enhancement        |      Status:  new
 Priority:  normal             |   Milestone:  Future Release
Component:  Site Health        |     Version:
 Severity:  normal             |  Resolution:
 Keywords:                     |     Focuses:
-------------------------------+-----------------------------
Description changed by TimothyBlynJacobs:

Old description:

> We introduced Recovery Mode to allow for a site administrator to access
> their site backend when a plugin is causing fatal errors. This makes it
> possible for the user to deactivate the plugin or update the plugin to a
> fixed version.
>
> With the introduction of opt-in plugin auto updates in 5.5, it would be
> nice if we could ensure that a site could still autoupdate, even if one
> of its plugin was causing fatal errors.
>
> This would need to happen without user interaction, otherwise the user
> could just use Recovery Mode themselves manually.
>
> One of the reasons Recovery Mode is a manual process is to make sure we
> don't fail open and disable a plugin that was providing protections of
> some kind to their site. As such, we'd need to make sure that this auto
> recovery mode would only allow a very limited amount of code to run.
>
> This could probably be all of cron, but I think it'd be good to try to
> further lock it down to when the automatic updater cron action is
> running.
>
> One way to do this would be in `WP_Recovery_Mode::handle_error` to check
> `wp_doing_cron()` and if so to trigger another `spawn_cron` but with a
> recovery mode token appended that could only be utilized when
> `wp_doing_cron()`. That way it wouldn't be exposed if a site was using
> the alternate cron setup.
>
> This wouldn't work for setups that are using an alternate cron runner, or
> using WP CLI to trigger cron jobs. But I think it would be possible to
> make work for users who are pinging `wp-cron.php` manually.

New description:

 We introduced Recovery Mode to allow for a site administrator to access
 their site backend when a plugin is causing fatal errors. This makes it
 possible for the user to deactivate the plugin or update the plugin to a
 fixed version.

 With the introduction of opt-in plugin auto updates in 5.5, it would be
 nice if we could ensure that a site could still autoupdate, even if one of
 its plugin was causing fatal errors.

 This would need to happen without user interaction, otherwise the user
 could just use Recovery Mode themselves manually.

 One of the reasons Recovery Mode is a manual process is to make sure we
 don't fail open and disable a plugin that was providing protections of
 some kind to their site. As such, we'd need to make sure that this auto
 recovery mode would only allow a very limited amount of code to run.

 This could probably be all of cron, but I think it'd be good to try to
 further lock it down to when the automatic updater cron action is running.

 One way to do this would be in `WP_Recovery_Mode::handle_error` to check
 `wp_doing_cron()` and if so to trigger another `spawn_cron` but with a
 recovery mode token appended that could only be utilized when
 `wp_doing_cron()`. That way it wouldn't be exposed if a site was using the
 alternate cron setup.

 This wouldn't work for setups that are using a custom cron runner, or
 using WP CLI to trigger cron jobs. But I think it would be possible to
 make work for users who are pinging `wp-cron.php` manually.

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/51816#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list