Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mixed http/https access to admin can cause infinite loop of nonce checks #36118

Open
mboynes opened this issue Nov 1, 2021 · 5 comments · May be fixed by #32475 or #67812
Open

Mixed http/https access to admin can cause infinite loop of nonce checks #36118

mboynes opened this issue Nov 1, 2021 · 5 comments · May be fixed by #32475 or #67812
Assignees
Labels
REST API Interaction Related to REST API [Status] In Progress Tracking issues with work in progress [Type] Bug An existing feature does not function as intended

Comments

@mboynes
Copy link
Contributor

mboynes commented Nov 1, 2021

Description

Gutenberg can find itself in an infinite loop of REST requests due to an invalid nonce if a user uses their site over https but at some point happens to load up the login screen over http. This happened to me in a local environment where I don't force https traffic but have a cert available. I inadvertently navigated to the http address, realized my mistake and re-navigated to the https address, and when I created a post in Gutenberg it was unusable.

Step-by-step reproduction instructions

  1. Sign into wp-admin successfully at https address, e.g. https://wp.test/wp-admin/.
  2. Load up the http:// variant of wp-admin, e.g. http://wp.test/wp-admin/. You will get the login screen but don't sign in.
  3. Load up wp-admin again at the https address, e.g. https://wp.test/wp-admin/
  4. Open browser console and go to network tab
  5. Navigate to create a new post in GB, e.g. https://wp.test/wp-admin/post-new.php
  6. Observe an infinite loop of 403 requests in the network tab of the browser console due to invalid nonces.

Screenshots, screen recording, code snippet

to-infinity-and-beyond.mp4

Environment info

  • WordPress 5.8.1 using Twenty Twenty-One theme, no plugins active
  • Chrome 95.0.4638.54
  • MacOS 11.6

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes

@stevenlinx stevenlinx added [Type] Bug An existing feature does not function as intended Needs Testing Needs further testing to be confirmed. labels Nov 2, 2021
@skorasaurus
Copy link
Member

Thanks for reporting;

I'm not able to reproduce this; when I hit step 2 of http://testsite.test ; I am automatically redirected to https://wp.test/wp-admin/ and am already logged in. (In chrome, I use vvv which has self-signed SSL certs)

This may depend on your local environment; what are you using?

@mboynes
Copy link
Contributor Author

mboynes commented Mar 10, 2022

Yes, this would be environment-dependent. The server would have to be configured to not automatically redirect http requests to https. Mine does not redirect http → https.

I just tested again in a new environment with a fresh installation of WordPress (5.9.1) and am still able to replicate using the instructions I wrote above.

@ryanboswell
Copy link

I think this problem is slightly broader than just http/https redirect issues, but anytime that a JSON API endpoint returns a 403 error, the request is retried until it gets a successful response. In most cases, that's probably unlikely and so it get stuck in an infinite loop.

I just encountered this because our instance forces WordPress into a read-only mode (we force read-only database credentials) for certain JSON API request paths that are publicly accessible as a precaution. In that mode, WordPress cannot perform cookie or nonce auth and returns a 403 when auth is even attempted (which the editor does automatically for JSON API requests). Specifically, after the WordPress 5.9 update the editor makes a call to the base JSON API route which in our case we force to be read-only and it triggers the endless issue.

It seems that the API fetch utils aren't fully aware of error states and in at least some cases end up in an infinite hole of retries if an error is returned (at least in the case of 403 errors, I haven't worked to prove other cases). In most cases that error is probably final and the result won't change from one second to the next and the API code should handle that accordingly.

@skorasaurus skorasaurus added the REST API Interaction Related to REST API label Mar 30, 2022
@Mamaduka
Copy link
Member

Mamaduka commented Aug 9, 2022

Related to #13509, #42400.

@Mamaduka Mamaduka removed the Needs Testing Needs further testing to be confirmed. label Aug 9, 2022
@desaiuditd desaiuditd linked a pull request Feb 9, 2024 that will close this issue
7 tasks
@desaiuditd desaiuditd linked a pull request Feb 9, 2024 that will close this issue
7 tasks
@github-actions github-actions bot added the [Status] In Progress Tracking issues with work in progress label Dec 11, 2024
@Mamaduka
Copy link
Member

Created a PR with possible fix #67812.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
REST API Interaction Related to REST API [Status] In Progress Tracking issues with work in progress [Type] Bug An existing feature does not function as intended
Projects
None yet
5 participants