From da266e6ca54d99088ed7b7cfe2ffecd49e5d37e0 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date: Tue, 2 Mar 2021 15:14:09 +0000
Subject: [PATCH] Security, Site Health: Do not store HTTPS request error messages in an option. This changes the logic in `update_https_detection_errors()` to never store error messages from the actual request since they could use a different encoding, which would make storing them in an option potentially fail, leading WordPress to then falsely assume that HTTPS is supported. While this doesn't actually fix the encoding issue, it is not crucial to do so anyway, since these messages are not used anywhere. A simple differentiation between whether the overall HTTPS request or only the SSL verification failed should be sufficient for the purpose of this function. Props flixos90, tmatsuur, lukecarbis. Reviewed by flixos90, SergeyBiryukov. Merges [50471] to the 5.7 branch. Fixes #52484. git-svn-id: https://develop.svn.wordpress.org/branches/5.7@50472 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/https-detection.php | 6 +++---
 tests/phpunit/tests/https-detection.php | 9 +++++----
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/wp-includes/https-detection.php b/src/wp-includes/https-detection.php
index 7642fda3da..f834549f95 100644
--- a/src/wp-includes/https-detection.php
+++ b/src/wp-includes/https-detection.php
@@ -130,13 +130,13 @@ function wp_update_https_detection_errors() {
 if ( is_wp_error( $unverified_response ) ) {
 $support_errors->add(
- $unverified_response->get_error_code(),
- $unverified_response->get_error_message()
+ 'https_request_failed',
+ __( 'HTTPS request failed.' )
 );
 } else {
 $support_errors->add(
 'ssl_verification_failed',
- $response->get_error_message()
+ __( 'SSL verification failed.' )
 );
 }
diff --git a/tests/phpunit/tests/https-detection.php b/tests/phpunit/tests/https-detection.php
index e8c9d9057f..acc123ee6d 100644
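Review bot: The two replacement messages in `wp_update_https_detection_errors()` are still passed through `__()`, so the text written to the option depends on the locale active when the check runs and can contain non-ASCII characters from a translation. The description says the stored messages are not read anywhere and that only the distinction between the two codes matters, so storing plain literals, e.g. `'https_request_failed', 'HTTPS request failed.'` and `'ssl_verification_failed', 'SSL verification failed.'`, would keep the stored value fixed and leave translation to whatever displays it. The description also states that a failed option write leads WordPress to assume HTTPS is supported; the write and the read are outside this hunk, but if that still holds, a write that fails for any other reason still fails open, and treating a missing or unwritable result as "not supported" would be worth a follow-up. The function body starts and ends outside the hunk.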
--- a/tests/phpunit/tests/https-detection.php
+++ b/tests/phpunit/tests/https-detection.php
@@ -56,6 +56,7 @@ class Tests_HTTPS_Detection extends WP_UnitTestCase {
 /**
 * @ticket 47577
+ * @ticket 52484
 */
 public function test_wp_update_https_detection_errors() {
 // Set HTTP URL, the request below should use its HTTPS version.
@@ -68,22 +69,22 @@ class Tests_HTTPS_Detection extends WP_UnitTestCase {
 $this->assertSame( array(), get_option( 'https_detection_errors' ) );
 // If initial request fails and request without SSL verification succeeds,
- // return error with 'ssl_verification_failed' error code.
+ // return 'ssl_verification_failed' error.
 add_filter( 'pre_http_request', array( $this, 'mock_error_with_sslverify' ), 10, 2 );
 add_filter( 'pre_http_request', array( $this, 'mock_success_without_sslverify' ), 10, 2 );
 wp_update_https_detection_errors();
 $this->assertSame(
- array( 'ssl_verification_failed' => array( 'Bad SSL certificate.' ) ),
+ array( 'ssl_verification_failed' => array( __( 'SSL verification failed.' ) ) ),
 get_option( 'https_detection_errors' )
 );
 // If both initial request and request without SSL verification fail,
- // return actual error from request.
+ // return 'https_request_failed' error.
 add_filter( 'pre_http_request', array( $this, 'mock_error_with_sslverify' ), 10, 2 );
 add_filter( 'pre_http_request', array( $this, 'mock_error_without_sslverify' ), 10, 2 );
 wp_update_https_detection_errors();
 $this->assertSame(
- array( 'bad_ssl_certificate' => array( 'Bad SSL certificate.' ) ),
+ array( 'https_request_failed' => array( __( 'HTTPS request failed.' ) ) ),
 get_option( 'https_detection_errors' )
 );
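Review bot: The updated assertions in `test_wp_update_https_detection_errors()` do not cover the failure this commit is about: judging by the removed expectation `'Bad SSL certificate.'`, the mocked errors carry a plain ASCII message, which would have been stored without trouble before the change too. A case whose mocked `WP_Error` message contains bytes that are not valid UTF-8, followed by the same `assertSame()` on `get_option( 'https_detection_errors' )`, would pin the regression from #52484. The mock callbacks are defined outside this hunk, so their exact messages are inferred, and the test method itself continues past the hunk.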