Opened 3 years ago

Closed 3 years ago

#1860 closed defect (fixed)

Broken paging for a certain plugin search query

Reported by: SergeyBiryukov
Owned by:
Milestone:
Priority: normal
Component: Plugin Directory
Keywords:
Cc:

Description (last modified by SergeyBiryukov)

  1. Go to https://wordpress.org/plugins/.
  2. Search for "plugin version" (without the quotes). The URL is https://wordpress.org/plugins/search.php?q=plugin+version.
  3. Click the "Page 2" link in the navigation menu.
  4. The connection is aborted, and you get a "This site can’t be reached" (ERR_SPDY_PROTOCOL_ERROR) message in Chrome or "Secure Connection Failed" in Firefox.
  5. Go back to step 2 and search for "plugin version" again. There's a Keyword/Author/Tag dropdown, so the resulting URL is https://wordpress.org/plugins/search.php?type=term&q=plugin+version (note the added type=term that was not there in the first query).
  6. The paging works as expected now.

Seems like some security rule is erroneously triggered on step 4.

Change History (4)

#1 @SergeyBiryukov
3 years ago

  • Description modified (diff)

#2 @SergeyBiryukov
3 years ago

  • Description modified (diff)

#3 @dd32
3 years ago

Just noting this can be reproduced from the command line:

$ curl -v 'https://wordpress.org/plugins/search.php?page=2&q=plugin'
*   Trying 66.155.40.250...
* Connected to wordpress.org (127.0.0.1) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.wordpress.org
* Server certificate: Go Daddy Secure Certificate Authority - G2
* Server certificate: Go Daddy Root Certificate Authority - G2
> GET /plugins/search.php?page=2&q=plugin HTTP/1.1
> Host: wordpress.org
> User-Agent: curl/7.43.0
> Accept: */*
>
* Empty reply from server
* Connection #0 to host wordpress.org left intact
curl: (52) Empty reply from server

#4 @dd32
3 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Searches starting with "plugin" had been explicitly blocked, although it was supposed to have been returning a proper error.
The block has now been lifted.
