Unable to download backups from admin or using download link generated in admin #1161

Open
katmoody opened this issue Jan 12, 2017 · 14 comments

@katmoody
Contributor

Description of issue

I've had a few users report this and thought it was some kind of weird glitch. I had a new report this morning from a user who tried using different browsers and who was still unable to download her backups.

She tried copying and pasting the download link in a new tab as well, and that didn't work either.

So I tried this on my own test site - the download worked just fine for me on the newest version of Chrome on Mac … so I used the developer tools to see if I noticed anything I could point to as a potential 'thing'.

I saw this come up, not as an error, but it was in the console: "Resource interpreted as Document but transferred with MIME type application/zip"

I did some searching and found a potentially applicable Stack Overflow post talking about the same issue:
http://stackoverflow.com/questions/6587393/resource-interpreted-as-document-but-transferred-with-mime-type-application-zip

I'm not sure if there are steps we can take on our end, but if it is impacting users regularly, even a small number, it might be worth investigating a bit further?

@katmoody katmoody added the Bug label Jan 12, 2017
@katmoody katmoody self-assigned this Jan 12, 2017
@katmoody
Contributor Author

katmoody commented Apr 4, 2017

I might have figured out at least one reason why this is failing for some users (though not on the newest Chrome).

I tracked the URLs, and the URL to the actual path is actually invalid. Chrome uses it anyway, but it has a double // in between the site root URL and the /wp-content/ directory.

i.e.:
http://testbwp.com//wp-content/backupwordpress-e8387b7df8-backups/bwp-katsmedia-com-1475774650-database-2017-04-04-12-29-13.zip?key=cfcccbb10e081673fb075764b8307266

Is anyone able to help me find where this is set up in the code, because it includes a lot of extraneous bits to compile the URL path:
http://testbwp.com/wp-admin/admin-post.php?hmbkp_backup_archive=L2hvbWUva2F0c21lZDEvcHVibGljX2h0bWwvYndwL3dwLWNvbnRlbnQvYmFja3Vwd29yZHByZXNzLWU4Mzg3YjdkZjgtYmFja3Vwcy9id3Ata2F0c21lZGlhLWNvbS0xNDc1Nzc0NjUwLWRhdGFiYXNlLTIwMTctMDQtMDQtMTItMjktMTMuemlw&hmbkp_schedule_id=1475774650&action=hmbkp_request_download_backup&hmbkp_download_backup_nonce=e0f27d65c1

Looks like it is compiled here but I'm not seeing where the issue is yet:
https://github.com/humanmade/backupwordpress/blob/master/functions/interface.php#L32

@katmoody
Contributor Author

katmoody commented May 1, 2017

Possibly related to this function:

<?php if ( is_path_accessible( Path::get_path() ) ) : ?>
    <a href="<?php echo esc_url( wp_nonce_url( add_query_arg( array( 'hmbkp_backup_archive' => $encoded_file, 'hmbkp_schedule_id' => $schedule->get_id(), 'action' => 'hmbkp_request_download_backup' ), admin_url( 'admin-post.php' ) ), 'hmbkp_download_backup', 'hmbkp_download_backup_nonce' ) ); ?>" class="download-action"><?php _e( 'Download', 'backupwordpress' ); ?></a> |
<?php endif; ?>

My understanding is that it first tests whether the path is accessible (per the function defined in the core.php file) and then uses the wp_nonce to protect the download link to the given backup? And that link is compiled using all the different parts of the array?

I’m trying to figure out why a growing number of people are having issues downloading those files. It’s not all the same browser, php version, anything I can pin down. So I’m trying to see if there’s something in the function that might be redirecting incorrectly? Or the link being compiled incorrectly in some way.

@katmoody
Contributor Author

katmoody commented May 1, 2017

I was putting notes together and I’m wondering if this is one symptom of a larger issue that is an issue with the root path. There are similarities between this, the recursive symlink issue, and a wp-cli specific one for Path::get_root #1162

@roborourke roborourke added the P1 label Sep 7, 2017
@roborourke roborourke self-assigned this Sep 8, 2017
@roborourke
Contributor

Update: spent some time trying to write failing tests for this but couldn't reproduce the problem yet. I'll take another look at the intercom data.

@roborourke
Contributor

Possible causes:

  • Nonce generation method may have changed? - check WP changelogs. Uses user info when logged in, so may fail depending on when/where the download link in the email is clicked.
  • Incorrect headers sent

@roborourke
Contributor

Can't seem to find where the email download link is handled in the plugin, @willmot can you point me in the right direction? Unless the download link handler was changed and the email link not updated to reflect it.

@roborourke
Contributor

@willmot I found that bit sorry - what I meant is the link that's appended to the email notification generated here containing the hmbkp_download query arg: https://github.com/humanmade/backupwordpress/blob/6a0729633e28567f846197e7050b6ef5a9bfae38/classes/class-email-service.php#L159

I can only find a handler for links within the admin UI containing the nonce which the email link doesn't have:
https://github.com/humanmade/backupwordpress/blob/6a0729633e28567f846197e7050b6ef5a9bfae38/admin/actions.php#L155
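
An added diagnostic for the two link problems discussed so far in this thread (the double slash in the direct archive URL, and a download link that carries no nonce); it is not code from the plugin or from any participant. It assumes that `hmbkp_backup_archive` holds the base64-encoded archive path; the host, backup directory, nonce value and the `admin_link` helper are constructed for illustration.

```python
import base64
import binascii
import posixpath
from urllib.parse import parse_qs, urlencode, urlsplit

# Query argument names as they appear in the links quoted in this thread.
ARCHIVE_ARG = "hmbkp_backup_archive"
NONCE_ARG = "hmbkp_download_backup_nonce"
EMAIL_ARG = "hmbkp_download"
# Constructed values: placeholder host and backup directory.
SITE = "http://www.example.com"
BACKUP_DIR = "/path/to/wordpress/wp-content/backupwordpress-xxxxxxxxx-backups"

def triage_download_url(url, backup_dir=BACKUP_DIR):
    """Return a sorted list of findings for one backup download link."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    findings = set()
    # Symptom reported above: "//" between the site root and /wp-content/.
    if "//" in parts.path:
        findings.add("double-slash-in-path")
    if ARCHIVE_ARG in query:
        # Admin-style link: it should carry the nonce argument.
        if not query.get(NONCE_ARG, [""])[0]:
            findings.add("missing-nonce")
        try:
            # Assumption: the value is standard base64 of the archive path.
            raw = base64.b64decode(query[ARCHIVE_ARG][0], validate=True)
            path = posixpath.normpath(raw.decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            findings.add("archive-arg-not-base64")
        else:
            # A path under a different root points at a root-path mismatch.
            if not path.startswith(posixpath.normpath(backup_dir) + "/"):
                findings.add("archive-path-outside-backup-dir")
    elif EMAIL_ARG in query and NONCE_ARG not in query:
        findings.add("email-link-without-nonce")
    return sorted(findings)

def admin_link(archive_path, nonce="0000000000"):
    """Build a constructed admin-style link (hypothetical helper)."""
    args = {ARCHIVE_ARG: base64.b64encode(archive_path.encode()).decode(),
            "action": "hmbkp_request_download_backup"}
    if nonce:
        args[NONCE_ARG] = nonce
    return SITE + "/wp-admin/admin-post.php?" + urlencode(args)

if __name__ == "__main__":
    for url in (admin_link(BACKUP_DIR + "/db.zip"),
                admin_link(BACKUP_DIR + "/db.zip", nonce=""),
                SITE + "//wp-content/backupwordpress-xxxxxxxxx-backups/db.zip?key=0",
                SITE + "/wp-admin/?hmbkp_download=PLACEHOLDER"):
        print(triage_download_url(url), url)
```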

@willmot
Contributor

willmot commented Sep 14, 2017

Oh good catch, that could be an oversight for sure. Although I guess that’s only going to affect links from emails and this issue is about admin links not working?

@roborourke
Contributor

Doh. There is an intercom issue related to the email link though, maybe there's a separate issue for that already.

@katmoody don't suppose you can dig out and link to the intercom convo for this one?

@katmoody
Contributor Author

I will dig that out because they continue to get in touch with me about our progress on it. So it seems that the email issue stems more from the fact that the link added isn't including the nonce? I'll look into that, and I'll link to it once I find it. (and make sure there's a corresponding issue too)

@katmoody
Contributor Author

katmoody commented Sep 14, 2017

Here's the most consistent person to get back in touch with me - https://app.intercom.io/a/apps/7f1l4qyq/respond/inbox/247906/conversations/5680812053

I'm also including a list of some of the main settings here for your convenience:

The long plugin list includes some security plugins and I already tested against those - no impact, just in case you needed to know 😀 I also changed the site name, for obvious reasons. ;-)

ZIPARCHIVE -- Yes
CALCULATED SIZE OF SITE -- array ( 'database' => '125 MB', 'complete' => '7 GB', )
VERSION -- 7.0.14-nmm1
ZIP COMMAND -- No
MYSQLDUMP COMMAND -- mysqldump
WP CRON TEST FAILED -- No
HOME URL -- http://www.example.com
PLUGIN VERSION -- 3.6.3.1
PDO -- dblib, mysql, odbc, pgsql, sqlite
PROC_OPEN -- Yes
DIRECTORYITERATOR FOLLOW_SYMLINKS -- Unknown
SAFE MODE -- No
SHELL EXEC -- Unknown
MEMORY LIMIT -- 4096M
CRON ARRAY -- long list, see ticket to confirm
ACTIVE PLUGINS -- 
array ( 0 => 'antispam-bee/antispam_bee.php', 1 => 'backupwordpress/backupwordpress.php', 2 => 'better-wp-security/better-wp-security.php', 3 => 'codecanyon-6392174-woocommerce-order-status-actions-manager/wc_custom_action_status.php', 4 => 'comet-cache/comet-cache.php', 5 => 'contact-form-7-honeypot/honeypot.php', 6 => 'contact-form-7-to-database-extension/contact-form-7-db.php', 7 => 'contact-form-7/wp-contact-form-7.php', 8 => 'cookie-notice/cookie-notice.php', 9 => 'cw-google-analytics-datenschutz/cw-google-analytics-datenschutz.php', 10 => 'duplicate-post/duplicate-post.php', 11 => 'email-encoder-bundle/email-encoder-bundle.php', 12 => 'google-analytics-dashboard-for-wp/gadwp.php', 13 => 'google-analytics-opt-out-pro/google-analytics-opt-out-pro.php', 14 => 'js_composer_theme/js_composer.php', 15 => 'layered-popups/layered-popups.php', 17 => 'simple-history/index.php', 18 => 'simple-image-sizes/simple_image_sizes.php', 19 => 'smart-manager-for-wp-e-commerce/smart-manager.php', 20 => 'woo-brands/main.php', 21 => 'woocommerce-address-labels/woocommerce-address-labels.php', 22 => 'woocommerce-admin-bar-addition/woocommerce-admin-bar-addition.php', 23 => 'woocommerce-german-market/WooCommerce-German-Market.php', 24 => 'woocommerce-partial-orders/woocommerce-partial-orders.php', 25 => 'woocommerce-pdf-invoices-packing-slips/woocommerce-pdf-invoices-packingslips.php', 26 => 'woocommerce-pdf-ips-pro/woocommerce-pdf-ips-pro.php', 27 => 'woocommerce-pdf-ips-templates/woocommerce-pdf-ips-templates.php', 28 => 'woocommerce-poor-guys-swiss-knife/woocommerce-poor-guys-swiss-knife.php', 29 => 'woocommerce-product-bundles/woocommerce-product-bundles.php', 30 => 'woocommerce-sequential-order-numbers/woocommerce-sequential-order-numbers.php', 31 => 'woocommerce/woocommerce.php', 32 => 'wooshippinginfo/wooshippinginfo.php', 33 => 'woothemes-updater/woothemes-updater.php', 34 => 'wordpress-seo-premium/wp-seo-premium.php', 35 => 'wp-email-login/email-login.php', 36 => 
'wp-memory-usage/wp-memory-usage.php', )
BACKUP PATH -- /path/to/wordpress/wordpress-files/wp-content/backupwordpress-xxxxxxxxx-backups
BACKUP PATH PERMISSIONS -- 0755
WP_CONTENT_DIR -- /path/to/wordpress/wordpress-files/wp-content
WP_CONTENT_DIR PERMISSIONS -- 0755
ABSPATH -- /path/to/wordpress/wordpress-files/
SERVER -- Apache
OS -- Linux
SITE URL -- http://www.example.com
SITE ROOT PATH -- /path/to/wordpress/wordpress-files

@katmoody
Contributor Author

Also, @roborourke - check out this old closed issue? #93

@roborourke
Contributor

@katmoody cheers 👍

@katmoody katmoody removed their assignment Nov 13, 2019