WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 3 years ago

#10268 new defect (bug)

Profile and Edit user pages should be secure too

Reported by: Denis-de-Bernardy
Owned by: ryan
Priority: normal
Milestone: Future Release
Component: Security
Version:
Severity: normal
Keywords: has-patch
Cc:

Description

With admin_ssl off, and login_ssl on, the profile page ends up insecure. It should at least send its POST request over SSL, since a new password might be set.

And possibly use a secure form as well (see #10267).

Attachments (1)

10268.diff (1.4 KB) - added by Denis-de-Bernardy 4 years ago.


Change History (8)

comment:1 Denis-de-Bernardy 4 years ago

see also #10268 regarding the profile page.

Denis-de-Bernardy 4 years ago

comment:2 Denis-de-Bernardy 4 years ago

  • Keywords has-patch added

comment:4 ryan 4 years ago

  • Milestone changed from 2.8.1 to 2.9

comment:5 azaozz 4 years ago

  • Milestone changed from 2.9 to 3.0

Perhaps this should be handled in auth_redirect() which is called from admin.php.

comment:6 nacin 3 years ago

  • Milestone changed from 3.0 to 3.1

comment:7 nacin 3 years ago

  • Milestone changed from Awaiting Triage to Future Release