Opened 17 months ago
Last modified 13 months ago
#19707 new enhancement
admin-ajax.php requests via http regardless of force_ssl_admin() state
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Awaiting Review |
| Component: | HTTP | Version: | |
| Severity: | normal | Keywords: | reporter-feedback has-patch dev-feedback |
| Cc: | kpayne@… | | |
Description
Noticing these requests failing:
"NetworkError: 403 Forbidden - http://HOSTNAMEwp-admin/admin-ajax.php"
My server explicitly denies http to wp-admin. SSL only.
Looks like admin_url() is giving http rather than https. I suspect this bug actually lies somewhere in get_site_url(), but I don't have time to triage this right now.
This is technically a security bug since WP should always obey force_ssl_admin(), but I don't think anything is being leaked or compromised. You don't get access to anything, and nothing being sent over the wire is sensitive since it still obeys the rules of the protocol (cookie is secure). It's just a nuisance.
Change History (3)
- Type changed from defect (bug) to enhancement
- Cc kpayne@… added
- Keywords reporter-feedback added
Can you use a tool like firebug or Chrome/Safari developer tools to see what "action" parameter is being passed to admin-ajax.php? This will tell you if it's from the core. If it's not from the core, the action parameter should give you a clue about which plugin is making the request.
- Component changed from Security to HTTP
- Keywords has-patch dev-feedback added
The admin_url() and home_url() functions can override SSL in the second parameter passing 'http' or 'https' as parameters.
I suggest creating an ajax_url() function that chooses dynamically whether it should use 'https' or 'http'. Something like:

```php
function ajax_url( $url, $scheme = null ) {
	// $url is unused in this sketch; kept as proposed.
	// If $scheme is passed use it, otherwise test if the current request is HTTPS
	$scheme = $scheme ? $scheme : ( is_ssl() ? 'https' : 'http' );
	return admin_url( 'admin-ajax.php', $scheme );
}
```
That could be easier for developers! :)

Further investigation shows this is likely a plugin creating these requests using:

```php
var ajax_url = '<?php echo admin_url("admin-ajax.php", null); ?>';
```

This, however, is indicative of the lack of a proper ajax API on the frontend, forcing plugin developers to resort to using an admin_url to serve their needs. This is problematic and conflicts with things like SSL admin.
May I suggest, for example, an equivalent wp-user-ajax.php and a wp_user_ajax_my_action action? Switching existing plugins would be as trivial as swapping a few characters. This would be more secure since it encourages separation of wp-admin from user related functions.
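As an added example (not code from this ticket or from WordPress core), here is a plugin-side helper that replaces the null-scheme echo pattern described above: it derives the scheme from force_ssl_admin() and is_ssl() and hands the URL to the script through wp_localize_script(); the function names, the script handle `my-plugin-frontend`, the file path and the `myPluginAjax` object name are assumptions.

```php
<?php
/*
 * Fragile pattern from the ticket: the plugin echoes
 * admin_url( 'admin-ajax.php', null ) into an inline <script> tag, so on an
 * http front-end the URL comes out as http even when wp-admin is SSL only.
 */

/**
 * Build the admin-ajax.php URL with a scheme that honours force_ssl_admin().
 * An explicit 'http'/'https' in $scheme wins; otherwise prefer https whenever
 * the admin is forced to SSL or the current request is already SSL.
 */
function my_plugin_ajax_url( $scheme = null ) {
	if ( 'http' !== $scheme && 'https' !== $scheme ) {
		$scheme = ( force_ssl_admin() || is_ssl() ) ? 'https' : 'http';
	}
	return admin_url( 'admin-ajax.php', $scheme );
}

/**
 * Pass the URL to the front-end script via wp_localize_script() instead of
 * echoing PHP into the page. Handle, path and object name are assumptions.
 */
function my_plugin_enqueue_frontend_script() {
	wp_enqueue_script(
		'my-plugin-frontend',
		plugins_url( 'js/frontend.js', __FILE__ ),
		array( 'jquery' ),
		'1.0',
		true
	);
	wp_localize_script(
		'my-plugin-frontend',
		'myPluginAjax',
		array( 'url' => my_plugin_ajax_url() )
	);
}
add_action( 'wp_enqueue_scripts', 'my_plugin_enqueue_frontend_script' );
```

On the JavaScript side the plugin then reads `myPluginAjax.url` rather than a string baked into the markup, so the scheme follows the site's SSL configuration instead of the scheme of the page that happened to render it.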