
Ticket #19023: 19023.ssl_proxy.2.patch

File 19023.ssl_proxy.2.patch, 3.9 KB (added by kurtpayne, 13 years ago)

Filtering insecure images after editing comments via ajax

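--- a/wp-admin/ssl_proxy.php
+++ b/wp-admin/ssl_proxy.php
@@ -0,0 +1,50 @@
+<?php
+/**
+ * WordPress SSL Proxy
+ *
+ * @package WordPress
+ * @subpackage Administration
+ */
+
+// Get admin libs
+require_once('./admin.php');
+
+// Make sure URL is present
+if (empty($_REQUEST['url']))
+        default_image();
+
+// Get the URL arg
+$url = base64_decode($_REQUEST['url']);
+
+// Check that base64 decoded okay
+if ( false === $url )
+        default_image();
+
+// Make sure it's a valid URL
+if ( false === parse_url($url) )
+        default_image();
+
+// Fetch it
+$req = wp_remote_get(base64_decode($_REQUEST['url']));
+
+// Look for errors
+if ( is_wp_error($req) )
+        default_image();
+
+// Look for error status codes
+if ( $req['response']['code'] < 200 || $req['response']['code'] >= 400)
+        default_image();
+
+// Okay, no errors, show the image
+if (isset($req['headers']['content-type']))
+        header('Content-type: ' . $req['headers']['content-type']);
+echo $req['body'];
+
+/**
+ * Show the default image.  This is called when an error happened.
+ */
+function default_image() {
+        header('Content-type: image/gif');
+        readfile('./images/loading.gif');
+        die();
+}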
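Review bot: Line 28 hands whatever the logged-in user encoded in `url` to wp_remote_get() and lines 39-41 echo the upstream body under the upstream Content-Type, so the page is an open fetch proxy on the admin origin: requiring only admin.php's login means any account can make the server fetch arbitrary hosts, and a non-image response (text/html, for instance) is served same-origin. The parse_url() check on line 24 accepts almost any string; it should instead require a plain-http scheme and a host, and rejecting loopback/private destinations before the fetch would be worth adding as well. A capability check matching edit-comments.php (`if ( ! current_user_can('edit_posts') ) default_image();`) belongs before any fetch, the second base64_decode() on line 28 should reuse `$url`, and only `image/*` responses should be passed through. The rewritten lines below keep the existing default_image() fallback for every rejected case.
```php
// … unchanged: require_once('./admin.php'), url presence and base64 checks …

// Same gate as edit-comments.php: the proxy must not be reachable by every logged-in account
if ( ! current_user_can('edit_posts') )
        default_image();

// Only plain-http URLs with a host are worth proxying; reject everything else up front
$parts = parse_url($url);
if ( false === $parts || empty($parts['scheme']) || 'http' !== strtolower($parts['scheme']) || empty($parts['host']) )
        default_image();

// Fetch it (reuse the value decoded above instead of decoding a second time)
$req = wp_remote_get($url);

// … unchanged: is_wp_error() and status-code checks …

// Only pass image responses through; never echo arbitrary upstream content from the admin origin
$type = isset($req['headers']['content-type']) ? $req['headers']['content-type'] : '';
if ( 0 !== strpos( $type, 'image/' ) )
        default_image();
header('Content-type: ' . $type);
header('X-Content-Type-Options: nosniff');
echo $req['body'];
```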
  • wp-admin/edit-comments.php

    Property changes on: wp-admin\ssl_proxy.php
    ___________________________________________________________________
    Added: svn:eol-style
       + native
    
     
    1616
    1717$doaction = $wp_list_table->current_action();
    1818
     19// Filter out any insecure content to avoid SSL warnings
     20if ( is_ssl() )
     21        add_filter( 'comment_text', 'proxy_insecure_content', 999 );
     22
    1923if ( $doaction ) {
    2024        check_admin_referer( 'bulk-comments' );
    2125
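Review bot: The `is_ssl()` / `add_filter()` pair on lines 19-21 is duplicated verbatim in the admin-ajax.php hunk of this patch; registering `proxy_insecure_content` once in shared admin code, behind the same `is_ssl()` guard, would keep the two call sites from drifting. As written the filter stays attached for the remainder of the request, which is harmless here but worth stating, e.g. `// Registered for the whole request: every comment_text call below is rewritten`.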
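--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@@ -615,6 +615,44 @@
 }
 
 /**
+ * Filter out any images from insecure sources
+ * @param string $content
+ * @return string
+ */
+function proxy_insecure_content($content) {
+        if ( preg_match_all('/src=[\'"]?([^\'">]+)[\'"]?/iS', $content, $matches )) {
+                foreach ( $matches[1] as $k => $v ) {
+                        $parts = parse_url($v);
+                        if ( $parts === false )
+                                continue;
+
+                        // If we can just slap "https://" onto the front, go ahead
+                        if ( $parts['host'] == $_SERVER['HTTP_HOST'] ) {
+                                $url = str_replace('http://', 'https://', $v);
+
+                        // If not, it's probably an external image and needs to be proxied
+                        } else {
+                                $url = get_ssl_proxy_url($v);
+                        }
+
+                        // Update the content
+                        $content = str_replace($v, $url, $content);
+                }
+        }
+        return $content;
+}
+
+/**
+ * Run non-secure items through an SSL proxy
+ * Why base64 encode?  mod_security will detect it as an attack otherwise.
+ * @param string $url
+ * @return string
+ */
+function get_ssl_proxy_url($url) {
+        return get_admin_url() . 'ssl_proxy.php?url=' . base64_encode($url);
+}
+
+/**
  * Retrieve the comment time of the current comment.
  *
  * @since 1.5.0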
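Review bot: The host comparison on line 630 (`$parts['host'] == $_SERVER['HTTP_HOST']`) trusts the client-supplied Host header and raises an undefined-index notice for relative or schemeless src values, which then get routed through the proxy instead of being left alone; compare against the site's own host from home_url() and skip anything that is not a plain-http URL with a host, since already-https and data: sources need no rewriting. get_ssl_proxy_url() on line 652 also places raw base64 in the query string, and its `+`, `/` and `=` characters are not query-safe (`+` arrives as a space), so the value should be wrapped: `return get_admin_url() . 'ssl_proxy.php?url=' . urlencode( base64_encode($url) );`. Note too that `str_replace($v, $url, $content)` on line 639 rewrites every occurrence of the matched string in the comment, not only the src attribute it was found in. The rewritten lines below replace lines 625-631; the else branch and the rest of the loop are unchanged.
```php
                        $parts = parse_url($v);
                        // Only plain-http URLs with a host need rewriting; leave relative, https and data: sources alone
                        if ( $parts === false || empty($parts['scheme']) || 'http' !== strtolower($parts['scheme']) || empty($parts['host']) )
                                continue;

                        // Compare against the site's own host, not the client-supplied Host header
                        $site_host = parse_url( home_url(), PHP_URL_HOST );
                        if ( 0 === strcasecmp( $parts['host'], $site_host ) ) {
                                $url = str_replace('http://', 'https://', $v);
                        // … unchanged: else branch via get_ssl_proxy_url() and the str_replace() update …
```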
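--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -733,6 +733,9 @@
         $wp_list_table = _get_list_table( $checkbox ? 'WP_Comments_List_Table' : 'WP_Post_Comments_List_Table' );
 
         ob_start();
+                // Filter out any insecure content to avoid SSL warnings
+                if ( is_ssl() )
+                        add_filter( 'comment_text', 'proxy_insecure_content', 999 );
                 $wp_list_table->single_row( get_comment( $comment_id ) );
                 $comment_list_item = ob_get_contents();
         ob_end_clean();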