
Ticket #19023: 19023.ssl_proxy.patch

File 19023.ssl_proxy.patch, 3.3 KB (added by kurtpayne, 13 years ago)

Rewrite comments to reference images securely, reference external images through a local proxy

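--- a/wp-admin/ssl_proxy.php
+++ b/wp-admin/ssl_proxy.php
+ * WordPress SSL Proxy
+ *
+ * @package WordPress
+ * @subpackage Administration
+ */
+// Get admin libs
+// Make sure URL is present
+if (empty($_REQUEST['url']))
+        default_image();
+// Get the URL arg
+$url = base64_decode($_REQUEST['url']);
+// Check that base64 decoded okay
+if ( false === $url )
+        default_image();
+// Make sure it's a valid URL
+if ( false === parse_url($url) )
+        default_image();
+// Fetch it
+$req = wp_remote_get(base64_decode($_REQUEST['url']));
+// Look for errors
+if ( is_wp_error($req) )
+        default_image();
+// Look for error status codes
+if ( $req['response']['code'] < 200 || $req['response']['code'] >= 400)
+        default_image();
+// Okay, no errors, show the image
+if (isset($req['headers']['content-type']))
+        header('Content-type: ' . $req['headers']['content-type']);
+echo $req['body'];
+ * Show the default image.  This is called when an error happened.
+ */
+function default_image() {
+        header('Content-type: image/gif');
+        readfile('./images/loading.gif');
+        die();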
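Review bot: The remote body is echoed from the admin origin on line 41 with whatever `Content-Type` the remote host chose (line 40), so a comment author who points an `<img>` at a server they control can have this script return `text/html` containing script, which then runs in the logged-in admin's session; only `image/*` responses should be relayed, with `X-Content-Type-Options: nosniff` set. The check on line 24 accepts any string `parse_url` can split, so the script is also an open fetcher for any scheme and host, including internal addresses, unless `wp_remote_get` filters those — nothing visible here does, and the `require` of admin.php implied by line 9 is not shown, so whether even a login is enforced cannot be confirmed from this hunk; restrict to absolute http(s) URLs and consider binding the parameter to a nonce or HMAC issued by `get_ssl_proxy_url` so only URLs that came out of the comment filter can be fetched. The request parameter is also decoded twice (lines 17 and 28) and without the strict flag, so the validated `$url` should be what gets fetched and `base64_decode($x, true)` should reject malformed input instead of silently stripping it. The closing brace of `default_image()` lies outside the shown hunk.
```php
// … unchanged: admin libs, empty-url check …
$url = base64_decode( $_REQUEST['url'], true );
if ( false === $url )
        default_image();

// Only absolute http(s) URLs with a host are proxied; anything else is refused.
$parts = parse_url( $url );
if ( false === $parts || empty( $parts['host'] ) || empty( $parts['scheme'] )
        || ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ) ) )
        default_image();

$req = wp_remote_get( $url );
// … unchanged: is_wp_error and status-code checks …

// Never relay a non-image body: the response is served from the admin origin,
// so a text/html body chosen by the remote host would run as script here.
$type = isset( $req['headers']['content-type'] ) ? strtolower( trim( $req['headers']['content-type'] ) ) : '';
if ( 0 !== strpos( $type, 'image/' ) )
        default_image();
header( 'Content-Type: ' . $type );
header( 'X-Content-Type-Options: nosniff' );
echo $req['body'];
// … unchanged: default_image() …
```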
  • wp-admin/edit-comments.php

    Property changes on: wp-admin\ssl_proxy.php
    Added: svn:eol-style
       + native
    1717$doaction = $wp_list_table->current_action();
     19// Filter out any insecure content to avoid SSL warnings
     20if ( is_ssl() )
     21        add_filter( 'comment_text', 'proxy_insecure_content', 999 );
    1923if ( $doaction ) {
    2024        check_admin_referer( 'bulk-comments' );
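Review bot: The `add_filter` on line 21 hooks `comment_text` at priority 999 with no comment on why it must run that late, so a later maintainer cannot tell whether the number is load-bearing; a one-line note such as `// Late priority so the rewrite also sees src= attributes emitted by the default comment_text filters` would settle it (that the default filters emit such attributes is my reading of the intent, confirm). The guard also keys solely on `is_ssl()`, so an admin reached over plain HTTP behind a TLS-terminating proxy gets no rewriting unless `is_ssl()` already honours forwarded headers elsewhere, which this patch does not show.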
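--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
+ * Filter out any images from insecure sources
+ * @param string $content
+ * @return string
+ */
+function proxy_insecure_content($content) {
+        if ( preg_match_all('/src=[\'"]?([^\'">]+)[\'"]?/ix', $content, $matches )) {
+                foreach ( $matches[1] as $k => $v ) {
+                        $parts = parse_url($v);
+                        if ( $parts === false )
+                                continue;
+                        // If we can just slap "https://" onto the front, go ahead
+                        if ( $parts['host'] == $_SERVER['HTTP_HOST'] ) {
+                                $url = str_replace('http://', 'https://', $v);
+                        // If not, it's probably an external image and needs to be proxied
+                        } else {
+                                $url = get_ssl_proxy_url($v);
+                        }
+                        // Update the content
+                        $content = str_replace($v, $url, $content);
+                }
+        }
+        return $content;
+ * Run non-secure items through an SSL proxy
+ * Why base64 encode?  mod_security will detect it as an attack otherwise.
+ * @param string $url
+ * @return string
+ */
+function get_ssl_proxy_url($url) {
+        return get_admin_url() . 'ssl_proxy.php?url=' . base64_encode($url);
  * Retrieve the comment time of the current comment.
  *
  * @since 1.5.0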
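Review bot: `str_replace($v, $url, $content)` on line 639 rewrites every occurrence of the matched value across the whole comment, not just the `src` attribute it was found in, so the same URL in an `href` or in visible text is also turned into a proxy link and a short value such as `a.png` can match inside unrelated text; the rewrite should happen only inside the matched attribute via `preg_replace_callback`. The branch on line 630 reads `$parts['host']` for relative `src` values that have no host (a notice, after which they are proxied although they are already same-origin) and sends `https://` images through the proxy although they raise no mixed-content warning, so scheme and host need checking before any rewrite; `$_SERVER['HTTP_HOST']` is also request-supplied, so the configured host from `home_url()` is a safer anchor for the "same site" test. The sketch below uses a named callback rather than a closure in case PHP 5.2 still has to be supported; the closing braces of both `proxy_insecure_content` and `get_ssl_proxy_url` lie outside the shown hunk.
```php
function proxy_insecure_content($content) {
        // Rewrite only inside the matched src attribute; a plain str_replace hits every occurrence in the comment.
        return preg_replace_callback('/src=([\'"]?)([^\'">]+)\1/i', '_proxy_insecure_src', $content);
}

// Callback for proxy_insecure_content: $m[1] is the quote (possibly empty), $m[2] the src value.
function _proxy_insecure_src($m) {
        $parts = parse_url($m[2]);
        // Relative and https:// references raise no mixed-content warning; leave them alone.
        if ( $parts === false || empty($parts['scheme']) || 'http' !== strtolower($parts['scheme']) || empty($parts['host']) )
                return $m[0];
        $site_host = parse_url( home_url(), PHP_URL_HOST );
        if ( strtolower($parts['host']) === strtolower($site_host) )
                $url = 'https://' . substr($m[2], strlen('http://'));
        else
                $url = get_ssl_proxy_url($m[2]);
        return 'src=' . $m[1] . $url . $m[1];
}
// … unchanged: get_ssl_proxy_url …
```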