Ticket #32112: 32112.diff

src/wp-admin/includes/ajax-actions.php

@@ -2454 +2454 @@
 
                 $title = ''; // We no longer insert title tags into <img> tags, as they are redundant.
                 $html = get_image_send_to_editor( $id, $caption, $title, $align, $url, (bool) $rel, $size, $alt );
+
+                // 'src' attribute should not be HTTPS if the site URL is not also HTTPS.
+                if ( is_ssl() ) {
+                        $upload_dir = wp_upload_dir();
+                        if ( 'https' !== substr( $upload_dir['basedir'], 0, 5 ) ) {
+                                if ( preg_match( '|src\=\"([^"]*)\"|', $html, $matches ) ) {
+                                        $html = str_replace( $matches[1], set_url_scheme( $matches[1], 'http' ), $html );
+                                }
+                        }
+                }
         } elseif ( wp_attachment_is( 'video', $post ) || wp_attachment_is( 'audio', $post )  ) {
                 $html = stripslashes_deep( $_POST['html'] );
         }

tests/phpunit/includes/testcase-ajax.php

@@ -46 +46 @@
                 'hidden-columns', 'update-welcome-panel', 'menu-get-metabox', 'wp-link-ajax',
                 'menu-locations-save', 'menu-quick-search', 'meta-box-order', 'get-permalink',
                 'sample-permalink', 'inline-save', 'inline-save-tax', 'find_posts', 'widgets-order',
-                'save-widget', 'set-post-thumbnail', 'date_format', 'time_format', 'wp-fullscreen-save-post',
+                'save-widget', 'send-attachment-to-editor', 'set-post-thumbnail', 'date_format', 'time_format', 'wp-fullscreen-save-post',
                 'wp-remove-post-lock', 'dismiss-wp-pointer', 'heartbeat', 'nopriv_heartbeat',
         );
 

new file tests/phpunit/tests/ajax/SendAttachmentToEditor.php

@@ +1 @@
+<?php
+
+/**
+ * Admin ajax functions to be tested
+ */
+require_once( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
+
+/**
+ * @group ajax
+ */
+class Tests_Ajax_SendAttachmentToEditor extends WP_Ajax_UnitTestCase {
+        private $_ids;
+
+        /**
+         * Set up the test fixture
+         */
+        public function setUp() {
+                parent::setUp();
+                $_SERVER['REMOTE_ADDR'] = '';
+        }
+
+        /**
+         * Tear down the test fixture.
+         */
+        public function tearDown() {
+                // Cleanup
+                foreach ( $this->_ids as $id ) {
+                        wp_delete_attachment( $id, true );
+                }
+
+                parent::tearDown();
+        }
+
+        /**
+         * @ticket 32112
+         */
+        public function test_src_should_be_http_when_homeurl_is_http_even_when_is_ssl() {
+                $_https = isset( $_SERVER['HTTPS'] ) ? $_SERVER['HTTPS'] : null;
+                $_post_backup = $_POST;
+
+                $post_id = $this->factory->post->create();
+
+                $filename = DIR_TESTDATA . '/images/canola.jpg';
+                $contents = file_get_contents( $filename );
+
+                $upload = wp_upload_bits( basename( $filename ), null, $contents );
+                $attachment_id = $this->_make_attachment( $upload, $post_id );
+
+                $attachment_url = wp_get_attachment_url( $attachment_id );
+                $this->assertSame( $attachment_url, set_url_scheme( $attachment_url, 'http' ) );
+
+                wp_set_current_user( $this->factory->user->create( array( 'role' => 'editor' ) ) );
+
+                // Fake SSL.
+                $_SERVER['HTTPS'] = 'on';
+
+                // Set up a default request.
+                $_POST['nonce'] = wp_create_nonce( 'media-send-to-editor' );
+                $_POST['attachment'] = array(
+                        'id' => $attachment_id,
+                );
+                $_POST['post_id'] = $post_id;
+
+                // Make the request
+                try {
+                        $this->_handleAjax( 'send-attachment-to-editor' );
+                } catch ( WPAjaxDieContinueException $e ) {
+                        unset( $e );
+                }
+
+                // Clean up before assertion.
+                if ( is_null( $_https ) ) {
+                        unset( $_SERVER['HTTPS'] );
+                } else {
+                        $_SERVER['HTTPS'] = $_https;
+                }
+
+                $_POST = $_post_backup;
+
+                $response = json_decode( $this->_last_response );
+
+                // We don't test against the full attachment URL because of resizing, etc.
+                $attachment_base = substr( $attachment_url, 0, strrpos( $attachment_url, '/' ) );
+                $this->assertContains( 'src="' . $attachment_base, $response->data );
+        }
+
+        private function _make_attachment( $upload, $parent_post_id = 0 ) {
+                $type = '';
+                if ( !empty($upload['type']) ) {
+                        $type = $upload['type'];
+                } else {
+                        $mime = wp_check_filetype( $upload['file'] );
+                        if ($mime)
+                                $type = $mime['type'];
+                }
+
+                $attachment = array(
+                        'post_title' => basename( $upload['file'] ),
+                        'post_content' => '',
+                        'post_type' => 'attachment',
+                        'post_parent' => $parent_post_id,
+                        'post_mime_type' => $type,
+                        'guid' => $upload[ 'url' ],
+                );
+
+                // Save the data
+                $id = wp_insert_attachment( $attachment, $upload[ 'file' ], $parent_post_id );
+                wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $upload['file'] ) );
+                return $this->_ids[] = $id;
+        }
+}