Changeset 28609


Timestamp:
05/29/2014 03:58:41 AM (6 years ago)
Author:
nacin
Message:

Forcing SSL logins now forces SSL for the entire admin, with no middle ground.

fixes #10267.

Location:
trunk
Files:
5 edited

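--- a/trunk/src/wp-includes/default-constants.php
+++ b/trunk/src/wp-includes/default-constants.php
@@ -248,14 +248,15 @@
      * @since 2.6.0
      */
-    if ( !defined('FORCE_SSL_ADMIN') )
-        define('FORCE_SSL_ADMIN', false);
-    force_ssl_admin(FORCE_SSL_ADMIN);
-
-    /**
-     * @since 2.6.0
-     */
-    if ( !defined('FORCE_SSL_LOGIN') )
-        define('FORCE_SSL_LOGIN', false);
-    force_ssl_login(FORCE_SSL_LOGIN);
+    if ( !defined( 'FORCE_SSL_ADMIN' ) )
+        define( 'FORCE_SSL_ADMIN', false );
+    force_ssl_admin( FORCE_SSL_ADMIN );
+
+    /**
+     * @since 2.6.0
+     * @deprecated 4.0.0
+     */
+    if ( defined( 'FORCE_SSL_LOGIN' ) && FORCE_SSL_LOGIN ) {
+        force_ssl_admin( true );
+    }
 }
 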
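Review bot: The `@deprecated 4.0.0` docblock above the new `FORCE_SSL_LOGIN` check names no replacement and does not say that a true value now turns on SSL for the whole admin, which is what an operator who set only `FORCE_SSL_LOGIN` needs to know before upgrading. I would extend it to `@deprecated 4.0.0 Use FORCE_SSL_ADMIN; a true value now forces SSL for the entire admin.` The check also runs after `force_ssl_admin( FORCE_SSL_ADMIN )`, so it overrides an explicit `FORCE_SSL_ADMIN` of false; that matches the commit message but deserves a sentence in the same comment. The enclosing function starts outside this hunk.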
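--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -3388,13 +3388,5 @@
  */
 function force_ssl_login( $force = null ) {
-    static $forced = false;
-
-    if ( !is_null( $force ) ) {
-        $old_forced = $forced;
-        $forced = $force;
-        return $old_forced;
-    }
-
-    return $forced;
+    return force_ssl_admin( $force );
 }
 
@@ -4306,7 +4298,4 @@
     $same_domain = ( strpos( $login_url, $current_domain ) === 0 );
 
-    if ( $same_domain && force_ssl_login() && ! force_ssl_admin() )
-        $same_domain = false;
-
     /**
      * Filter whether the authentication check originated at the same domain.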
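Review bot: In the first hunk, `force_ssl_login()` now forwards every argument to `force_ssl_admin()`, so a legacy caller passing `false`, which used to clear only the login flag, would switch off SSL enforcement for the entire admin, assuming `force_ssl_admin()` is the same kind of static setter as the removed body. If that downgrade is not wanted, forward only a true value, e.g. `return $force ? force_ssl_admin( true ) : force_ssl_admin();`; otherwise the docblock should state it. That docblock ends just above the hunk and should also gain an `@deprecated 4.0.0` line pointing to `force_ssl_admin()`, to match the constant.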
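--- a/trunk/src/wp-includes/link-template.php
+++ b/trunk/src/wp-includes/link-template.php
@@ -2846,13 +2846,11 @@
 function set_url_scheme( $url, $scheme = null ) {
     $orig_scheme = $scheme;
-    if ( ! in_array( $scheme, array( 'http', 'https', 'relative' ) ) ) {
-        if ( ( 'login_post' == $scheme || 'rpc' == $scheme ) && ( force_ssl_login() || force_ssl_admin() ) )
-            $scheme = 'https';
-        elseif ( ( 'login' == $scheme ) && force_ssl_admin() )
-            $scheme = 'https';
-        elseif ( ( 'admin' == $scheme ) && force_ssl_admin() )
-            $scheme = 'https';
-        else
-            $scheme = ( is_ssl() ? 'https' : 'http' );
+
+    if ( ! $scheme ) {
+        $scheme = is_ssl() ? 'https' : 'http';
+    } elseif ( $scheme === 'admin' || $scheme === 'login' || $scheme === 'login_post' || $scheme === 'rpc' ) {
+        $scheme = is_ssl() || force_ssl_admin() ? 'https' : 'http';
+    } elseif ( $scheme !== 'http' && $scheme !== 'https' && $scheme !== 'relative' ) {
+        $scheme = is_ssl() ? 'https' : 'http';
     }
 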
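Review bot: The new chain in `set_url_scheme()` has two branches that compute the same value: `if ( ! $scheme )` and the final `elseif` both assign `is_ssl() ? 'https' : 'http'`. Every falsy `$scheme` already satisfies the final `elseif` condition, so the first branch can be dropped and the chain can start with the `'admin'`/`'login'`/`'login_post'`/`'rpc'` test. The line that decides whether login and admin URLs are upgraded relies on `||` binding tighter than `?:`; I would parenthesise it as `$scheme = ( is_ssl() || force_ssl_admin() ) ? 'https' : 'http';` so the intent is visible. The function body continues outside the hunk.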
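--- a/trunk/src/wp-login.php
+++ b/trunk/src/wp-login.php
@@ -742,10 +742,4 @@
     $reauth = empty($_REQUEST['reauth']) ? false : true;
 
-    // If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
-    // cookie and redirect back to the referring non-secure admin page. This allows logins to always be POSTed over SSL while allowing the user to choose visiting
-    // the admin via http or https.
-    if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
-        $secure_cookie = false;
-
     $user = wp_signon( '', $secure_cookie );
 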
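--- a/trunk/tests/phpunit/tests/url.php
+++ b/trunk/tests/phpunit/tests/url.php
@@ -2,4 +2,7 @@
 
 // tests for link-template.php and related URL functions
+/**
+ * @group url
+ */
 class Tests_URL extends WP_UnitTestCase {
     var $_old_server;
@@ -265,7 +268,7 @@
 
             force_ssl_login( true );
-            $this->assertEquals( $http_links[ $i ], set_url_scheme( $link, 'admin' ) );
+            $this->assertEquals( $https_links[ $i ], set_url_scheme( $link, 'admin' ) );
             $this->assertEquals( $https_links[ $i ], set_url_scheme( $link, 'login_post' ) );
-            $this->assertEquals( $http_links[ $i ], set_url_scheme( $link, 'login' ) );
+            $this->assertEquals( $https_links[ $i ], set_url_scheme( $link, 'login' ) );
             $this->assertEquals( $https_links[ $i ], set_url_scheme( $link, 'rpc' ) );
 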
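Review bot: The updated assertions after `force_ssl_login( true )` pass only because that call now changes the state held by `force_ssl_admin()`, yet nothing in the visible lines asserts that link or shows the state being restored. Adding `$this->assertTrue( force_ssl_admin() );` right after the `force_ssl_login( true )` call would pin the new coupling. The test should also reset with `force_ssl_admin( false );` before it returns (it may already do so outside the hunk) so later tests do not inherit forced HTTPS. The test method starts and ends outside this hunk.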