WordPress.org

Make WordPress Core

Changeset 28895


Ignore:
Timestamp:
06/29/2014 01:24:55 PM (6 years ago)
Author:
johnbillion
Message:

Conditionally set the the secure flag on the test cookie, post password cookie, settings cookies, and comment author cookies depending on whether the front end and/or admin area are served over https. Fixes #28427

Location:
trunk/src
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/comment.php

    r28738 r28895  
    719719     */
    720720    $comment_cookie_lifetime = apply_filters( 'comment_cookie_lifetime', 30000000 );
    721     setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
    722     setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
    723     setcookie('comment_author_url_' . COOKIEHASH, esc_url($comment->comment_author_url), time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
     721    $secure = is_https_url( home_url() );
     722    setcookie( 'comment_author_' . COOKIEHASH, $comment->comment_author, time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN, $secure );
     723    setcookie( 'comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN, $secure );
     724    setcookie( 'comment_author_url_' . COOKIEHASH, esc_url($comment->comment_author_url), time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN, $secure );
    724725}
    725726
  • trunk/src/wp-includes/option.php

    r28735 r28895  
    747747
    748748    // The cookie is not set in the current browser or the saved value is newer.
    749     setcookie( 'wp-settings-' . $user_id, $settings, time() + YEAR_IN_SECONDS, SITECOOKIEPATH );
    750     setcookie( 'wp-settings-time-' . $user_id, time(), time() + YEAR_IN_SECONDS, SITECOOKIEPATH );
     749    $secure = is_https_url( site_url() );
     750    setcookie( 'wp-settings-' . $user_id, $settings, time() + YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
     751    setcookie( 'wp-settings-time-' . $user_id, time(), time() + YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
    751752    $_COOKIE['wp-settings-' . $user_id] = $settings;
    752753}
  • trunk/src/wp-login.php

    r28792 r28895  
    423423
    424424//Set a cookie now to see if they are supported by the browser.
    425 setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
     425$secure = ( is_https_url( home_url() ) && is_https_url( site_url() ) );
     426setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
    426427if ( SITECOOKIEPATH != COOKIEPATH )
    427     setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
     428    setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
    428429
    429430/**
     
    464465     */
    465466    $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
    466     setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH );
     467    $secure = is_https_url( home_url() );
     468    setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
    467469
    468470    wp_safe_redirect( wp_get_referer() );
Note: See TracChangeset for help on using the changeset viewer.