
Changeset 32342


Timestamp:
05/04/2015 01:09:14 PM (9 years ago)
Author:
boonebgorges
Message:

Attachment URLs should only be forced to SSL on the front end.

Detecting SSL status on the Dashboard introduces problems when writing content
that is saved to the database and then displayed on the front end, where SSL
may be optional (or impossible, due to self-signed certificates). The new
approach parallels the logic in get_home_url() for forcing HTTPS.

See [31614] #15928 for background.

Fixes #32112 for trunk.

Location:
trunk
Files:
2 edited

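--- a/trunk/src/wp-includes/post.php
+++ b/trunk/src/wp-includes/post.php
@@ -4993,10 +4993,7 @@
     }
 
-    /*
-     * If currently on SSL, prefer HTTPS URLs when we know they're supported by the domain
-     * (which is to say, when they share the domain name of the current SSL page).
-     */
-    if ( is_ssl() && 'https' !== substr( $url, 0, 5 ) && parse_url( $url, PHP_URL_HOST ) === $_SERVER['HTTP_HOST'] ) {
-        $url = set_url_scheme( $url, 'https' );
+    // On SSL front-end, URLs should be HTTPS.
+    if ( is_ssl() && ! is_admin() && 'wp-login.php' !== $GLOBALS['pagenow'] ) {
+        $url = set_url_scheme( $url );
     }
 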
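Review bot: The new condition at new line 4996 drops the host comparison that the removed code made, so on an HTTPS front-end request every attachment URL is switched to https, including one whose host differs from the current site and may not serve HTTPS; the one-line comment does not say this is intended. If it is, the comment should state it and explain the exclusions, e.g. `// Front-end HTTPS request: force https regardless of host; admin and wp-login.php keep the stored scheme so saved content is not rewritten.` The reverse case also deserves a mention there: a Dashboard served over HTTPS with an http siteurl now receives http attachment URLs, which browsers treat as mixed content. Passing the scheme explicitly, `$url = set_url_scheme( $url, 'https' );`, would make the result readable without knowing how the default scheme is resolved. The enclosing function starts and ends outside the hunk.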
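--- a/trunk/tests/phpunit/tests/post/attachments.php
+++ b/trunk/tests/phpunit/tests/post/attachments.php
@@ -410,7 +410,7 @@
     * @ticket 15928
     */
-    public function test_wp_get_attachment_url_should_not_force_https_when_https_is_on_but_url_has_a_different_domain() {
+    public function test_wp_get_attachment_url_should_not_force_https_when_administering_over_https_but_siteurl_is_not_https() {
         $siteurl = get_option( 'siteurl' );
-        update_option( 'siteurl', set_url_scheme( $siteurl, 'https' ) );
+        update_option( 'siteurl', set_url_scheme( $siteurl, 'http' ) );
 
         $filename = ( DIR_TESTDATA . '/images/test-image.jpg' );
@@ -423,19 +423,45 @@
         $attachment_id = $this->_make_attachment( $upload );
 
-        // Save server data for cleanup.
         $is_ssl = is_ssl();
-        $http_host = $_SERVER['HTTP_HOST'];
-
         $_SERVER['HTTPS'] = 'on';
-
-        // Set server host to something random.
-        $_SERVER['HTTP_HOST'] = 'some.otherhostname.com';
+        set_current_screen( 'dashboard' );
 
         $url = wp_get_attachment_url( $attachment_id );
-        $this->assertSame( set_url_scheme( $url, 'http' ), $url );
 
         // Cleanup.
         $_SERVER['HTTPS'] = $is_ssl ? 'on' : 'off';
-        $_SERVER['HTTP_HOST'] = $http_host;
+        set_current_screen( 'front' );
+
+        $this->assertSame( set_url_scheme( $url, 'http' ), $url );
+    }
+
+    /**
+     * @ticket 15928
+     */
+    public function test_wp_get_attachment_url_should_force_https_when_administering_over_https_and_siteurl_is_https() {
+        // Must set the upload_url_path to fake out `wp_upload_dir()`.
+        $siteurl = get_option( 'siteurl' );
+        update_option( 'upload_url_path', set_url_scheme( $siteurl, 'https' ) . '/uploads' );
+
+        $filename = ( DIR_TESTDATA . '/images/test-image.jpg' );
+        $contents = file_get_contents( $filename );
+
+        $upload = wp_upload_bits( basename( $filename ), null, $contents );
+        $this->assertTrue( empty( $upload['error'] ) );
+
+        // Set attachment ID
+        $attachment_id = $this->_make_attachment( $upload );
+
+        $is_ssl = is_ssl();
+        $_SERVER['HTTPS'] = 'on';
+        set_current_screen( 'dashboard' );
+
+        $url = wp_get_attachment_url( $attachment_id );
+
+        // Cleanup.
+        $_SERVER['HTTPS'] = $is_ssl ? 'on' : 'off';
+        set_current_screen( 'front' );
+
+        $this->assertSame( set_url_scheme( $url, 'https' ), $url );
     }
 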
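Review bot: Neither test in these hunks exercises the branch the commit adds: both call `set_current_screen( 'dashboard' )`, so the front-end path that forces https and the `wp-login.php` exclusion are not asserted anywhere visible here, and the removed different-host case has no replacement. A front-end counterpart modelled on the new test at new lines 441–466 would pin the behaviour; a sketch follows, assuming the test bootstrap leaves `$GLOBALS['pagenow']` at a value other than `wp-login.php`. Lines 417–422 and the rest of the class are outside the view, so such a test may already exist elsewhere in the file.

```php
/**
 * @ticket 15928
 */
public function test_wp_get_attachment_url_should_force_https_on_front_end_over_https_when_siteurl_is_not_https() {
    $siteurl = get_option( 'siteurl' );
    update_option( 'siteurl', set_url_scheme( $siteurl, 'http' ) );

    $filename = ( DIR_TESTDATA . '/images/test-image.jpg' );
    $contents = file_get_contents( $filename );

    $upload = wp_upload_bits( basename( $filename ), null, $contents );
    $this->assertTrue( empty( $upload['error'] ) );

    $attachment_id = $this->_make_attachment( $upload );

    $is_ssl = is_ssl();
    $_SERVER['HTTPS'] = 'on';
    // Front-end request: is_admin() must be false for the new branch to run.
    set_current_screen( 'front' );

    $url = wp_get_attachment_url( $attachment_id );

    // Cleanup before asserting so a failure does not leak server state.
    $_SERVER['HTTPS'] = $is_ssl ? 'on' : 'off';

    $this->assertSame( set_url_scheme( $url, 'https' ), $url );
}
```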