WordPress.org

Make WordPress Core

Changeset 34932


Ignore:
Timestamp:
10/08/2015 03:08:05 AM (6 years ago)
Author:
johnbillion
Message:

Correctly set the secure flag on the post password cookie based on the scheme of the referring URL, if it's available, instead of the home URL.

Fixes #29641

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-login.php

    r34931 r34932  
    441441     */
    442442    $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
    443     $secure = ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) );
     443    $referer = wp_get_referer();
     444    if ( $referer ) {
     445        $secure = ( 'https' === parse_url( $referer, PHP_URL_SCHEME ) );
     446    } else {
     447        $secure = false;
     448    }
    444449    setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
    445450
Note: See TracChangeset for help on using the changeset viewer.