
Changeset 35342


Timestamp:
10/21/2015 08:37:56 PM (9 years ago)
Author:
johnbillion
Message:

Force the REST API URL to use https for its scheme when the current request is served over HTTPS and the host name matches that of the REST API URL.

This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.

Fixes #34299

Location:
trunk
Files:
2 edited

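--- a/trunk/src/wp-includes/rest-api/rest-functions.php
+++ b/trunk/src/wp-includes/rest-api/rest-functions.php
@@ -255,4 +255,11 @@
     }
 
+    if ( is_ssl() ) {
+        // If the current host is the same as the REST URL host, force the REST URL scheme to HTTPS
+        if ( $_SERVER['SERVER_NAME'] === parse_url( get_home_url( $blog_id ), PHP_URL_HOST ) ) {
+            $url = set_url_scheme( $url, 'https' );
+        }
+    }
+
     /**
      * Filter the REST URL.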
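Review bot: The added check at new line 259 reads `$_SERVER['SERVER_NAME']` without confirming it is set, so an HTTPS request context where that key is absent (the accompanying test's reset branch allows for it being unset) would raise an undefined-index notice; guarding the outer condition as `if ( is_ssl() && isset( $_SERVER['SERVER_NAME'] ) ) {` avoids that. Depending on web server configuration, SERVER_NAME may be derived from the client's Host header, so a short comment stating that the value only decides a scheme upgrade to https and is never used to build the URL would help future readers. The comparison is also case-sensitive, so a host that differs only in letter case would silently keep the http scheme. The enclosing function starts and ends outside this hunk.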
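--- a/trunk/tests/phpunit/tests/rest-api.php
+++ b/trunk/tests/phpunit/tests/rest-api.php
@@ -252,4 +252,63 @@
         // In non-pretty case, we get a query string to invoke the rest router.
         $this->assertEquals( 'http://' . WP_TESTS_DOMAIN . '/?rest_route=/', get_rest_url() );
-    }
+
+    }
+
+    /**
+     * @ticket 34299
+     */
+    public function test_rest_url_scheme() {
+        if ( isset( $_SERVER['HTTPS'] ) ) {
+            $_https = $_SERVER['HTTPS'];
+        }
+        if ( isset( $_SERVER['SERVER_NAME'] ) ) {
+            $_name = $_SERVER['SERVER_NAME'];
+        }
+        $_SERVER['SERVER_NAME'] = parse_url( home_url(), PHP_URL_HOST );
+        $_siteurl = get_option( 'siteurl' );
+
+        // Test an HTTP URL
+        unset( $_SERVER['HTTPS'] );
+        $url = get_rest_url();
+        $this->assertSame( 'http', parse_url( $url, PHP_URL_SCHEME ) );
+
+        // Test an HTTPS URL
+        $_SERVER['HTTPS'] = 'on';
+        $url = get_rest_url();
+        $this->assertSame( 'https', parse_url( $url, PHP_URL_SCHEME ) );
+
+        // Switch to an admin request on a different domain name
+        $_SERVER['SERVER_NAME'] = 'admin.example.org';
+        update_option( 'siteurl', 'http://admin.example.org' );
+        $this->assertNotEquals( $_SERVER['SERVER_NAME'], parse_url( home_url(), PHP_URL_HOST ) );
+
+        set_current_screen( 'edit.php' );
+        $this->assertTrue( is_admin() );
+
+        // Test an HTTP URL
+        unset( $_SERVER['HTTPS'] );
+        $url = get_rest_url();
+        $this->assertSame( 'http', parse_url( $url, PHP_URL_SCHEME ) );
+
+        // Test an HTTPS URL
+        $_SERVER['HTTPS'] = 'on';
+        $url = get_rest_url();
+        $this->assertSame( 'http', parse_url( $url, PHP_URL_SCHEME ) );
+
+        // Reset
+        if ( isset( $_https ) ) {
+            $_SERVER['HTTPS'] = $_https;
+        } else {
+            unset( $_SERVER['HTTPS'] );
+        }
+        if ( isset( $_name ) ) {
+            $_SERVER['SERVER_NAME'] = $_name;
+        } else {
+            unset( $_SERVER['SERVER_NAME'] );
+        }
+        update_option( 'siteurl', $_siteurl );
+        set_current_screen( 'front' );
+
+    }
+
 }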
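Review bot: The reset block at the end of test_rest_url_scheme() (new lines 298–310) only runs when every assertion passes, so a failure would leave `$_SERVER['HTTPS']`, `$_SERVER['SERVER_NAME']` and the current screen modified for later tests; moving the restore into `tearDown()`, or otherwise making it failure-safe, keeps the suite isolated. The second `// Test an HTTPS URL` comment (new line 293) precedes an assertion that expects `http`, so it would read better as `// HTTPS request on a non-matching host: scheme must stay http`. The test updates `siteurl` while the new code compares against the home URL host, so it may be worth confirming that this option change is what the scenario actually needs.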