
Changeset 35351


Timestamp:
10/22/2015 12:07:36 AM (4 years ago)
Author:
johnbillion
Message:

Force the REST API URL to use https for its scheme when the current request is served over HTTPS and the host name matches that of the REST API URL.

This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.

Fixes #34299

Location:
trunk
Files:
2 edited

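--- a/trunk/src/wp-includes/rest-api/rest-functions.php
+++ b/trunk/src/wp-includes/rest-api/rest-functions.php
@@ -255,4 +255,11 @@
     }
 
+    if ( is_ssl() ) {
+        // If the current host is the same as the REST URL host, force the REST URL scheme to HTTPS
+        if ( $_SERVER['SERVER_NAME'] === parse_url( get_home_url( $blog_id ), PHP_URL_HOST ) ) {
+            $url = set_url_scheme( $url, 'https' );
+        }
+    }
+
     /**
      * Filter the REST URL.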
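Review bot: The host check on new line 259 reads `$_SERVER['SERVER_NAME']` without an `isset()` guard and compares it case-sensitively, so a home URL stored with different letter case keeps the REST URL on `http` inside an HTTPS admin, and a request context without that key raises a notice. Depending on web-server configuration (for example Apache with `UseCanonicalName Off`), `SERVER_NAME` can mirror the client-supplied `Host` header; the value is only compared here and never written into `$url`, so the worst outcome is a wrong scheme decision, which the comment could state. I would guard and normalise both sides: `if ( isset( $_SERVER['SERVER_NAME'] ) && strtolower( $_SERVER['SERVER_NAME'] ) === strtolower( (string) parse_url( get_home_url( $blog_id ), PHP_URL_HOST ) ) ) {`. The comment says "REST URL host" while the code compares against the home URL host; the enclosing function starts and ends outside this hunk, so whether the two always coincide cannot be confirmed from here.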
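--- a/trunk/tests/phpunit/tests/rest-api.php
+++ b/trunk/tests/phpunit/tests/rest-api.php
@@ -254,4 +254,54 @@
 
     }
+    /**
+     * @ticket 34299
+     */
+    public function test_rest_url_scheme() {
+        if ( isset( $_SERVER['HTTPS'] ) ) {
+            $_https = $_SERVER['HTTPS'];
+        }
+        $_name = $_SERVER['SERVER_NAME'];
+        $_SERVER['SERVER_NAME'] = parse_url( home_url(), PHP_URL_HOST );
+        $_siteurl = get_option( 'siteurl' );
+
+        set_current_screen( 'edit.php' );
+        $this->assertTrue( is_admin() );
+
+        // Test an HTTP URL
+        unset( $_SERVER['HTTPS'] );
+        $url = get_rest_url();
+        $this->assertSame( 'http', parse_url( $url, PHP_URL_SCHEME ) );
+
+        // Test an HTTPS URL
+        $_SERVER['HTTPS'] = 'on';
+        $url = get_rest_url();
+        $this->assertSame( 'https', parse_url( $url, PHP_URL_SCHEME ) );
+
+        // Switch to an admin request on a different domain name
+        $_SERVER['SERVER_NAME'] = 'admin.example.org';
+        update_option( 'siteurl', 'http://admin.example.org' );
+        $this->assertNotEquals( $_SERVER['SERVER_NAME'], parse_url( home_url(), PHP_URL_HOST ) );
+
+        // // Test an HTTP URL
+        unset( $_SERVER['HTTPS'] );
+        $url = get_rest_url();
+        $this->assertSame( 'http', parse_url( $url, PHP_URL_SCHEME ) );
+
+        // // Test an HTTPS URL
+        $_SERVER['HTTPS'] = 'on';
+        $url = get_rest_url();
+        $this->assertSame( 'http', parse_url( $url, PHP_URL_SCHEME ) );
+
+        // Reset
+        if ( isset( $_https ) ) {
+            $_SERVER['HTTPS'] = $_https;
+        } else {
+            unset( $_SERVER['HTTPS'] );
+        }
+        $_SERVER['SERVER_NAME'] = $_name;
+        update_option( 'siteurl', $_siteurl );
+        set_current_screen( 'front' );
+
+    }
 
 }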
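Review bot: The reset block at new lines 295-303 runs only when every assertion above it passes, so one failure leaves `$_SERVER['HTTPS']`, `$_SERVER['SERVER_NAME']`, the `siteurl` option and the current screen modified for the tests that follow. Taking the snapshot in `setUp()` and restoring it in `tearDown()` would make the cleanup unconditional; the class starts outside this section, so whether such a pair already exists is not visible. `$_SERVER['SERVER_NAME']` is read on line 263 without the `isset()` guard that `HTTPS` gets on line 260, and the `// //` markers on lines 285 and 290 look like leftovers. Because the code under test compares host names with `===`, a case where `SERVER_NAME` differs from the home host only in letter case would pin down the intended behaviour.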