Index: wp-login.php
===================================================================
--- wp-login.php (revision 7994)
+++ wp-login.php (working copy)
@@ -137,7 +137,7 @@
$message .= get_option('siteurl') . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
- $message .= get_option('siteurl') . "/wp-login.php?action=rp&key=$key\r\n";
+ $message .= site_url("wp-login.php?action=rp&key=$key") . "\r\n";
if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) )
die('
' . __('The e-mail could not be sent.') . "
\n" . __('Possible reason: your host may have disabled the mail() function...') . '
');
@@ -174,7 +174,7 @@
wp_set_password($new_pass, $user->ID);
$message = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
$message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
- $message .= get_option('siteurl') . "/wp-login.php\r\n";
+ $message .= site_url('wp-login.php') . "\r\n";
if ( !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) )
die('' . __('The e-mail could not be sent.') . "
\n" . __('Possible reason: your host may have disabled the mail() function...') . '
');
@@ -405,7 +405,7 @@
if ( !is_wp_error($user) ) {
// If the user can't edit posts, send them to their profile.
if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) )
- $redirect_to = get_option('siteurl') . '/wp-admin/profile.php';
+ $redirect_to = admin_url('profile.php');
wp_safe_redirect($redirect_to);
exit();
}
Index: wp-includes/functions.php
===================================================================
--- wp-includes/functions.php (revision 7994)
+++ wp-includes/functions.php (working copy)
@@ -1765,4 +1765,7 @@
return 0;
}
+function is_ssl() {
+ return ( 'on' == strtolower($_SERVER['HTTPS']) ) ? true : false;
+}
?>
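Review bot: `is_ssl()` reads `$_SERVER['HTTPS']` unconditionally, so on a plain-http request where the server never sets that key the function raises an undefined-index notice before returning false; guarding the read keeps the same truth table, `return isset($_SERVER['HTTPS']) && 'on' == strtolower($_SERVER['HTTPS']);` (the `? true : false` around a boolean expression is redundant either way). The variable also only describes the connection to this PHP process: behind a TLS-terminating proxy it is typically absent, so every caller this patch adds (cookie-name selection, the `secure` flag on `setcookie`, the https redirect in `auth_redirect()`) will treat such requests as plain http. A short docblock on the function saying `Returns true only when PHP itself received the request over https; proxies that terminate TLS are not detected` would make that limitation visible to deployers.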
Index: wp-includes/media.php
===================================================================
--- wp-includes/media.php (revision 7994)
+++ wp-includes/media.php (working copy)
@@ -306,7 +306,7 @@
return $image;
if ( $icon && $src = wp_mime_type_icon($attachment_id) ) {
- $icon_dir = apply_filters( 'icon_dir', ABSPATH . WPINC . '/images/crystal' );
+ $icon_dir = apply_filters( 'icon_dir', includes_url('images/crystal') );
$src_file = $icon_dir . '/' . basename($src);
@list($width, $height) = getimagesize($src_file);
}
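Review bot: Changing the `icon_dir` default to `includes_url('images/crystal')` turns `$src_file` on the following line into a URL, so `getimagesize($src_file)` now performs an HTTP fetch of the site's own icon instead of reading it from disk; that silently depends on `allow_url_fopen`, costs a round-trip per call, and under the `@` a failure just yields no width/height. It also changes the contract of the `icon_dir` filter, which previously handed plugins a filesystem directory. Keep the filesystem path for the size lookup, i.e. `$icon_dir = apply_filters( 'icon_dir', ABSPATH . WPINC . '/images/crystal' );`, and let the code that produces `$src` own the URL form (a separate filter can carry the URL if callers need to override it). The enclosing function starts and ends outside this hunk.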
Index: wp-includes/link-template.php
===================================================================
--- wp-includes/link-template.php (revision 7994)
+++ wp-includes/link-template.php (working copy)
@@ -774,4 +774,42 @@
return apply_filters('shortcut_link', $link);
}
+
+// return the site_url option, using https if is_ssl() is true
+// if $scheme is 'http' or 'https' it will override is_ssl()
+function site_url($path = '', $scheme = null) {
+ // should the list of allowed schemes be maintained elsewhere?
+ if ( !in_array($scheme, array('http', 'https')) )
+ $scheme = ( is_ssl() ? 'https' : 'http' );
+
+ $url = str_replace( 'http://', "{$scheme}://", get_option('siteurl') );
+
+ if ( !empty($path) && is_string($path) && strpos($path, '..') === false )
+ $url .= '/' . ltrim($path, '/');
+
+ return $url;
+}
+
+function admin_url($path = '') {
+ global $_wp_admin_url;
+
+ $url = site_url() . '/wp-admin/';
+
+ if ( !empty($path) && is_string($path) && strpos($path, '..') === false )
+ $url .= ltrim($path, '/');
+
+ return $url;
+}
+
+function includes_url($path = '') {
+ global $_wp_includes_url;
+
+ $url = site_url() . '/' . WPINC . '/';
+
+ if ( !empty($path) && is_string($path) && strpos($path, '..') === false )
+ $url .= ltrim($path, '/');
+
+ return $url;
+}
+
?>
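Review bot: `site_url()` only rewrites the literal `http://`, so the `$scheme` override described in its comment is one-directional: when the stored `siteurl` already begins with `https://`, asking for `'http'` leaves it unchanged, and conversely nothing is rewritten if `is_ssl()` is false. `$url = preg_replace('#^https?://#', "{$scheme}://", get_option('siteurl'));` handles both directions and is anchored, so an `http://` appearing later in the string is not touched. The `in_array($scheme, array('http', 'https'))` test is non-strict, so `0` or `true` is accepted as a valid scheme and ends up in the URL; pass `true` as the third argument. `admin_url()` and `includes_url()` each declare a global (`$_wp_admin_url`, `$_wp_includes_url`) that is never read or written in either body, so those lines can be dropped. The comment above `site_url()` should also state that `$path` is appended verbatim apart from the `..` check, so callers must encode query values themselves.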
Index: wp-includes/general-template.php
===================================================================
--- wp-includes/general-template.php (revision 7994)
+++ wp-includes/general-template.php (working copy)
@@ -1139,7 +1139,7 @@
if ( defined('WP_INSTALLING') ) {
$_file = "./$file.css";
} else {
- $_file = get_option( 'siteurl' ) . "/wp-admin/$file.css";
+ $_file = admin_url("$file.css");
}
$_file = add_query_arg( 'version', get_bloginfo( 'version' ), $_file );
Index: wp-includes/pluggable.php
===================================================================
--- wp-includes/pluggable.php (revision 7996)
+++ wp-includes/pluggable.php (working copy)
@@ -469,9 +469,14 @@
*/
function wp_validate_auth_cookie($cookie = '') {
if ( empty($cookie) ) {
- if ( empty($_COOKIE[AUTH_COOKIE]) )
+ if ( is_ssl() )
+ $cookie_name = SECURE_AUTH_COOKIE;
+ else
+ $cookie_name = AUTH_COOKIE;
+
+ if ( empty($_COOKIE[$cookie_name]) )
return false;
- $cookie = $_COOKIE[AUTH_COOKIE];
+ $cookie = $_COOKIE[$cookie_name];
}
$cookie_elements = explode('|', $cookie);
@@ -514,9 +519,10 @@
*
* @param int $user_id User ID
* @param int $expiration Cookie expiration in seconds
+ * @param bool $secure Whether the cookie is for https delivery only or not. Not used by default. For plugin use.
* @return string Authentication cookie contents
*/
-function wp_generate_auth_cookie($user_id, $expiration) {
+function wp_generate_auth_cookie($user_id, $expiration, $secure = false) {
$user = get_userdata($user_id);
$key = wp_hash($user->user_login . '|' . $expiration);
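Review bot: The new `$secure` parameter of `wp_generate_auth_cookie()` is only forwarded to the `auth_cookie` filter; the hash input visible at the end of this hunk, `wp_hash($user->user_login . '|' . $expiration)`, does not include it, so the value issued under `SECURE_AUTH_COOKIE` and the one issued under `AUTH_COOKIE` are identical for the same login and expiration. The `@param` text correctly says it is unused by default, but the docblock should add that the two cookie names carry interchangeable contents, so that `wp_validate_auth_cookie()` choosing a name by `is_ssl()` is read as a delivery-scope separation rather than a separate credential. If a distinct https credential is the intent, the scheme would have to be folded into the hashed string (for example `'|' . ($secure ? 'secure' : '')`) in both the generator and the validator; that is a behaviour change beyond this hunk and needs matching code in the validator, which lies outside this view. The function body continues past the hunk.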
@@ -524,7 +530,7 @@
$cookie = $user->user_login . '|' . $expiration . '|' . $hash;
- return apply_filters('auth_cookie', $cookie, $user_id, $expiration);
+ return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $secure);
}
endif;
@@ -550,13 +556,21 @@
$expire = 0;
}
- $cookie = wp_generate_auth_cookie($user_id, $expiration);
+ if ( is_ssl() ) {
+ $secure = true;
+ $cookie_name = SECURE_AUTH_COOKIE;
+ } else {
+ $secure = false;
+ $cookie_name = AUTH_COOKIE;
+ }
- do_action('set_auth_cookie', $cookie, $expire);
+ $cookie = wp_generate_auth_cookie($user_id, $expiration, $secure);
- setcookie(AUTH_COOKIE, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN);
+ do_action('set_auth_cookie', $cookie, $expire, $secure);
+
+ setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure);
if ( COOKIEPATH != SITECOOKIEPATH )
- setcookie(AUTH_COOKIE, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN);
+ setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure);
}
endif;
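Review bot: Both `setcookie()` calls in `wp_set_auth_cookie()` now pass `$secure` as the sixth argument but leave the seventh (`httponly`) unset, so the authentication cookie remains readable from script on either scheme; if the project's PHP baseline is 5.2 or later, passing `true` there is a one-token change per call with no effect on the cookie name or contents. The `set_auth_cookie` action gains a third argument here, which deserves a line in the function's docblock (`@param bool $secure Whether the cookie was issued for https delivery only`) since plugins hooking it will otherwise not know the extra parameter exists. The function's opening lines are outside this hunk.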
@@ -569,6 +583,8 @@
function wp_clear_auth_cookie() {
setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+ setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+ setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
// Old cookies
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
@@ -604,14 +620,36 @@
*/
function auth_redirect() {
// Checks if a user is logged in, if not redirects them to the login page
- if ( (!empty($_COOKIE[AUTH_COOKIE]) &&
- !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE])) ||
- (empty($_COOKIE[AUTH_COOKIE])) ) {
- nocache_headers();
- wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
- exit();
+ if ( is_ssl() || (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
+ $secure = true;
+ else
+ $secure = false;
+
+ // If https is required and request is http, redirect
+ if ( $secure && !is_ssl() ) {
+ if ( false !== strpos($_SERVER['REQUEST_URI'], 'http') ) {
+ wp_redirect(str_replace('http://', 'https://', $_SERVER['REQUEST_URI']));
+ exit();
+ } else {
+ wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+ exit();
+ }
}
+
+ if ( wp_validate_auth_cookie() )
+ return; // The cookie is good so we're done
+
+ // The cookie is no good so force login
+ nocache_headers();
+
+ $login_url = get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']);
+
+ // Redirect to https if connection is secure
+ if ( $secure )
+ $login_url = str_replace('http://', 'https://', $login_url);
+ wp_redirect($login_url);
+ exit();
}
endif;
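Review bot: The `strpos($_SERVER['REQUEST_URI'], 'http')` test in the new https-forcing branch of `auth_redirect()` is a heuristic that misfires: `REQUEST_URI` is normally a bare path, so the first branch is taken only when some query value happens to contain `http` (a `redirect_to=` parameter, for instance), and there `str_replace('http://', 'https://', …)` rewrites the parameter rather than the scheme — or, if no `http://` substring is present, redirects to the same path on the same scheme again, which loops for as long as `$secure && !is_ssl()` holds. The second branch is the correct construction for every case, so drop the `if` and keep only `wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); exit();`. Further down, `$login_url` is still assembled from `get_option('siteurl')` plus a string replace even though this same patch introduces `site_url()` with a scheme argument; `$login_url = site_url('wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']), $secure ? 'https' : null);` says the same thing in one line and keeps the scheme logic in one place. A comment that `HTTP_HOST` is taken from the request, so the redirect target's host is whatever the client presented, would help whoever next touches this block.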
Index: wp-includes/script-loader.php
===================================================================
--- wp-includes/script-loader.php (revision 7994)
+++ wp-includes/script-loader.php (working copy)
@@ -7,7 +7,7 @@
require( ABSPATH . WPINC . '/functions.wp-styles.php' );
function wp_default_scripts( &$scripts ) {
- $scripts->base_url = get_option( 'siteurl' );
+ $scripts->base_url = site_url();
$scripts->default_version = get_bloginfo( 'version' );
$scripts->add( 'common', '/wp-admin/js/common.js', array('jquery'), '20080318' );
@@ -50,7 +50,7 @@
$scripts->add( 'wp-lists', '/wp-includes/js/wp-lists.js', array('wp-ajax-response'), '20080411' );
$scripts->localize( 'wp-lists', 'wpListL10n', array(
- 'url' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php'
+ 'url' => admin_url('admin-ajax.php')
) );
$scripts->add( 'scriptaculous-root', '/wp-includes/js/scriptaculous/scriptaculous.js', array('prototype'), '1.8.0');
@@ -129,11 +129,11 @@
$scripts->add( 'upload', '/wp-admin/js/upload.js', array('jquery'), '20070518' );
$scripts->add( 'postbox', '/wp-admin/js/postbox.js', array('jquery'), '20080128' );
$scripts->localize( 'postbox', 'postboxL10n', array(
- 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php',
+ 'requestFile' => admin_url('admin-ajax.php'),
) );
$scripts->add( 'slug', '/wp-admin/js/slug.js', array('jquery'), '20080208' );
$scripts->localize( 'slug', 'slugL10n', array(
- 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php',
+ 'requestFile' => admin_url('admin-ajax.php'),
'save' => __('Save'),
'cancel' => __('Cancel'),
) );
@@ -204,7 +204,7 @@
}
function wp_default_styles( &$styles ) {
- $styles->base_url = get_option( 'siteurl' );
+ $styles->base_url = site_url();
$styles->default_version = get_bloginfo( 'version' );
$styles->text_direction = 'rtl' == get_bloginfo( 'text_direction' ) ? 'rtl' : 'ltr';
@@ -258,7 +258,7 @@
'autosaveInterval' => AUTOSAVE_INTERVAL,
'previewPageText' => __('Preview this Page'),
'previewPostText' => __('Preview this Post'),
- 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php',
+ 'requestFile' => admin_url('admin-ajax.php'),
'savingText' => __('Saving Draft…')
) );
}
Index: wp-settings.php
===================================================================
--- wp-settings.php (revision 7994)
+++ wp-settings.php (working copy)
@@ -311,6 +311,13 @@
/**
* It is possible to define this in wp-config.php
+ * @since 2.6
+ */
+if ( !defined('SECURE_AUTH_COOKIE') )
+ define('SECURE_AUTH_COOKIE', 'wordpress_sec_' . COOKIEHASH);
+
+/**
+ * It is possible to define this in wp-config.php
* @since 2.3.0
*/
if ( !defined('TEST_COOKIE') )
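Review bot: The new docblock uses `@since 2.6` while the adjacent block it was copied from uses the three-part form `@since 2.3.0`; keep the file consistent with `@since 2.6.0`. The comment also says only that the constant may be defined in `wp-config.php`; adding what it is for, e.g. `Name of the auth cookie that is only sent over https; used by wp_set_auth_cookie() and wp_validate_auth_cookie() when is_ssl() is true`, tells a reader why a second cookie name exists without having to search pluggable.php.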
Index: wp-admin/users.php
===================================================================
--- wp-admin/users.php (revision 7994)
+++ wp-admin/users.php (working copy)
@@ -396,9 +396,9 @@
' . sprintf(__('Users can register themselves or you can manually create users here.'), get_option('siteurl').'/wp-register.php') . '';
+ echo '' . sprintf(__('Users can register themselves or you can manually create users here.'), site_url('wp-register.php')) . '
';
else
- echo '' . sprintf(__('Users cannot currently register themselves, but you can manually create users here.'), get_option('siteurl').'/wp-admin/options-general.php#users_can_register') . '
';
+ echo '' . sprintf(__('Users cannot currently register themselves, but you can manually create users here.'), admin_url('options-general.php#users_can_register')) . '
';
?>