Index: wp-login.php =================================================================== --- wp-login.php (revision 7994) +++ wp-login.php (working copy) @@ -137,7 +137,7 @@ $message .= get_option('siteurl') . "\r\n\r\n"; $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n"; $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n"; - $message .= get_option('siteurl') . "/wp-login.php?action=rp&key=$key\r\n"; + $message .= site_url("wp-login.php?action=rp&key=$key") . "\r\n"; if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) ) die('

' . __('The e-mail could not be sent.') . "
\n" . __('Possible reason: your host may have disabled the mail() function...') . '

'); @@ -174,7 +174,7 @@ wp_set_password($new_pass, $user->ID); $message = sprintf(__('Username: %s'), $user->user_login) . "\r\n"; $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n"; - $message .= get_option('siteurl') . "/wp-login.php\r\n"; + $message .= site_url('wp-login.php') . "\r\n"; if ( !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) ) die('

' . __('The e-mail could not be sent.') . "
\n" . __('Possible reason: your host may have disabled the mail() function...') . '

'); @@ -405,7 +405,7 @@ if ( !is_wp_error($user) ) { // If the user can't edit posts, send them to their profile. if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) ) - $redirect_to = get_option('siteurl') . '/wp-admin/profile.php'; + $redirect_to = admin_url('profile.php'); wp_safe_redirect($redirect_to); exit(); } Index: wp-includes/functions.php =================================================================== --- wp-includes/functions.php (revision 7994) +++ wp-includes/functions.php (working copy) @@ -1765,4 +1765,7 @@ return 0; } +function is_ssl() { + return ( 'on' == strtolower($_SERVER['HTTPS']) ) ? true : false; +} ?> Index: wp-includes/media.php =================================================================== --- wp-includes/media.php (revision 7994) +++ wp-includes/media.php (working copy) @@ -306,7 +306,7 @@ return $image; if ( $icon && $src = wp_mime_type_icon($attachment_id) ) { - $icon_dir = apply_filters( 'icon_dir', ABSPATH . WPINC . '/images/crystal' ); + $icon_dir = apply_filters( 'icon_dir', includes_url('images/crystal') ); $src_file = $icon_dir . '/' . basename($src); @list($width, $height) = getimagesize($src_file); } Index: wp-includes/link-template.php =================================================================== --- wp-includes/link-template.php (revision 7994) +++ wp-includes/link-template.php (working copy) @@ -774,4 +774,42 @@ return apply_filters('shortcut_link', $link); } + +// return the site_url option, using https if is_ssl() is true +// if $scheme is 'http' or 'https' it will override is_ssl() +function site_url($path = '', $scheme = null) { + // should the list of allowed schemes be maintained elsewhere? + if ( !in_array($scheme, array('http', 'https')) ) + $scheme = ( is_ssl() ? 'https' : 'http' ); + + $url = str_replace( 'http://', "{$scheme}://", get_option('siteurl') ); + + if ( !empty($path) && is_string($path) && strpos($path, '..') === false ) + $url .= '/' . ltrim($path, '/'); + + return $url; +} + +function admin_url($path = '') { + global $_wp_admin_url; + + $url = site_url() . '/wp-admin/'; + + if ( !empty($path) && is_string($path) && strpos($path, '..') === false ) + $url .= ltrim($path, '/'); + + return $url; +} + +function includes_url($path = '') { + global $_wp_includes_url; + + $url = site_url() . '/' . WPINC . '/'; + + if ( !empty($path) && is_string($path) && strpos($path, '..') === false ) + $url .= ltrim($path, '/'); + + return $url; +} + ?> Index: wp-includes/general-template.php =================================================================== --- wp-includes/general-template.php (revision 7994) +++ wp-includes/general-template.php (working copy) @@ -1139,7 +1139,7 @@ if ( defined('WP_INSTALLING') ) { $_file = "./$file.css"; } else { - $_file = get_option( 'siteurl' ) . "/wp-admin/$file.css"; + $_file = admin_url("$file.css"); } $_file = add_query_arg( 'version', get_bloginfo( 'version' ), $_file ); Index: wp-includes/pluggable.php =================================================================== --- wp-includes/pluggable.php (revision 7996) +++ wp-includes/pluggable.php (working copy) @@ -469,9 +469,14 @@ */ function wp_validate_auth_cookie($cookie = '') { if ( empty($cookie) ) { - if ( empty($_COOKIE[AUTH_COOKIE]) ) + if ( is_ssl() ) + $cookie_name = SECURE_AUTH_COOKIE; + else + $cookie_name = AUTH_COOKIE; + + if ( empty($_COOKIE[$cookie_name]) ) return false; - $cookie = $_COOKIE[AUTH_COOKIE]; + $cookie = $_COOKIE[$cookie_name]; } $cookie_elements = explode('|', $cookie); @@ -514,9 +519,10 @@ * * @param int $user_id User ID * @param int $expiration Cookie expiration in seconds + * @param bool $secure Whether the cookie is for https delivery only or not. Not used by default. For plugin use. * @return string Authentication cookie contents */ -function wp_generate_auth_cookie($user_id, $expiration) { +function wp_generate_auth_cookie($user_id, $expiration, $secure = false) { $user = get_userdata($user_id); $key = wp_hash($user->user_login . '|' . $expiration); @@ -524,7 +530,7 @@ $cookie = $user->user_login . '|' . $expiration . '|' . $hash; - return apply_filters('auth_cookie', $cookie, $user_id, $expiration); + return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $secure); } endif; @@ -550,13 +556,21 @@ $expire = 0; } - $cookie = wp_generate_auth_cookie($user_id, $expiration); + if ( is_ssl() ) { + $secure = true; + $cookie_name = SECURE_AUTH_COOKIE; + } else { + $secure = false; + $cookie_name = AUTH_COOKIE; + } - do_action('set_auth_cookie', $cookie, $expire); + $cookie = wp_generate_auth_cookie($user_id, $expiration, $secure); - setcookie(AUTH_COOKIE, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN); + do_action('set_auth_cookie', $cookie, $expire, $secure); + + setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure); if ( COOKIEPATH != SITECOOKIEPATH ) - setcookie(AUTH_COOKIE, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN); + setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure); } endif; @@ -569,6 +583,8 @@ function wp_clear_auth_cookie() { setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); + setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); + setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); // Old cookies setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); @@ -604,14 +620,36 @@ */ function auth_redirect() { // Checks if a user is logged in, if not redirects them to the login page - if ( (!empty($_COOKIE[AUTH_COOKIE]) && - !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE])) || - (empty($_COOKIE[AUTH_COOKIE])) ) { - nocache_headers(); - wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI'])); - exit(); + if ( is_ssl() || (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) ) + $secure = true; + else + $secure = false; + + // If https is required and request is http, redirect + if ( $secure && !is_ssl() ) { + if ( false !== strpos($_SERVER['REQUEST_URI'], 'http') ) { + wp_redirect(str_replace('http://', 'https://', $_SERVER['REQUEST_URI'])); + exit(); + } else { + wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); + exit(); + } } + + if ( wp_validate_auth_cookie() ) + return; // The cookie is good so we're done + + // The cookie is no good so force login + nocache_headers(); + + $login_url = get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']); + + // Redirect to https if connection is secure + if ( $secure ) + $login_url = str_replace('http://', 'https://', $login_url); + wp_redirect($login_url); + exit(); } endif; Index: wp-includes/script-loader.php =================================================================== --- wp-includes/script-loader.php (revision 7994) +++ wp-includes/script-loader.php (working copy) @@ -7,7 +7,7 @@ require( ABSPATH . WPINC . '/functions.wp-styles.php' ); function wp_default_scripts( &$scripts ) { - $scripts->base_url = get_option( 'siteurl' ); + $scripts->base_url = site_url(); $scripts->default_version = get_bloginfo( 'version' ); $scripts->add( 'common', '/wp-admin/js/common.js', array('jquery'), '20080318' ); @@ -50,7 +50,7 @@ $scripts->add( 'wp-lists', '/wp-includes/js/wp-lists.js', array('wp-ajax-response'), '20080411' ); $scripts->localize( 'wp-lists', 'wpListL10n', array( - 'url' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php' + 'url' => admin_url('admin-ajax.php') ) ); $scripts->add( 'scriptaculous-root', '/wp-includes/js/scriptaculous/scriptaculous.js', array('prototype'), '1.8.0'); @@ -129,11 +129,11 @@ $scripts->add( 'upload', '/wp-admin/js/upload.js', array('jquery'), '20070518' ); $scripts->add( 'postbox', '/wp-admin/js/postbox.js', array('jquery'), '20080128' ); $scripts->localize( 'postbox', 'postboxL10n', array( - 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php', + 'requestFile' => admin_url('admin-ajax.php'), ) ); $scripts->add( 'slug', '/wp-admin/js/slug.js', array('jquery'), '20080208' ); $scripts->localize( 'slug', 'slugL10n', array( - 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php', + 'requestFile' => admin_url('admin-ajax.php'), 'save' => __('Save'), 'cancel' => __('Cancel'), ) ); @@ -204,7 +204,7 @@ } function wp_default_styles( &$styles ) { - $styles->base_url = get_option( 'siteurl' ); + $styles->base_url = site_url(); $styles->default_version = get_bloginfo( 'version' ); $styles->text_direction = 'rtl' == get_bloginfo( 'text_direction' ) ? 'rtl' : 'ltr'; @@ -258,7 +258,7 @@ 'autosaveInterval' => AUTOSAVE_INTERVAL, 'previewPageText' => __('Preview this Page'), 'previewPostText' => __('Preview this Post'), - 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php', + 'requestFile' => admin_url('admin-ajax.php'), 'savingText' => __('Saving Draft…') ) ); } Index: wp-settings.php =================================================================== --- wp-settings.php (revision 7994) +++ wp-settings.php (working copy) @@ -311,6 +311,13 @@ /** * It is possible to define this in wp-config.php + * @since 2.6 + */ +if ( !defined('SECURE_AUTH_COOKIE') ) + define('SECURE_AUTH_COOKIE', 'wordpress_sec_' . COOKIEHASH); + +/** + * It is possible to define this in wp-config.php * @since 2.3.0 */ if ( !defined('TEST_COOKIE') ) Index: wp-admin/users.php =================================================================== --- wp-admin/users.php (revision 7994) +++ wp-admin/users.php (working copy) @@ -396,9 +396,9 @@ ' . sprintf(__('Users can register themselves or you can manually create users here.'), get_option('siteurl').'/wp-register.php') . '

'; + echo '

' . sprintf(__('Users can register themselves or you can manually create users here.'), site_url('wp-register.php')) . '

'; else - echo '

' . sprintf(__('Users cannot currently register themselves, but you can manually create users here.'), get_option('siteurl').'/wp-admin/options-general.php#users_can_register') . '

'; + echo '

' . sprintf(__('Users cannot currently register themselves, but you can manually create users here.'), admin_url('options-general.php#users_can_register')) . '

'; ?>
Index: wp-admin/includes/media.php =================================================================== --- wp-admin/includes/media.php (revision 7994) +++ wp-admin/includes/media.php (working copy) @@ -753,7 +753,7 @@ function media_upload_form( $errors = null ) { global $type, $tab; - $flash_action_url = get_option('siteurl') . "/wp-admin/async-upload.php"; + $flash_action_url = admin_url('async-upload.php'); // If Mac and mod_security, no Flash. :( $flash = true; @@ -784,7 +784,7 @@ jQuery(function($){ swfu = new SWFUpload({ upload_url : "", - flash_url : "", + flash_url : "", file_post_name: "async-upload", file_types: "", post_params : { @@ -844,7 +844,7 @@ $post_id = intval($_REQUEST['post_id']); - $form_action_url = get_option('siteurl') . "/wp-admin/media-upload.php?type=$type&tab=type&post_id=$post_id"; + $form_action_url = admin_url("media-upload.php?type=$type&tab=type&post_id=$post_id"); $form_action_url = apply_filters('media_upload_form_url', $form_action_url, $type); $callback = "type_form_$type"; @@ -895,7 +895,7 @@ $post_id = intval($_REQUEST['post_id']); - $form_action_url = get_option('siteurl') . "/wp-admin/media-upload.php?type={$GLOBALS['type']}&tab=gallery&post_id=$post_id"; + $form_action_url = admin_url("media-upload.php?type={$GLOBALS['type']}&tab=gallery&post_id=$post_id"); ?> @@ -934,7 +934,7 @@ $post_id = intval($_REQUEST['post_id']); - $form_action_url = get_option('siteurl') . "/wp-admin/media-upload.php?type={$GLOBALS['type']}&tab=library&post_id=$post_id"; + $form_action_url = admin_url("media-upload.php?type={$GLOBALS['type']}&tab=library&post_id=$post_id"); $_GET['paged'] = intval($_GET['paged']); if ( $_GET['paged'] < 1 ) Index: wp-admin/includes/dashboard.php =================================================================== --- wp-admin/includes/dashboard.php (revision 7994) +++ wp-admin/includes/dashboard.php (working copy) @@ -225,7 +225,7 @@ } if ( $widget_feed_link ) - $links[] = '' . __( 'rss icon' ) . ' ' . __( 'RSS' ) . ''; + $links[] = '' . __( 'rss icon' ) . ' ' . __( 'RSS' ) . ''; $links = apply_filters( "wp_dashboard_widget_links_$widget_id", $links ); Index: wp-admin/post.php =================================================================== --- wp-admin/post.php (revision 7994) +++ wp-admin/post.php (working copy) @@ -159,8 +159,8 @@ } $sendback = wp_get_referer(); - if (strpos($sendback, 'post.php') !== false) $sendback = get_option('siteurl') .'/wp-admin/post-new.php'; - elseif (strpos($sendback, 'attachments.php') !== false) $sendback = get_option('siteurl') .'/wp-admin/attachments.php'; + if (strpos($sendback, 'post.php') !== false) $sendback = admin_url('post-new.php'); + elseif (strpos($sendback, 'attachments.php') !== false) $sendback = admin_url('attachments.php'); $sendback = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $sendback); wp_redirect($sendback); exit(); Index: wp-admin/admin.php =================================================================== --- wp-admin/admin.php (revision 7994) +++ wp-admin/admin.php (working copy) @@ -26,8 +26,8 @@ wp_reset_vars(array('profile', 'redirect', 'redirect_url', 'a', 'popuptitle', 'popupurl', 'text', 'trackback', 'pingback')); -wp_admin_css_color('classic', __('Classic'), get_option( 'siteurl' ) . "/wp-admin/css/colors-classic.css", array('#07273E', '#14568A', '#D54E21', '#2683AE')); -wp_admin_css_color('fresh', __('Fresh'), get_option( 'siteurl' ) . "/wp-admin/css/colors-fresh.css", array('#464646', '#CEE1EF', '#D54E21', '#2683AE')); +wp_admin_css_color('classic', __('Classic'), admin_url("css/colors-classic.css"), array('#07273E', '#14568A', '#D54E21', '#2683AE')); +wp_admin_css_color('fresh', __('Fresh'), admin_url("css/colors-fresh.css"), array('#464646', '#CEE1EF', '#D54E21', '#2683AE')); wp_enqueue_script( 'common' ); wp_enqueue_script( 'jquery-color' ); Index: wp-admin/custom-header.php =================================================================== --- wp-admin/custom-header.php (revision 7994) +++ wp-admin/custom-header.php (working copy) @@ -189,7 +189,7 @@
- + Index: wp-admin/comment.php =================================================================== --- wp-admin/comment.php (revision 7994) +++ wp-admin/comment.php (working copy) @@ -78,7 +78,7 @@ - +
' onclick="self.location='/wp-admin/edit-comments.php';" />' onclick="self.location='" />
@@ -146,7 +146,7 @@ else if ( '' != wp_get_original_referer() && false == $noredir ) wp_redirect( wp_get_original_referer() ); else - wp_redirect( get_option('siteurl') . '/wp-admin/edit-comments.php' ); + wp_redirect( admin_url('edit-comments.php') ); die; break; @@ -171,7 +171,7 @@ if ( '' != wp_get_referer() && false == $noredir ) wp_redirect( wp_get_referer() ); else - wp_redirect( get_option('siteurl') . '/wp-admin/edit.php?p=' . absint( $comment->comment_post_ID ) . '#comments' ); + wp_redirect( admin_url('edit.php?p=' . absint( $comment->comment_post_ID ) . '#comments') ); exit(); break; @@ -200,7 +200,7 @@ if ( '' != wp_get_referer() && false == $noredir ) wp_redirect( wp_get_referer() ); else - wp_redirect( get_option('siteurl') . '/wp-admin/edit.php?p=' . absint( $comment->comment_post_ID ) . '#comments' ); + wp_redirect( admin_url('edit.php?p=' . absint( $comment->comment_post_ID ) . '#comments') ); exit(); break; Index: wp-admin/admin-header.php =================================================================== --- wp-admin/admin-header.php (revision 7994) +++ wp-admin/admin-header.php (working copy) @@ -85,7 +85,7 @@

-
+
@@ -109,7 +109,7 @@ -

%2$s!'), 'profile.php', $user_identity) ?> | | Help') ?> | Forums') ?> |

+

%2$s!'), 'profile.php', $user_identity) ?> | | Help') ?> | Forums') ?> |

screenshot ) : ?> -<?php _e('Current theme preview'); ?> +<?php _e('Current theme preview'); ?>

title, $ct->version, $ct->author) ; ?>

description; ?>

@@ -126,7 +126,7 @@ ?> - +