Make WordPress Core

Opened 15 years ago

Closed 12 years ago

#10253 closed defect (bug) (fixed)

Use https for wp-pass.php if SSL login configured

Reported by: ryan's profile ryan Owned by: ryan's profile ryan
Milestone: 3.4 Priority: normal
Severity: normal Version: 2.8
Component: Security Keywords: https ssl
Focuses: Cc:


get_the_password_form() should use https for the wp-pass.php link in the form action attribute if secure logins are configured. This is probably as easy as using site_url('wp-pass.php', 'login')

Change History (8)

#1 @Denis-de-Bernardy
15 years ago

while we're on the same topic, this, in wp-pass.php, seems like garbage:

if ( get_magic_quotes_gpc() )
	$_POST['post_password'] = stripslashes($_POST['post_password']);

should be:

$_POST['post_password'] = stripslashes($_POST['post_password']);

#2 @johnbillion
15 years ago

I can see the thinking behind this suggestion, but inputting post passwords and logging into the admin area are two exclusive actions and the setting for one shouldn't have an affect on the other. The administration over SSL settings are for administration after all, not for visitors using the front end.

#3 @ryan
15 years ago

The login SSL settings are separate from the admin settings.

#4 @Denis-de-Bernardy
15 years ago

There also is the issue when the password is actually set in the editor. When a password is present, it should ideally send the request over SSL.

See also #10267 and #10268.

#6 @ryan
15 years ago

  • Milestone changed from 2.9 to Future Release

#7 @westi
14 years ago

  • Cc westi added

#8 @nacin
12 years ago

  • Milestone changed from Future Release to 3.4
  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.