WordPress.org

Make WordPress Core

Opened 8 years ago

Closed 5 years ago

#10253 closed defect (bug) (fixed)

Use https for wp-pass.php if SSL login configured

Reported by: ryan
Owned by: ryan
Milestone: 3.4
Priority: normal
Severity: normal
Version: 2.8
Component: Security
Keywords: https ssl
Focuses:
Cc:

Description

get_the_password_form() should use https for the wp-pass.php link in the form action attribute if secure logins are configured. This is probably as easy as using site_url('wp-pass.php', 'login').

Change History (8)

#1 @Denis-de-Bernardy
8 years ago

While we're on the same topic, this, in wp-pass.php, seems like garbage:

if ( get_magic_quotes_gpc() )
	$_POST['post_password'] = stripslashes($_POST['post_password']);

should be:

$_POST['post_password'] = stripslashes($_POST['post_password']);

#2 @johnbillion
8 years ago

I can see the thinking behind this suggestion, but inputting post passwords and logging into the admin area are two exclusive actions and the setting for one shouldn't have an effect on the other. The administration over SSL settings are for administration after all, not for visitors using the front end.

#3 @ryan
8 years ago

The login SSL settings are separate from the admin settings.

#4 @Denis-de-Bernardy
8 years ago

There also is the issue when the password is actually set in the editor. When a password is present, it should ideally send the request over SSL.

See also #10267 and #10268.

#6 @ryan
8 years ago

  • Milestone changed from 2.9 to Future Release

#7 @westi
7 years ago

  • Cc westi added

#8 @nacin
5 years ago

  • Milestone changed from Future Release to 3.4
  • Resolution set to fixed
  • Status changed from new to closed