Opened 5 years ago

Closed 4 years ago

#14835 closed defect (bug) (fixed)

Theme header_image fails to load when not in HTTPS

Reported by: dturvene
Owned by:
Milestone: 3.1
Priority: normal
Severity: minor
Version: 3.0
Component: Themes
Keywords: has-patch
Focuses:
Cc:

Description

Server Setup: Linux, Firefox/Chrome, Apache

My server uses a self-generated SSL certificate. A Firefox/Chrome browser profile will challenge the user the first time mysite is accessed using HTTPS to allow an insecure certificate.

WordPress general access uses HTTP. WordPress admin uses HTTPS.

Using Twenty Ten theme (and others) I select a new header image. This sets header_image to

https://../wp-content/themes/twentyten/images/headers/sunset.jpg

in the mods_Twenty Ten.

The header_image will silently fail to load when a user has not previously accepted the private security certificate of my site.
It is retrieved in wp-includes/theme.php get_header_image().

The programmatic fix for this seems to be to store references to common widgets using only HTTP and not HTTPS.

Non programmatic fixes (I implemented #2 below):

1) Generate a certificate by a public CA.

2) Modify mods_Twenty Ten using mysql:

use wordpress;

select option_name,option_value from wp_options where option_name="mods_Twenty Ten";

UPDATE wp_options SET option_value='a:2:{s:12:"header_image";s:79:"http://.../wp-content/themes/twentyten/images/header/sunset.jpg";s:18:"nav_menu_locations";a:1:{s:7:"primary";i:16;}}' WHERE option_name="mods_Twenty Ten";

Attachments (2)

14835.diff (640 bytes) - added by nacin 4 years ago.
14835.2.diff (643 bytes) - added by nacin 4 years ago.


Change History (10)

comment:1 @dturvene 5 years ago

  • Cc dturvene added

comment:2 @nacin 5 years ago

  • Milestone changed from Awaiting Review to 3.1

Since we're storing an absolute value here (and I'm not sure we can avoid that because it might be either an image in the theme versus an upload), we probably just need to do an http/https check, pick which to serve based on is_ssl().

comment:3 @hakre 5 years ago

Indeed, the backend must get the proper HTTP/HTTPS setting for the frontend prior to storing the address of the header image in the database.

comment:4 @jane 4 years ago

  • Keywords needs-patch added

Sounds like there's agreement on approach; anyone willing to write the patch so we can get it in before freeze?

comment:5 @kawauso 4 years ago

Related: #14678

comment:6 @nacin 4 years ago

  • Keywords has-patch added; needs-patch removed

Can someone check this?

@nacin 4 years ago

@nacin 4 years ago

comment:7 @ryan 4 years ago

Seems fine. Someday we should introduce set_url_scheme().

comment:8 @automattor 4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [16846]) Make get_header_image() ssl-aware. fixes #14835.
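
One way to do the scheme check proposed in comment:2, as an added example that is not the patch committed in [16846]: the function name and the example.test URL are assumptions, and the boolean parameter stands in for WordPress's is_ssl(). It also re-serializes the theme-mods array, because the s:N length prefix in the manual SQL workaround from the description has to equal the byte length of the new string.

```php
<?php
// Added example, not WordPress core code. example_match_scheme() and the
// example.test URLs are hypothetical; sample data below is constructed.

/**
 * Return $stored_url with its scheme matched to the current request.
 * In WordPress the caller would pass is_ssl() as $request_is_ssl.
 */
function example_match_scheme(string $stored_url, bool $request_is_ssl): string
{
    // Only rewrite absolute http/https URLs; leave anything else untouched.
    if (!preg_match('#^https?://#i', $stored_url)) {
        return $stored_url;
    }
    $scheme = $request_is_ssl ? 'https://' : 'http://';
    return preg_replace('#^https?://#i', $scheme, $stored_url, 1);
}

// Constructed value, as saved from an admin session that runs over HTTPS.
$stored = 'https://example.test/wp-content/themes/twentyten/images/headers/sunset.jpg';

// Front end served over HTTP: the image is fetched over HTTP, so the visitor
// never has to accept the self-signed certificate just to see the header.
echo example_match_scheme($stored, false), PHP_EOL;

// Admin served over HTTPS: the image stays on HTTPS, so no mixed content.
echo example_match_scheme($stored, true), PHP_EOL;

// Manual clean-up of an already stored option: decode, change, re-encode.
// serialize() recomputes the s:N byte count that a hand edit can get wrong.
$option_value = serialize([
    'header_image'       => $stored,
    'nav_menu_locations' => ['primary' => 16],
]);

// allowed_classes => false keeps unserialize() from instantiating objects.
$mods = unserialize($option_value, ['allowed_classes' => false]);
$mods['header_image'] = example_match_scheme($mods['header_image'], false);

echo serialize($mods), PHP_EOL;
```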
