Make WordPress Core

Opened 12 years ago

Closed 12 years ago

#19665 closed defect (bug) (fixed)

Plugin installer beaks https URLs

Reported by: sirzooro's profile sirzooro Owned by: duck_'s profile duck_
Milestone: 3.4 Priority: normal
Severity: normal Version: 3.3
Component: Upgrade/Install Keywords: has-patch
Focuses: Cc:

Description

From plugin installer search for plugin which has https link(s) in its readme.txt (e.g. AntiVirus). When you show details for such plugin, all https links will be broken - they will be prefixed by link to plugin's page in repository. I am not sure if API returns such links, or this prefix is added on WP side.

These link(s) are displayed correctly on wordpress.org plugin's page.

Attachments (3)

19665.patch (583 bytes) - added by SergeyBiryukov 12 years ago.
19665.2.diff (538 bytes) - added by duck_ 12 years ago.
19665.3.patch (606 bytes) - added by SergeyBiryukov 12 years ago.

Download all attachments as: .zip

Change History (8)

#1 @SergeyBiryukov
12 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Awaiting Review to 3.4

Links in plugin descriptions go through links_add_base_url().

The problem is that _links_add_base() only checks for http:
http://core.trac.wordpress.org/browser/tags/3.3/wp-includes/formatting.php#L2815

@duck_
12 years ago

#2 @duck_
12 years ago

19665.2.diff doesn't prepend anything that starts with a protocol like string (e.g. mailto:, irc:, svn:) and ensures that the URL actually begins with said protocol rather than just appearing somewhere in it.

#3 @sirzooro
12 years ago

@duck_: mailto protocol does not use slashes - e.g. mailto:someone@somewhere.com. So your path should look for ":" after word only.

#4 @SergeyBiryukov
12 years ago

19665.3.patch uses wp_allowed_protocols() for additional validation.

#5 @duck_
12 years ago

  • Owner set to duck_
  • Resolution set to fixed
  • Status changed from new to closed

In [20466]:

Recognise protocols other than "http" in _links_add_base(). Props SergeyBiryukov. Fixes #19665.

Previously "https" URLs used in plugin READMEs displayed by install_plugin_information() would have the plugin's extend URL prepended.

Note: See TracTickets for help on using tickets.