Make WordPress Core

Opened 2 years ago

Closed 8 months ago

Last modified 8 months ago

#19707 closed enhancement (worksforme)

admin-ajax.php requests via http regardless of force_ssl_admin() state

Reported by: robertaccettura
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords:
Focuses:
Cc:


Noticing these requests failing:

"NetworkError: 403 Forbidden - http://HOSTNAMEwp-admin/admin-ajax.php"

My server explicitly denies http to wp-admin. SSL only.

Looks like admin_url() is giving http rather than https. I suspect this bug actually lies somewhere in get_site_url(), but I don't have time to triage this right now.

This is technically a security bug since WP should always obey force_ssl_admin(), but I don't think anything is being leaked or compromised. You don't get access to anything, and nothing being sent over the wire is sensitive since it still obeys the rules of the protocol (cookie is secure). It's just a nuisance.

Change History (5)

comment:1 robertaccettura 2 years ago

  • Type changed from defect (bug) to enhancement

Further investigation shows this is likely a plugin creating these requests using:

var ajax_url = '<?php echo admin_url("admin-ajax.php", null); ?>';

This, however, is indicative of the lack of a proper AJAX API on the frontend, forcing plugin developers to resort to using an admin_url to serve their needs. This is problematic and conflicts with things like SSL admin.

May I suggest an equivalent wp-user-ajax.php for example and wp_user_ajax_my_action action? Switching existing plugins would be as trivial as swapping a few characters. This would be more secure since it encourages separation of wp-admin from user related functions.

comment:2 kurtpayne 2 years ago

  • Cc kpayne@… added
  • Keywords reporter-feedback added

Can you use a tool like Firebug or Chrome/Safari developer tools to see what "action" parameter is being passed to admin-ajax.php? This will tell you if it's from the core. If it's not from the core, the action parameter should give you a clue about which plugin is making the request.

comment:3 lightningspirit 2 years ago

  • Component changed from Security to HTTP
  • Keywords has-patch dev-feedback added

The admin_url() and home_url() functions can override SSL through the second parameter, by passing 'http' or 'https'.

I suggest creating an ajax_url() function to choose dynamically whether it should use 'https' or 'http'. Something like:

function ajax_url( $url, $scheme = null ) {
  // If $scheme is passed use it, otherwise test if the current request is HTTPS
  $scheme = $scheme ? $scheme : ( is_ssl() ? 'https' : 'http' );
  return admin_url( "admin-ajax.php", $scheme );
}

That could be easier for developers! :)

comment:4 dd32 8 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Calling admin_url( 'admin-ajax.php' ); without a scheme, or passing 'admin' (the default) as the scheme, will result in it respecting the SSL-for-admin.

A plugin developer can always override these and do things badly, but that's a plugin code issue; it's not something core can support (if a plugin requests something specific, we give it just as it asked for).
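
An added example, not part of the ticket or of WordPress core: a small Python audit that scans plugin source for admin_url() calls on admin-ajax.php and flags any that pass a second argument other than 'admin', the case comment:4 describes as a plugin overriding the SSL-for-admin behaviour. The function names and the sample source are constructed for illustration.

```python
import re

# admin_url( '<path with admin-ajax.php>' [, <scheme expression>] )
# The lookbehind skips get_admin_url(), network_admin_url(), etc.
CALL = re.compile(
    r"""(?<!\w)admin_url\(\s*(['"])(?P<path>[^'"]*admin-ajax\.php[^'"]*)\1\s*"""
    r"(?:,\s*(?P<scheme>[^)]*?)\s*)?\)",
    re.IGNORECASE,  # PHP function names are case-insensitive
)

def classify(scheme):
    """'ok' when scheme selection is left to core, otherwise 'review'."""
    if scheme is None or scheme in ("'admin'", '"admin"'):
        return "ok"      # no scheme, or the default 'admin' scheme
    return "review"      # null, 'http', 'https', a variable, an expression

def audit(source, filename="<plugin>"):
    """Return (filename, line number, scheme text, verdict) for each call found.

    A scheme expression containing parentheses is cut at the first ')',
    but the call is still reported as 'review'.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL.finditer(line):
            scheme = m.group("scheme")
            findings.append((filename, lineno, scheme, classify(scheme)))
    return findings

# Constructed sample; line 5 is the pattern quoted in comment:1.
SAMPLE = '''<?php
// constructed plugin snippets
$a = admin_url( 'admin-ajax.php' );
$b = admin_url( 'admin-ajax.php', 'admin' );
var ajax_url = '<?php echo admin_url("admin-ajax.php", null); ?>';
$d = admin_url( 'admin-ajax.php', 'http' );
$e = admin_url( 'options.php', 'http' );
'''

if __name__ == "__main__":
    for name, lineno, scheme, verdict in audit(SAMPLE, "sample.php"):
        print(f"{name}:{lineno}: scheme={scheme!r} -> {verdict}")
```

Run over a plugin directory, the 'review' hits give a short list of files to check against the "action" parameter seen in the browser's network panel.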

comment:5 dd32 8 months ago

  • Component changed from HTTP to Administration
  • Keywords reporter-feedback has-patch dev-feedback removed