Opened 11 years ago
Closed 9 years ago
#27565 closed defect (bug) (fixed)
Recent Posts Widget should include scheme in cache key
Reported by: | dllh | Owned by: | wonderboymusic |
---|---|---|---|
Milestone: | 4.4 | Priority: | normal |
Severity: | normal | Version: | 2.8 |
Component: | Widgets | Keywords: | needs-patch |
Focuses: | Cc: |
Description
Repro:
- Run WP on a site with SSL enabled but optional and with an object cache.
- Enable the Recent Posts widget.
- Create some posts.
- Visit the site from the non-SSL url.
- Now visit the site from the SSL url.
Expected: Items linked in the recent posts widget will use the same scheme as the site itself.
Actual: Whatever was last cached is what's used. The result is that if you visited the site via https but someone else cached data from http, you'll get insecure links when your expectation is that you'll continue to browse the site via ssl.
This can be fixed by using the scheme in the cache key so that we're always serving the right links when served from the object cache.
Attachments (4)
Change History (16)
#1
follow-ups:
↓ 2
↓ 3
@
11 years ago
- Keywords has-patch added
- Milestone changed from Awaiting Review to Future Release
- Version set to 2.8
#2
in reply to:
↑ 1
@
11 years ago
Replying to johnbillion:
Even better would be to use
home_url()
in the cache key, but this makes it likely to become longer than the allowed key size of 64 chars.
I guess you could hash the home_url() or something. That makes it a little less obvious what you're looking at if you happen to be peeking at cache keys, but it's also more resilient to hostname changes.
#3
in reply to:
↑ 1
@
10 years ago
Replying to johnbillion:
Even better would be to use
home_url()
in the cache key, but this makes it likely to become longer than the allowed key size of 64 chars.
I think using home_url is probably a little excessive, if we are really worried about cache pollution when home_url changes we can just hook the purging function onto that too.
#6
follow-up:
↓ 7
@
9 years ago
- Keywords commit added
Refreshed westi's patch. Can anyone see anything wrong with it?
#7
in reply to:
↑ 6
@
9 years ago
- Keywords commit removed
Replying to obenland:
Refreshed westi's patch. Can anyone see anything wrong with it?
What about the situation where the site can be accessed via multiple domains? For instance, if setting the WP_HOME
constant to include $_SERVER['HTTP_HOST']
, then the cached values could be wrong.
So what if instead of using is_ssl() ? 'https' : 'http'
in the cache key, it instead uses home_url()
?
This would necessarily change how the cache deletion is done, since it wouldn't be known all of the possible home URLs that could appear. So the cached value could instead be an array of cached outputs mapped to the home_url
that was active for that given cache. In that way, you can still just delete one cache value and it will purge the caches for all variations of the home URL.
This ticket was mentioned in Slack in #core by obenland. View the logs.
9 years ago
#10
@
9 years ago
- Owner changed from obenland to wonderboymusic
- Status changed from accepted to assigned
why on earth are we caching the HTML output? The only other place this is done is the 2011 Ephemera widget
#11
@
9 years ago
27565.3.diff ditches the cache completely. No other widgets, except for Recent Comments, cache like this. This was 7 releases before $split_the_query
. Without an object cache, these queries already happen. With an object cache, posts are served from the cache. This will remove any cached scheme weirdness automatically.
Even better would be to use
home_url()
in the cache key, but this makes it likely to become longer than the allowed key size of 64 chars.