Make WordPress Core

Opened 10 years ago

Closed 7 years ago

#28658 closed defect (bug) (duplicate)

is_ssl() may fail on ssl, relying on mod_ssl.

Reported by: mampf
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.9.1
Component: Security
Keywords:
Focuses:
Cc:

Description

Dear developers,

in functions.php, you rely on reading

$_SERVER['HTTPS']
'443' == $_SERVER['SERVER_PORT']

to detect whether SSL is enabled or not. This is not sufficient.

The hoster uberspace (and probably many more) uses pound as an https frontend. Pound and others will not set 'HTTPS', but 'ENV:HTTPS'.

Thus, if on a pound server with a non-standard-port, this function will return "false" when the opposite is true.

Please check for ENV:HTTPS as well (and probably others).

Thanks.

Code link

Change History (5)

#1 @johnbillion
10 years ago

  • Keywords reporter-feedback 2nd-opinion added

Thanks for the report mampf.

Here are some previous discussions relating to SSL proxies / load balancers: #19337, #24394, #28443. The consensus is that the proxy should be correctly setting the environment variables rather than each application having to check multiple different environment variables in an attempt to support many different possible configurations.

For what reason does Pound not set the HTTPS environment variable?

#2 @mampf
10 years ago

Hello John,

I think it just can't. This "proxy" is transparent to apache, like apache/nginx is transparent to tomcat. I don't know how the port is set correctly in apache. Honestly I don't know why pound is not able to change $_SERVERHTTP?.

A long-term solution would be to mark this function as deprecated and only set the server-relative path (host/path) everywhere, omitting the protocol (http: or https:). The downside: You'd need to change every image-link in the database.

I think there might be legitimate situations where a proxy cannot change the environment variable. Perhaps a ticket on pound's bug tracker would be helpful.

#3 @mampf
10 years ago

Another idea would be to include images not via http:// or https://, but just using server/path/to/image/.
This would work in any way with any configuration, as the client's browser figures out which protocol to use.

#4 @DrewAPicture
9 years ago

  • Component changed from General to Security

#5 @dd32
7 years ago

  • Keywords reporter-feedback 2nd-opinion removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Ultimately it's down to the server configuration to properly let the applications know that SSL is in use - forwarding variables which the application cannot detect as coming from a legitimate upstream is a challenge in itself, which has been greatly discussed in #31288.
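
Added example, not part of the ticket or of WordPress core: one way a site behind a TLS-terminating frontend could signal HTTPS to is_ssl() from wp-config.php while believing a forwarded-protocol header only when the connection comes from a known proxy address, which is the trust problem the closing comment describes. The X-Forwarded-Proto header, the proxy addresses and the function name are assumptions, and the frontend must overwrite any client-supplied copy of that header.

```php
<?php
// Added example for wp-config.php, placed before wp-settings.php is loaded.
// Hypothetical allowlist: the addresses the TLS frontend connects from.
const EXAMPLE_TRUSTED_TLS_PROXIES = array( '127.0.0.1', '::1' );

/**
 * Decide whether the client reached the site over TLS.
 *
 * @param array $server          Request environment, normally $_SERVER.
 * @param array $trusted_proxies Peer addresses allowed to assert the protocol.
 * @return bool
 */
function example_request_is_https( array $server, array $trusted_proxies ) {
	// Direct TLS: the two inputs quoted in the ticket description.
	if ( isset( $server['HTTPS'] ) ) {
		$https = strtolower( (string) $server['HTTPS'] );
		if ( 'on' === $https || '1' === $https ) {
			return true;
		}
	}
	if ( isset( $server['SERVER_PORT'] ) && '443' === (string) $server['SERVER_PORT'] ) {
		return true;
	}

	// Forwarded hint: any client can send this header, so it is ignored
	// unless the TCP peer is one of the known proxies.
	$peer = isset( $server['REMOTE_ADDR'] ) ? (string) $server['REMOTE_ADDR'] : '';
	if ( ! in_array( $peer, $trusted_proxies, true ) ) {
		return false;
	}

	// Assumed header name; use whatever the frontend is configured to send.
	$proto = isset( $server['HTTP_X_FORWARDED_PROTO'] )
		? (string) $server['HTTP_X_FORWARDED_PROTO']
		: '';

	return 'https' === strtolower( trim( $proto ) );
}

if ( example_request_is_https( $_SERVER, EXAMPLE_TRUSTED_TLS_PROXIES ) ) {
	// is_ssl() now finds the value it already checks for.
	$_SERVER['HTTPS'] = 'on';
}
```

If the web server is also reachable without passing through the frontend, restrict that path at the network level so that only the proxy can connect from an allowlisted address.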
