Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 6 years ago

#32354 closed defect (bug) (duplicate)

is_ssl() does not work on cloud hosting

Reported by: mdawart
Owned by: chriscct7
Milestone:
Priority: normal
Severity: normal
Version: 4.1
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

On our client's cloud hosting, neither $_SERVER['HTTPS'] nor '443' == $_SERVER['SERVER_PORT'] is set, so WordPress is not able to determine whether it is called via https or not, and activating the force SSL setting leads to a redirect loop.

I've modified the is_ssl function to detect for environments like those:

/**
 * Determine if SSL is used.
 *
 * @since 2.6.0
 *
 * @return bool True if SSL, false if not used.
 */
function is_ssl() {
	if ( isset($_SERVER['HTTPS']) ) {
		if ( 'on' == strtolower($_SERVER['HTTPS']) )
			return true;
		if ( '1' == $_SERVER['HTTPS'] )
			return true;
	} elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
		return true;
	} elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && ( 'https' == $_SERVER['HTTP_X_FORWARDED_PROTO'] )) {
		return true;
	}
	return false;
}


Attachments (2)

32354.patch (1.2 KB) - added by chriscct7 9 years ago.
32354.2.patch (1.3 KB) - added by chriscct7 9 years ago.
If port for HTTPS is used set SERVER var


Change History (9)

#1 @chriscct7
9 years ago

  • Component changed from Security to Permalinks
  • Keywords needs-patch dev-feedback added
  • Owner set to chriscct7
  • Status changed from new to assigned
  • Version changed from 4.1.1 to 4.1

There should really be a filter in there, perhaps 2 (one general one at the bottom and one earlier that does isset SERVER PORT so it can check a custom https port).

Also

// if site is set to run on SSL, then force-enable SSL detection!
if (stripos(get_option('siteurl'), 'https://') === 0) {
    $_SERVER['HTTPS'] = 'on';
}

Needs to be a patch file. Will review and work on this a bit.

Last edited 9 years ago by chriscct7

@chriscct7
9 years ago

#2 @chriscct7
9 years ago

  • Keywords has-patch needs-testing added; needs-patch removed

Related #19654, #19337, #15733

@chriscct7
9 years ago

If port for HTTPS is used set SERVER var

#3 @chriscct7
9 years ago

  • Milestone changed from Awaiting Review to 4.3
  • Status changed from assigned to accepted

#4 @chriscct7
9 years ago

  • Keywords needs-nacin added

This needs to be reviewed extensively before merge

#5 @dd32
9 years ago

  • Component changed from Permalinks to General
  • Keywords needs-nacin removed
  • Milestone 4.3 deleted
  • Resolution set to duplicate
  • Status changed from accepted to closed

Duplicate of #31288.

I don't believe we can trust the HTTP_X_FORWARDED_PROTO variable, as clients can set it, bypassing any checks which rely upon is_ssl().

The correct method is to either
a) Fix the server variables in the server to reflect the upstream proxy
b) Fix the server variables in wp-config.php to reflect the upstream proxy

You can see my full reasoning here: https://core.trac.wordpress.org/ticket/31288#comment:11
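
The wp-config.php approach from option (b) above, as an added example that is not part of the ticket or of WordPress core: it honours X-Forwarded-Proto only when the connection comes from a known proxy. The helper name `example_forwarded_https`, the `$example_trusted_proxies` list and its addresses are assumptions made for illustration.

```php
<?php
// Added example for wp-config.php; it must run before wp-settings.php is loaded.
// ASSUMPTION: these are the addresses of your TLS-terminating proxies
// (constructed documentation addresses, replace with your own).
$example_trusted_proxies = array( '192.0.2.10', '2001:db8::10' );

/**
 * Hypothetical helper (not a WordPress function): true only when the direct
 * peer is a trusted proxy AND that proxy reports the client connection as https.
 */
function example_forwarded_https( array $server, array $trusted_proxies ) {
	$peer = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
	if ( false === filter_var( $peer, FILTER_VALIDATE_IP ) ) {
		return false;
	}
	// Compare packed addresses so different spellings of one IPv6 address match.
	$peer_packed = inet_pton( $peer );
	$from_proxy  = false;
	foreach ( $trusted_proxies as $proxy ) {
		if ( inet_pton( $proxy ) === $peer_packed ) {
			$from_proxy = true;
			break;
		}
	}
	if ( ! $from_proxy ) {
		// The header came straight from a client, so it is client-controlled: ignore it.
		return false;
	}
	$proto = isset( $server['HTTP_X_FORWARDED_PROTO'] ) ? $server['HTTP_X_FORWARDED_PROTO'] : '';
	// Exact match only; a list such as "https, http" is treated as not secure.
	return 'https' === strtolower( trim( $proto ) );
}

if ( example_forwarded_https( $_SERVER, $example_trusted_proxies ) ) {
	// is_ssl() reads this variable; it is set only for requests relayed by a trusted proxy.
	$_SERVER['HTTPS'] = 'on';
}

// Constructed sample requests, evaluated only when run from the command line.
if ( 'cli' === PHP_SAPI ) {
	$spoofed = array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https' );
	$proxied = array( 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https' );
	$plain   = array( 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http' );
	var_dump( example_forwarded_https( $spoofed, $example_trusted_proxies ) );
	var_dump( example_forwarded_https( $proxied, $example_trusted_proxies ) );
	var_dump( example_forwarded_https( $plain, $example_trusted_proxies ) );
}
```

This only holds if the proxy overwrites any X-Forwarded-Proto value sent by the client and the web server cannot be reached without going through the proxy.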

#6 @chriscct7
9 years ago

  • Keywords dev-feedback needs-testing removed

Makes sense

#7 @tsaweb
6 years ago

I am having a problem (error 500) where the client's site https://descubraoguaruja.com.br is not being displayed.

The hosting provider reported an error in the files (functions.php) and (load.php), pointing to the line where the function checks for the existence of SSL.

Has anyone run into this problem before?
