Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#35120 closed defect (bug) (fixed)

Insert attachment should not always https

Reported by: hnle's profile hnle Owned by: joemcgill's profile joemcgill
Milestone: 4.5 Priority: normal
Severity: normal Version: 4.6
Component: Media Keywords: https
Focuses: administration Cc:


In [35804], WP_CONTENT_URL began to reflect current url scheme.

so, Image url when insert from editor with https (and front is http) will have https.

but some case like using Self-signed certificate, or like local-only ssl admin, admin only ssl... ―― they are not recommended but some user using it ―― the image cannot show in front (non-admin user:viewer)

If wp_get_attachment_url's response filtered like below, it will well but it need some conditional branching.

add_filter('wp_get_attachment_url',function($url) {
  return set_url_scheme($url ,'http');

(p.s. is this a plugin territory?)

Change History (7)

#1 @joemcgill
9 years ago

  • Keywords https needs-patch added
  • Owner set to joemcgill
  • Status changed from new to reviewing

Hi @hnle,

Thanks for the report. This definitely looks like a bug. WP_CONTENT_URL is used in wp_upload_dir() to build the URL to the uplods directory, which is then used throughout many functions in core. The one that is affecting you is get_image_tag(), which is used to build the HTML for an image before inserting it into a post.

Related history can be found in #15928.

#2 @johnbillion
9 years ago

  • Keywords reporter-feedback added
  • Version changed from trunk to 4.4

@hnle Would you let us know the following please?

  1. What's the value of the "WordPress Address" and "Site Address" fields on the Settings screen?
  2. Are you using the FORCE_SSL_ADMIN constant in your wp-config.php file?
  3. Are you using the WP_HOME or WP_SITEURL constants in your wp- config.php file?
Last edited 9 years ago by johnbillion (previous) (diff)

#3 @hnle
9 years ago

Oh... my current test environment (latest trunk) is multisite...
but its site not using FORCE_SSL_ADMIN (so self input https) and no using their const, and their site-url, home are both like (I think it is edge case)

in other side, in the current public env (4.4 stable) which using FORCE_SSL_ADMIN looks not have this issue.

#4 @johnbillion
9 years ago

  • Keywords reporter-feedback removed
  • Milestone changed from Awaiting Review to 4.4.1

#5 @johnbillion
9 years ago

In 36061:

Revert [35804]. This change has unintended side effects, notably that media URLs in the admin area now unexpectedly use the https scheme. A more comprehensive approach will be taken in 4.5.

See #13941, #35120

#6 @johnbillion
9 years ago

  • Keywords needs-patch removed
  • Milestone changed from 4.4.1 to 4.5
  • Version changed from 4.4 to trunk

#7 @johnbillion
9 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed
Note: See TracTickets for help on using tickets.