Make WordPress Core

Opened 5 years ago

Last modified 21 months ago

#47817 new defect (bug)

Using file editor ignores schema and always uses http

Reported by: jeffpaulkinsta
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.2.2
Component: Filesystem API
Keywords: reporter-feedback
Focuses: administration
Cc:

Description

When editing a template/theme or plugin file with the WordPress file editor, the internal loopback which I assume uses wp-json does not honor the schema of the siteurl.

For example:
Siteurl: https://kinsta.com

The request will come through as http://kinsta.com
If SSL is forced at the server level, this will force the https:// schema.

This was recently discovered and was failing because a user's SSL intermediate chain was missing, so the site would edit fine without HTTPS forced, but with SSL forced it would fail.

We were able to identify the chain issue due to this error occurring when force HTTPS was enabled in Nginx:

Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

Change History (2)

#1 @kadamwhite
5 years ago

  • Focuses administration added; rest-api removed

The file editor does not utilize the REST API, so this "focus" keyword is incorrect — I believe "admin" is the correct focus here.

#2 @costdev
21 months ago

  • Keywords reporter-feedback added
  • The loopback request uses admin_url() for the URL.
  • admin_url() in turn calls get_admin_url() with the $scheme set to admin.
  • get_admin_url() calls get_site_url(), passing $scheme.
  • get_site_url() calls set_url_scheme(), passing $scheme.
  • set_url_scheme() sets the scheme based on the following condition:
    <?php
    
    // Excerpt from set_url_scheme(): the 'admin' scheme resolves to https only when
    // the current request is already SSL or force_ssl_admin() has been enabled.
    if ( 'admin' === $scheme || 'login' === $scheme || 'login_post' === $scheme || 'rpc' === $scheme ) {
            $scheme = is_ssl() || force_ssl_admin() ? 'https' : 'http';
    }
    
  • is_ssl() returns true if:
    • $_SERVER['HTTPS'] is set to 'on', OR
    • $_SERVER['HTTPS'] loosely evaluates to '1', OR
    • $_SERVER['SERVER_PORT'] is 443.
  • force_ssl_admin() returns true if it has previously been called as force_ssl_admin( true ).

a user's SSL intermediate chain was missing

This may suggest that the user's SSL certificate was invalid, and should have produced an error about an incomplete chain. Can you clarify whether or not this was the case?
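The resolution path laid out in the comment above (is_ssl() feeding set_url_scheme() with $scheme = 'admin') can be reproduced outside WordPress to see which server environments end up with an http loopback. The following is an added example, not code from WordPress core or from the ticket: it re-implements the is_ssl() conditions listed above as example_is_ssl(), evaluates them against constructed $_SERVER arrays, and includes a "TLS terminated at a reverse proxy" case that is an assumption about the reporter's hosting, not something the ticket confirms. All function names and sample environments are invented for illustration.

```php
<?php
// Added example, not WordPress core code. Re-implements the scheme-resolution
// logic described in the ticket comment and runs it over constructed
// $_SERVER environments (none of these were captured from a real host).

/** Mirror of the is_ssl() conditions listed in the comment, driven by an explicit $server array. */
function example_is_ssl( array $server ): bool {
    if ( isset( $server['HTTPS'] ) ) {
        if ( 'on' === strtolower( (string) $server['HTTPS'] ) ) {
            return true;
        }
        if ( '1' == $server['HTTPS'] ) { // loose comparison, as in core
            return true;
        }
    }
    if ( isset( $server['SERVER_PORT'] ) && '443' == $server['SERVER_PORT'] ) {
        return true;
    }
    return false;
}

/** Scheme the 'admin' loopback URL gets, given $server and the force_ssl_admin() flag. */
function example_admin_scheme( array $server, bool $force_ssl_admin ): string {
    return ( example_is_ssl( $server ) || $force_ssl_admin ) ? 'https' : 'http';
}

// Constructed environments (assumptions for illustration, not measured data).
$environments = array(
    'direct TLS to PHP'              => array( 'HTTPS' => 'on', 'SERVER_PORT' => '443' ),
    'plain HTTP'                     => array( 'SERVER_PORT' => '80' ),
    // TLS terminated at a proxy that only forwards X-Forwarded-Proto: PHP sees
    // port 80 and no HTTPS variable, so is_ssl() is false.
    'TLS terminated at reverse proxy' => array( 'SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PROTO' => 'https' ),
);

foreach ( $environments as $label => $server ) {
    printf(
        "%-32s force_ssl_admin=false -> %-5s | force_ssl_admin=true -> %s\n",
        $label,
        example_admin_scheme( $server, false ),
        example_admin_scheme( $server, true )
    );
}

// Mitigation for the proxy case (an assumption about the deployment): map the
// forwarded header onto HTTPS before WordPress loads, e.g. in wp-config.php,
// so is_ssl() reflects the scheme the client actually used.
function example_apply_forwarded_proto( array $server ): array {
    if ( isset( $server['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $server['HTTP_X_FORWARDED_PROTO'] ) {
        $server['HTTPS'] = 'on';
    }
    return $server;
}

$fixed = example_apply_forwarded_proto( $environments['TLS terminated at reverse proxy'] );
printf(
    "%-32s after mapping X-Forwarded-Proto -> %s\n",
    'TLS terminated at reverse proxy',
    example_admin_scheme( $fixed, false )
);
```

Run with `php example.php`. The proxy row shows why a site served over HTTPS can still issue an http:// loopback: nothing in the conditions above looks at X-Forwarded-Proto, so unless the web server or wp-config.php sets $_SERVER['HTTPS'] (or force_ssl_admin() is enabled), the scheme falls back to http, and a server-side redirect to https is then the only thing upgrading it. The header mapping should only be applied when the proxy is the sole path to PHP and overwrites that header on every request; otherwise a client could set it directly and have a plain-HTTP request treated as secure.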
