Opened 5 years ago
Last modified 21 months ago
#47817 new defect (bug)
Using file editor ignores schema and always uses http
Reported by: | jeffpaulkinsta | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.2.2 |
Component: | Filesystem API | Keywords: | reporter-feedback |
Focuses: | administration | Cc: | |
Description
When editing a template/theme or plugin file with the WordPress file editor, the internal loopback which I assume uses wp-json does not honor the schema of the siteurl.
For example:
Siteurl: https://kinsta.com
The request will come through as http://kinsta.com
If SSL is forced at the server level, this will force the https:// schema.
This was recently discovered and was failing because a user's SSL intermediate chain was missing, so the site would edit fine without HTTPS forced, but with SSL forced it would fail.
We were able to identify the chain issue due to this error occurring when force HTTPS was enabled in Nginx:
Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.
Change History (2)
#2
@
21 months ago
- Keywords reporter-feedback added
- The loopback request uses `admin_url()` for the URL.
- `admin_url()` in turn calls `get_admin_url()` with the `$scheme` set to `admin`.
- `get_admin_url()` calls `get_site_url()`, passing `$scheme`.
- `get_site_url()` calls `set_url_scheme()`, passing `$scheme`.
- `set_url_scheme()` sets the scheme based on the following condition:

```php
<?php
if ( 'admin' === $scheme || 'login' === $scheme || 'login_post' === $scheme || 'rpc' === $scheme ) {
	$scheme = is_ssl() || force_ssl_admin() ? 'https' : 'http';
}
```

- `is_ssl()` returns `true` if: `$_SERVER['HTTPS']` is set to `'on'`, OR `$_SERVER['HTTPS']` loosely evaluates to `'1'`, OR `$_SERVER['SERVER_PORT']` is `443`.
- `force_ssl_admin()` returns `true` if it has previously been called as `force_ssl_admin( true )`.
> a user's SSL intermediate chain was missing

This may suggest that the user's SSL certificate was invalid, and should have produced an error about an incomplete chain. Can you clarify whether or not this was the case?
The file editor does not utilize the REST API, so this "focus" keyword is incorrect — I believe "admin" is the correct focus here.
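
The scheme decision traced in the comment above, as an added example that is not WordPress core code or code from the ticket: it models the listed `is_ssl()` and `force_ssl_admin()` conditions over constructed `$_SERVER` values and prints the loopback URL each would produce. The `model_*` function names and the sample environments are assumptions; the site URL is the one from the description.

```php
<?php
// Model of the conditions listed in the comment above; not WordPress core code.
// Every function name here is hypothetical.

// True when the given (constructed) $_SERVER-style array looks like HTTPS.
function model_is_ssl(array $server): bool {
    $https = $server['HTTPS'] ?? null;
    if ($https !== null && ($https === 'on' || $https == '1')) {
        return true; // 'on', or anything loosely equal to '1'
    }
    return isset($server['SERVER_PORT']) && $server['SERVER_PORT'] == '443';
}

// Scheme chosen for the 'admin', 'login', 'login_post' and 'rpc' cases.
function model_admin_scheme(array $server, bool $forceSslAdmin): string {
    return (model_is_ssl($server) || $forceSslAdmin) ? 'https' : 'http';
}

// Replace the scheme of the stored site URL with the computed one.
// The scheme saved in siteurl plays no part in the decision.
function model_loopback_url(string $siteurl, array $server, bool $forceSslAdmin): string {
    $scheme = model_admin_scheme($server, $forceSslAdmin);
    return preg_replace('#^\w+://#', $scheme . '://', $siteurl) . '/wp-admin/';
}

// Site URL from the ticket description.
$siteurl = 'https://kinsta.com';

// Constructed request environments: label => [server vars, force_ssl_admin state].
$cases = [
    'HTTPS=on'                       => [['HTTPS' => 'on', 'SERVER_PORT' => '443'], false],
    'HTTPS=1'                        => [['HTTPS' => '1', 'SERVER_PORT' => '8443'], false],
    'HTTPS unset, port 443'          => [['SERVER_PORT' => '443'], false],
    // Assumed scenario: PHP sees plain HTTP, e.g. TLS ends before the request reaches it.
    'HTTPS unset, port 80'           => [['SERVER_PORT' => '80'], false],
    'port 80, force_ssl_admin(true)' => [['SERVER_PORT' => '80'], true],
];

foreach ($cases as $label => [$server, $force]) {
    printf("%-32s %s\n", $label, model_loopback_url($siteurl, $server, $force));
}
```

Only the fourth case yields an `http://` loopback URL, even though the stored site URL is `https://`.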