Opened 14 months ago

Closed 14 months ago

Last modified 14 months ago

#50201 closed defect (bug) (invalid)

SSL compromised by mixed content due to outdated links in the installed code

Reported by: balwuw
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Themes
Keywords:
Focuses:
Cc:

Description

All URLs delivered with WordPress should be updated from http:// to https:// in order to prevent security holes.

get_template_directory_uri() yields http:// even though the database has https:// throughout.

Change History (5)

#1 follow-up: @audrasjb
14 months ago

  • Keywords has-privacy-review needs-refresh removed
  • Severity changed from critical to normal
  • Version 5.4.1 deleted

Hi @balwuw, and welcome to WordPress Trac. Thanks for opening a ticket.

However, I'm not sure I understand what the exact issue is here. The get_template_directory_uri() function handles SSL and returns an https link if the website uses https.

#2 in reply to: ↑ 1 @balwuw
14 months ago

  • Summary changed from SSL compromised by outdated links to SSL compromised by mixed content due to outdated links in the installed code

Replying to audrasjb:

get_template_directory_uri() function handles SSL and returns https link if the website uses https.

Hi @audrasjb, thanks for looking into this.

Well, the bug is that it doesn’t. Although siteurl and home are both https, internal images are given http URLs, resulting in mixed content that breaks the security.

BTW, I’ve come here because this is not a support question. The bug is built into new WordPress instances of the latest version. Countless pointless http URLs are found in the code, even http://wordpress.org in the "Powered by:" link showing up on every single page.

To fix this, we can do the following:

In wp-content/themes/catch-everest/inc/panel/theme-options.php
line 1241: http:// → https://
line 1251: http:// → https://

In wp-content/themes/catch-everest/header.php
line 39: http:// → https://

Still the get_template_directory_uri() function remains unfixed for now.

Countless sites all over the web are broken because of that outdated code delivered when installing. IMO that is really a critical issue.
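As an added example (not code from the ticket, the Catch Everest theme or WordPress core), the following Python script checks a rendered https page for the mixed content described above and separates active content (scripts, iframes, stylesheets) from passive content (images, media), plus a helper that lists hardcoded http:// literals in a theme file the way the fix list above does; the page URL and HTML sample are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresources a browser fetches; a plain <a href> is navigation, not mixed content.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
                     "video": "src", "source": "src", "link": "href", "embed": "src"}
ACTIVE_TAGS = {"script", "iframe", "embed"}  # blocked outright by modern browsers

class MixedContentScanner(HTMLParser):
    """Collects (tag, resolved_url, kind) for every http:// subresource."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = SUBRESOURCE_ATTRS.get(tag)
        attrs = dict(attrs)
        raw = attrs.get(attr_name) if attr_name else None
        if not raw:
            return
        # Relative and protocol-relative ("//host/...") URLs inherit the page scheme.
        resolved = urljoin(self.page_url, raw.strip())
        if urlsplit(resolved).scheme != "http":
            return
        active = tag in ACTIVE_TAGS or (
            tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split())
        self.findings.append((tag, resolved, "active" if active else "passive"))

def scan_mixed_content(page_url, html):
    """Return mixed-content findings for an https page; an http page has none."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

def hardcoded_http_lines(source):
    """1-based line numbers containing a hardcoded http:// literal in theme source."""
    return [n for n, line in enumerate(source.splitlines(), 1) if "http://" in line]

# Constructed sample output of a theme with a hardcoded slider script and image.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//example.com/wp-content/themes/sample/style.css">
<script src="http://example.com/wp-content/themes/sample/js/slider.js"></script>
</head><body>
<img src="/wp-content/uploads/thumb.jpg">
<img src="http://example.com/wp-content/themes/sample/images/slider.jpg">
<a href="http://wordpress.org">Powered by WordPress</a>
</body></html>"""
```

Running `scan_mixed_content("https://example.com/", SAMPLE_HTML)` flags only the script (active) and the slider image (passive); the protocol-relative stylesheet, the relative thumbnail and the navigation link resolve cleanly.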

#3 @balwuw
14 months ago

The get_template_directory_uri() function sometimes handles SSL, e.g. when occurring for thumb images, and sometimes it doesn’t handle SSL, e.g. when it comes to slider images. Bottom line: it doesn’t handle SSL properly.

#4 @ocean90
14 months ago

  • Component changed from General to Themes
  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hello @balwuw, thanks for the additional info.

Unfortunately it looks like your theme doesn't handle this properly. For support please try contacting the author of the theme or use our support forums.

Please feel free to reopen if you can reproduce the issue with all plugins disabled and a default theme activated.

#5 @balwuw
14 months ago

Hi @ocean90, thank you for getting it to the point.

While ready to try out one of the installed default themes, thankfully Catch Everest offered a new version that removes the sample images for an easy fix of the problem in generating the image URLs, upgrades the theme credit to an https link, and drops the “Powered by:” credit.

Adding an image—actually a backup of Mount Everest—doesn’t break the page, as the image gets a properly generated https URL.