Opened 7 months ago

Closed 7 months ago

#52542 closed defect (bug) (fixed)

HTTPS local html detection RSD check is protocol specific

Reported by: TimothyBlynJacobs
Owned by: flixos90
Milestone: 5.7
Priority: normal
Severity: normal
Version: 5.7
Component: Site Health
Keywords: good-first-bug has-patch has-unit-tests dev-feedback commit
Focuses: Cc:

Description

The wp_is_local_html_output function is used to check whether the output from the https detection loopback request comes from the WordPress site itself.

The first check done is for RSD, but it checks specifically for the http version of the URL, whereas the other checks ignore the protocol.

In my testing environment at least, the RSD link header is output as an https URL when the site is requested over https, and as such this check returns false, incorrectly asserting in Site Health that I need to talk to my host about supporting HTTPS even though my site already supports it.

Tentatively milestoning for 5.7.

Change History (8)

#1 @johnbillion
7 months ago

  • Component changed from Security to Site Health

#2 @lukecarbis
7 months ago

@TimothyBlynJacobs That sounds like a bug specific to the changes to Site Health in the 5.7 beta, is that right? Possibly introduced by [49904]. Is this something we could get fixed in the next week before RC1 is out?

#3 @TimothyBlynJacobs
7 months ago

@lukecarbis Yep! Sorry for not including that in the original report! Yeah, I believe @flixos90 is planning on working on it this week.

#4 @flixos90
7 months ago

  • Owner set to flixos90
  • Status changed from new to assigned

This ticket was mentioned in PR #1023 on WordPress/wordpress-develop by felixarntz.


7 months ago

  • Keywords has-patch has-unit-tests added; needs-patch removed
  • Updates the RSD link check in wp_is_local_html_output() to be protocol-agnostic as expected, like the other ones.
  • Updates a minor issue in the REST API link check: The removal of the protocol should happen on the complete URL as included in the HTML output, which is run through esc_url. Before, esc_url was called after removing the protocol, which is not correct.

Trac ticket: https://core.trac.wordpress.org/ticket/52542

#6 @flixos90
7 months ago

  • Keywords dev-feedback added
  • Owner changed from flixos90 to TimothyBlynJacobs
  • Status changed from assigned to reviewing

@TimothyBlynJacobs I've added a PR to address this bug. Can you review please?

#7 @TimothyBlynJacobs
7 months ago

  • Keywords commit added
  • Owner changed from TimothyBlynJacobs to flixos90

Looks great to me!

#8 @flixos90
7 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 50391:

Security: Fix bug in wp_is_local_html_output().

Prior to this changeset, the check for the correct RSD link output was relying on a specific protocol, although it needs to accept both the HTTP and HTTPS version of the URL.

Props TimothyBlynJacobs.
Fixes #52542. See #47577.
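
The difference between a protocol-specific and a protocol-agnostic RSD check, as discussed in this ticket, shown as an added PHP illustration that is not WordPress core code and not the code from the PR. The function names, the `htmlspecialchars()` stand-in for `esc_url()`, and the sample URL and HTML are constructed assumptions.

```php
<?php
// Added illustration; not WordPress core code. All function names are hypothetical.

/** Stand-in for esc_url() (assumption): only HTML-escapes the URL. */
function demo_escape_url(string $url): string {
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

/** Protocol-specific check: searches for the URL with its scheme intact. */
function rsd_check_protocol_specific(string $html, string $rsd_url): bool {
    return strpos($html, demo_escape_url($rsd_url)) !== false;
}

/**
 * Protocol-agnostic check: escape the complete URL first, exactly as it would
 * appear in the HTML, and only then strip the leading "http:" or "https:".
 */
function rsd_check_protocol_agnostic(string $html, string $rsd_url): bool {
    $needle = preg_replace('#^https?:(?=//)#', '', demo_escape_url($rsd_url));
    return strpos($html, $needle) !== false;
}

// Constructed sample: the check is built from the http form of the RSD URL,
// while the loopback response was fetched over https.
$rsd_url = 'http://example.test/xmlrpc.php?rsd';

$https_response = <<<HTML
<html><head>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.test/xmlrpc.php?rsd" />
</head><body></body></html>
HTML;

// Constructed sample: a response that did not come from the site at all.
$foreign_response = '<html><head><title>Parked domain</title></head><body></body></html>';

$cases = [
    'own site over https' => $https_response,
    'foreign page'        => $foreign_response,
];

foreach ($cases as $label => $html) {
    printf(
        "%-20s specific=%s agnostic=%s\n",
        $label,
        var_export(rsd_check_protocol_specific($html, $rsd_url), true),
        var_export(rsd_check_protocol_agnostic($html, $rsd_url), true)
    );
}
```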
