Opened 11 days ago

Closed 8 days ago

#52542 closed defect (bug) (fixed)

HTTPS local html detection RSD check is protocol specific

Reported by: TimothyBlynJacobs
Owned by: flixos90
Milestone: 5.7
Priority: normal
Severity: normal
Version: trunk
Component: Site Health
Keywords: good-first-bug has-patch has-unit-tests dev-feedback commit
Focuses:
Cc:

Description

The wp_is_local_html_output function is used to check whether the output from the https detection loopback request comes from the WordPress site itself.

The first check done is for RSD, but it checks specifically for the http version of the URL, whereas the other checks ignore the protocol.

In my testing environment at least, the RSD link header is output as an https URL when the site is requested over https, and as such this check returns false, incorrectly asserting in Site Health that I need to talk to my host about supporting HTTPS even though my site already supports it.

Tentatively milestoning for 5.7.

Change History (8)

#1 @johnbillion
11 days ago

  • Component changed from Security to Site Health

#2 @lukecarbis
10 days ago

@TimothyBlynJacobs That sounds like a bug specific to the changes to Site Health in the 5.7 beta, is that right? Possibly introduced by [49904]. Is this something we could get fixed in the next week before RC1 is out?

#3 @TimothyBlynJacobs
10 days ago

@lukecarbis Yep! Sorry for not including that in the original report! Yeah, I believe @flixos90 is planning on working on it this week.

#4 @flixos90
8 days ago

  • Owner set to flixos90
  • Status changed from new to assigned

This ticket was mentioned in PR #1023 on WordPress/wordpress-develop by felixarntz.


8 days ago

  • Keywords has-patch has-unit-tests added; needs-patch removed
  • Updates the RSD link check in wp_is_local_html_output() to be protocol-agnostic as expected, like the other ones.
  • Updates a minor issue in the REST API link check: The removal of the protocol should happen on the complete URL as included in the HTML output, which is run through esc_url. Before, esc_url was called after removing the protocol, which is not correct.

Trac ticket: https://core.trac.wordpress.org/ticket/52542

#6 @flixos90
8 days ago

  • Keywords dev-feedback added
  • Owner changed from flixos90 to TimothyBlynJacobs
  • Status changed from assigned to reviewing

@TimothyBlynJacobs I've added a PR to address this bug. Can you review, please?

#7 @TimothyBlynJacobs
8 days ago

  • Keywords commit added
  • Owner changed from TimothyBlynJacobs to flixos90

Looks great to me!

#8 @flixos90
8 days ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 50391:

Security: Fix bug in wp_is_local_html_output().

Prior to this changeset, the check for the correct RSD link output was relying on a specific protocol, although it needs to accept both the HTTP and HTTPS version of the URL.

Props TimothyBlynJacobs.
Fixes #52542. See #47577.
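
The protocol mismatch discussed in this ticket, as an added example that is not part of the ticket or of WordPress core. The function names, the example.test and other.test hosts, and the sample HTML are constructed for illustration; the check shown is a simplified stand-in for the RSD test in wp_is_local_html_output().

```php
<?php
// Added illustration: hypothetical helpers, not WordPress core code.

// Protocol-specific check: searches for the RSD URL exactly as configured,
// so an http:// site URL never matches HTML that was served over https://.
function is_local_html_protocol_specific(string $html, string $rsd_url): bool {
    return strpos($html, $rsd_url) !== false;
}

// Protocol-agnostic check: strip a leading "http:" or "https:" so the needle
// begins at "//host/path". The host and path must still match, so output
// from a different site is still rejected.
function is_local_html_protocol_agnostic(string $html, string $rsd_url): bool {
    $needle = preg_replace('#^https?:(?=//)#', '', $rsd_url);
    return strpos($html, $needle) !== false;
}

// Constructed sample data: the site is configured with an http:// URL,
// while the loopback request for HTTPS detection is answered over https://.
$configured_rsd = 'http://example.test/xmlrpc.php?rsd';
$link = '<link rel="EditURI" type="application/rsd+xml" title="RSD" href="%s" />';

$responses = [
    'same site over https' => sprintf($link, 'https://example.test/xmlrpc.php?rsd'),
    'same site over http'  => sprintf($link, 'http://example.test/xmlrpc.php?rsd'),
    'different site'       => sprintf($link, 'https://other.test/xmlrpc.php?rsd'),
];

foreach ($responses as $label => $html) {
    printf(
        "%-22s specific=%s agnostic=%s\n",
        $label,
        var_export(is_local_html_protocol_specific($html, $configured_rsd), true),
        var_export(is_local_html_protocol_agnostic($html, $configured_rsd), true)
    );
}
```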
