[wp-trac] [WordPress Trac] #19707: admin-ajax.php requests via http regardless of force_ssl_admin() state

WordPress Trac wp-trac at lists.automattic.com
Sun Jan 1 00:53:53 UTC 2012


#19707: admin-ajax.php requests via http regardless of force_ssl_admin() state
-----------------------------+-----------------------------
 Reporter:  robertaccettura  |      Owner:
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Security         |    Version:
 Severity:  normal           |   Keywords:
-----------------------------+-----------------------------
 Noticing these requests failing:

 "NetworkError: 403 Forbidden - http://HOSTNAMEwp-admin/admin-ajax.php"


 My server explicitly denies http to wp-admin.  SSL only.

 Looks like admin_url() is giving http rather than https. I suspect this
 bug actually lies somewhere in get_site_url(), but I don't have time to
 triage this right now.

 This is technically a security bug since WP should always obey
 force_ssl_admin(), but I don't think anything is being leaked or
 compromised.  You don't get access to anything, and nothing being sent
 over the wire is sensitive since it still obeys the rules of the protocol
 (cookie is secure).  It's just a nuisance.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19707>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
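One way to check a site for the symptom reported in this ticket: the sketch below scans saved admin-page source for plain-http URLs that point into wp-admin on the site's own host, including the JSON-escaped form used in inline script data. It is an added example, not WordPress code or code from the ticket; the function name, hostnames and sample markup are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Absolute URLs in HTML attributes and inline JS, including the
# JSON-escaped form (http:\/\/...) found in inline script data.
URL_RE = re.compile(r"""https?:(?:\\?/){2}[^\s'"<>]+""")


def insecure_admin_urls(page_source, site_host, admin_prefix="/wp-admin/"):
    """Return sorted plain-http URLs on site_host whose path is under admin_prefix."""
    found = set()
    for raw in URL_RE.findall(page_source):
        url = raw.replace("\\/", "/")  # undo JSON slash escaping
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # https references are what an SSL-only admin should emit
        if (parts.hostname or "").lower() != site_host.lower():
            continue  # other hosts are out of scope for this check
        if parts.path.startswith(admin_prefix):
            found.add(url)
    return sorted(found)


# Constructed sample of admin page source (hypothetical host and markup).
SAMPLE = r"""
<link rel="stylesheet" href="https://blog.example.test/wp-admin/css/wp-admin.css">
<script>
var ajaxurl = 'http://blog.example.test/wp-admin/admin-ajax.php';
var cfg = {"ajax":"http:\/\/blog.example.test\/wp-admin\/admin-ajax.php?action=x"};
var other = 'http://cdn.example.test/wp-admin/logo.png';
</script>
<a href="http://blog.example.test/2012/01/hello/">front end link</a>
"""

if __name__ == "__main__":
    for u in insecure_admin_urls(SAMPLE, "blog.example.test"):
        print("plain-http admin URL:", u)
```

Any URL it reports would be refused by a server configured, like the reporter's, to deny http to wp-admin.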

