[wp-trac] [WordPress Trac] #15928: wp_get_attachment_url does not check for HTTPS
WordPress Trac
noreply at wordpress.org
Mon Apr 29 21:56:09 UTC 2013
#15928: wp_get_attachment_url does not check for HTTPS
-------------------------------------+-----------------------------
Reporter: atetlaw | Owner:
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Future Release
Component: Permalinks | Version: 3.0.3
Severity: normal | Resolution:
Keywords: has-patch needs-testing |
-------------------------------------+-----------------------------
Comment (by ccolotti):
You are overcomplicating the issue. I am doing admin over HTTPS, I upload
an image, I go to another browser NOT logged in, use HTTP to test the
posted page, and the IMAGE on that page is served HTTPS instead of HTTP.
Simple, but incorrect. The simple issue is logged in over HTTPS and
adding an image to a post uses the HTTPS version for ALL non-HTTPS users
on that post/page. You are skewing the original issue into something
completely different and unrelated.
Replying to [comment:46 ryansatterfield]:
> Because you aren't actually administering over https, if you have http
> mixed in the backend. When you mix the two, the security of https is
> broken, so the admin is open to attacks. The option to have the admin be
> https and not the entire site is an odd one. One that I believe should be
> removed.
>
> Replying to [comment:45 ccolotti]:
> > Replying to [comment:44 ryansatterfield]:
> > > Why don't you just make the entire site https?
> > > Replying to [comment:43 ccolotti]:
> > > > Replying to [comment:40 johnbillion]:
> > > > > Replying to [comment:39 ryansatterfield]:
> > > > > > Your site is either purely https or purely http. Even if you
> > > > > > think it is half and half, it isn't. If you use http mixed with https,
> > > > > > you've broken the http strict transport security, thus making it easier
> > > > > > for hackers to get information transmitted over https.
> > > > > ccolotti is talking about the WordPress admin area. You can have
> > > > > admin over SSL with a site over HTTP. In this situation, WordPress
> > > > > currently incorrectly inserts images into your post content using the
> > > > > HTTPS scheme instead of HTTP.
> > > >
> > > > So I have to ask again... can this be resolved so the images are
> > > > not incorrectly inserted? This is still ongoing with 3.5.1
> >
> > Because there is no need to make an entire site HTTPS that is a basic
> > blog site. That's not the answer to the bug if you ask me. I don't want
> > to serve all HTTPS; it's not a requirement for this site. I just simply
> > want to ADMINISTER via HTTPS and not have the images all served up that
> > way. This seems like it should just work properly but nobody is taking a
> > moment to look at it.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/15928#comment:47>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software