[wp-trac] [WordPress Trac] #26800: Multisite is hardcoded to redirect to http:// for invalid domains
WordPress Trac
noreply at wordpress.org
Sun Jan 12 05:52:08 UTC 2014
#26800: Multisite is hardcoded to redirect to http:// for invalid domains
------------------------------------+-----------------------------
Reporter: glen.pike.hf | Owner:
Type: defect (bug) | Status: new
Priority: low | Milestone: Future Release
Component: Multisite | Version: 3.0
Severity: minor | Resolution:
Keywords: has-patch dev-feedback |
------------------------------------+-----------------------------
Changes (by jeremyfelt):
* keywords: has-patch => has-patch dev-feedback
* priority: normal => low
* version: 3.8 => 3.0
* severity: normal => minor
* milestone: Awaiting Review => Future Release
Comment:
Relevant code in `ms-settings.php`
{{{
if ( $current_site && ! $current_blog ) {
if ( $current_site->domain != $_SERVER[ 'HTTP_HOST' ] ) {
header( 'Location: http://' . $current_site->domain .
$current_site->path );
exit;
}
}}}
It seems the answer here isn't necessarily checking for the scheme of the
request, but checking for a desired scheme assigned to the
`$current_site->domain` the redirect will be made to. If the domain
requested is invalid, there's nothing saying that the scheme is valid.
For this block of code in `ms-settings.php`, that would be likely be a
network level setting as we're redirecting to the network's main page.
I guess one question would be whether forcing SSL in this scenario should
occur in WordPress core, or in the web server configuration as an
immediate redirect.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/26800#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list