[wp-trac] [WordPress Trac] #15928: wp_get_attachment_url does not check for HTTPS
WordPress Trac
noreply at wordpress.org
Wed Nov 5 14:51:35 UTC 2014
#15928: wp_get_attachment_url does not check for HTTPS
--------------------------+-----------------------------
Reporter: atetlaw | Owner: boonebgorges
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: Future Release
Component: Permalinks | Version: 3.0.3
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
--------------------------+-----------------------------
Changes (by boonebgorges):
* keywords: needs-testing has-patch => needs-patch
* milestone: 4.1 => Future Release
Comment:
I was in the process of drafting a commit message for the change and
writing a new ticket to describe the broader issue, and I started to have
second thoughts related to
[https://core.trac.wordpress.org/ticket/15928#comment:24 johnbillion's
comment here]. Let's say we went with [attachment:15928.7.patch]. We might
find ourselves in the following situation:
- My site is publicly viewable at http://example.com
- Administration is all done over SSL at https://secure.example.com
- I write a post and insert media. `is_ssl()` will be true, which means
that the 'src' of the inserted `<img>` will have a 'https' URL. However,
`wp_upload_dir()` will point to 'http://example.com', because that's the
public URL of my site. So the 'src' ends up starting with
'https://example.com'
- If I don't have an SSL cert for example.com, the images will not load at
all.
The case of non-loading content seems just as bad as (or worse than) the
mixed-content warnings we currently see in certain setups.
Since we're using `wp_upload_dir()` to build the attachment URL, we need a
reliable way to determine whether that URL should be viewed over SSL. To
go back to the original ticket:
> The wp_upload_dir function should probably be changed, so that instead
> of calling get_option('siteurl') directly, it uses something like
> get_home_url (or even get_site_url) which check for HTTPS.
As things currently stand, the only way WordPress knows whether your
front-end should (or can) be viewed over SSL is by looking to see whether
your 'siteurl' or 'homeurl' have 'https' as their scheme. So I think we
need to trust that value, which is to say we cannot override it just
because `is_ssl()` is true in the admin.
A more general solution may be to split `wp_get_attachment_url()` into two
separate functions (one of which may be a wrapper for the other). One will
generate links that should be relative to 'homeurl'/'siteurl' (used eg to
insert links into the post editor), and one will generate links that are
relative to the *current* scheme (used eg to display attachment links
within a theme). This is going to need a good deal more investigation, and
might benefit from a broader treatment of front-end SSL in WP. See #27954.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/15928#comment:81>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
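To make the failure mode described in the comment concrete, here is a small stand-alone PHP illustration (added here; it is not code from the ticket, the patch, or WordPress core). The constants and `ADMIN_REQUEST_IS_SSL` are constructed stand-ins for the 'home' option, the `wp_upload_dir()` base URL and what `is_ssl()` returns in the admin; `set_url_scheme()` is a simplified stand-in for the WordPress function of the same name.

```php
<?php
// Constructed configuration mirroring the scenario in the comment:
// public site on plain HTTP, administration served over HTTPS elsewhere.
const HOME_URL             = 'http://example.com';                       // 'home' option
const UPLOAD_BASEURL       = 'http://example.com/wp-content/uploads';    // wp_upload_dir()['baseurl']
const ADMIN_REQUEST_IS_SSL = true;                                       // is_ssl() inside the admin

// Simplified stand-in for WordPress' set_url_scheme(): swap the scheme only.
function set_url_scheme(string $url, string $scheme): string {
    return preg_replace('#^https?://#', $scheme . '://', $url);
}

// The approach the comment argues against: force the scheme of the
// current (admin) request onto the upload URL when inserting media.
function attachment_url_from_request_scheme(string $file): string {
    $scheme = ADMIN_REQUEST_IS_SSL ? 'https' : 'http';
    return set_url_scheme(UPLOAD_BASEURL . '/' . $file, $scheme);
}

// Scheme taken from the configured front-end URL, the only signal
// WordPress has about whether the public site can be served over SSL.
function attachment_url_from_home_scheme(string $file): string {
    $scheme = parse_url(HOME_URL, PHP_URL_SCHEME) ?: 'http';
    return set_url_scheme(UPLOAD_BASEURL . '/' . $file, $scheme);
}

// The split the comment proposes: one URL for content stored in posts
// (tied to the configured home scheme) and one for rendering inside the
// current front-end request (tied to that request's own scheme).
function attachment_url_for_post_content(string $file): string {
    return attachment_url_from_home_scheme($file);
}

function attachment_url_for_current_request(string $file, bool $request_is_ssl): string {
    $scheme = $request_is_ssl ? 'https' : 'http';
    return set_url_scheme(attachment_url_from_home_scheme($file), $scheme);
}

echo attachment_url_from_request_scheme('photo.jpg'), PHP_EOL;
echo attachment_url_for_post_content('photo.jpg'), PHP_EOL;
echo attachment_url_for_current_request('photo.jpg', false), PHP_EOL;
```

With these constants the request-scheme variant produces an https URL on example.com, for which the scenario has no certificate, so the image would not load; the home-scheme variants keep the http scheme of the public site.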