[wp-trac] [WordPress Trac] #31288: IS_SSL should check return true for SSL Terminated load balancing
WordPress Trac
noreply at wordpress.org
Tue Feb 10 23:55:23 UTC 2015
#31288: IS_SSL should check return true for SSL Terminated load balancing
--------------------------+-----------------------
Reporter: bretterer | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+-----------------------
Comment (by bretterer):
Replying to [comment:6 dd32]:
> Part of the problem with relying upon headers from untrusted downstreams
> (which is effectively what you're suggesting) is that it's then possible
> to bypass any SSL-only settings done in WordPress.
> A MITM proxy could force it to HTTP, add the header, allow someone to
> login over HTTP (because is_ssl() is now true) on this SSL-only site, and
> then, well you get the picture..
Isn't WordPress currently relying on headers anyway for the is_ssl()
method? I could just as easily add a header to my request to set HTTPS to
be true and bam, I have access to the site over HTTP because is_ssl() is
now true. So this argument in my opinion is not a valid one. WordPress
is still relying on headers in the current setup. I am just suggesting
that we add a different header to look at.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31288#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
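The disagreement above is about whether an is_ssl()-style check may trust a value the client can write into the request. The PHP below is an added illustration, not WordPress core code and not a patch from the ticket: it places a check that honours X-Forwarded-Proto from any peer next to one that honours it only when REMOTE_ADDR is a configured load balancer. The TRUSTED_PROXIES list and the sample request arrays are constructed for the example.

```php
<?php
// Added illustration, not WordPress core code. Shows why a forwarded-protocol
// header must be tied to a known proxy before it may influence an SSL check.

// Hypothetical addresses of the TLS-terminating load balancers. In a real
// deployment this list comes from configuration, not from a literal.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Server-set HTTPS flag. The web server populates $_SERVER['HTTPS'] itself
 * when the connection it terminated used TLS; a request header cannot set it.
 */
function server_says_https(array $server): bool {
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/**
 * Naive check: believes X-Forwarded-Proto from any peer. A request that
 * reaches the web server over plain HTTP is treated as HTTPS as soon as the
 * sender adds the header, which is the bypass dd32 describes.
 */
function is_ssl_naive(array $server): bool {
    if (server_says_https($server)) {
        return true;
    }
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

/**
 * Hardened check: the forwarded header is only honoured when the TCP peer
 * (REMOTE_ADDR) is one of the configured load balancers. Any other sender's
 * header is ignored, so only the server-set HTTPS flag can mark the request
 * as secure.
 */
function is_ssl_behind_trusted_proxy(array $server, array $trusted_proxies = TRUSTED_PROXIES): bool {
    if (server_says_https($server)) {
        return true;
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true)) {
        return false;
    }
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// Constructed sample requests (not real traffic).
$from_load_balancer = [
    'REMOTE_ADDR'            => '10.0.0.5',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
$direct_http_with_forwarded_header = [
    'REMOTE_ADDR'            => '203.0.113.9',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
$direct_https = [
    'REMOTE_ADDR' => '203.0.113.9',
    'HTTPS'       => 'on',
];

// Plain-HTTP request carrying the header from a peer that is not a proxy:
// the naive check accepts it, the hardened check ignores the header.
var_dump(is_ssl_naive($direct_http_with_forwarded_header));
var_dump(is_ssl_behind_trusted_proxy($direct_http_with_forwarded_header));

// Same header from a configured load balancer: honoured.
var_dump(is_ssl_behind_trusted_proxy($from_load_balancer));

// TLS terminated at the web server itself: the server-set flag decides.
var_dump(is_ssl_behind_trusted_proxy($direct_https));
```

The design point is that REMOTE_ADDR is the address of the TCP peer and is filled in by the web server, so it cannot be overwritten by a request header the way X-Forwarded-Proto can; restricting the header to known proxy addresses is what makes trusting it safe behind a TLS-terminating load balancer.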