[wp-trac] [WordPress Trac] #36451: get_rest_url() not returning SSL version of the URL when the home_url it's a subdomain

WordPress Trac noreply at wordpress.org
Fri Jan 13 14:26:42 UTC 2017


#36451: get_rest_url() not returning SSL version of the URL when the home_url it's
a subdomain
-------------------------+-------------------------------------------------
 Reporter:  nicholas_io  |       Owner:
     Type:  defect       |      Status:  reopened
  (bug)                  |   Milestone:
 Priority:  normal       |     Version:  4.4
Component:  REST API     |  Resolution:
 Severity:  major        |     Focuses:  administration, multisite, rest-
 Keywords:               |  api
-------------------------+-------------------------------------------------
Changes (by igmoweb):

 * status:  closed => reopened
 * focuses:   => administration, multisite, rest-api
 * resolution:  worksforme =>
 * severity:  normal => major


Comment:

 I'm going to reopen this as it is causing problems for me too and I see
 lots of situations where the function won't work properly.

 The problem is in the line where the host is compared:


 {{{
  if ( $_SERVER['SERVER_NAME'] === parse_url( get_home_url( $blog_id ), PHP_URL_HOST ) ) {
 }}}

 Please read the `$_SERVER` variable names in the PHP manual:
 http://php.net/manual/en/reserved.variables.server.php

 `SERVER_NAME`: The name of the server host under which the current script
 is executing. If the script is running on a virtual host, this will be the
 value defined for that virtual host.

 `HTTP_HOST`: Contents of the Host: header from the current request, if
 there is one.

 So, let's say we have a subdomain installation in a multisite with the
 main URL `example.com` and the user is trying to make a request to
 `mysite.example.org`. The `$_SERVER` variable values would be:

 `SERVER_NAME`: `example.com`
 `HTTP_HOST`: `mysite.example.com`

 But `get_rest_url()` is actually comparing to `example.com`, so the line
 above will never be true. The line should actually be:

 {{{
 if ( $_SERVER['HTTP_HOST'] === parse_url( get_home_url( $blog_id ), PHP_URL_HOST ) ) {
 }}}


 Now, how to reproduce? You'll need:
 - A multisite with subdomains
 - `FORCE_ADMIN_SSL` set to `true`
 - Do not force SSL in front
 - Create a new site in the multisite
 - Add the following code into a plugin or theme:

 {{{#!php
 <?php
 add_action( 'admin_init', function() {
         var_dump( get_rest_url() );
         wp_die();
 });
 }}}

 And go to the subdomain/wp-admin

 You should see that the REST URL is prefixed with `http`, not `https`.

 This is really bad when you try to make an AJAX call to any REST endpoint
 from admin.

 You can test an example by installing Jetpack 4.4.2 (currently the latest
 one) and going to the Jetpack connection page. You'll see that the
 connection button link is wrong and if you open the JS console... Tada!

 Please, reconsider this ticket.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36451#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
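
Added example, not part of the ticket comment or of WordPress core: a stand-alone PHP model of the host comparison discussed above, run against a constructed request for a subdomain site, including a `Host:` header that carries a port. The function name `model_rest_url()`, the sample values, and the rule that the URL is upgraded to `https` only on an HTTPS request with a matching host are assumptions made for the illustration.

```php
<?php
// Added illustration; not WordPress core code. Names and sample values are
// hypothetical. Assumption: the URL is upgraded to https only when the
// request is HTTPS and the host comparison succeeds.

function model_rest_url( array $server, string $home_url, string $host_key ): string {
    $url       = rtrim( $home_url, '/' ) . '/wp-json/';
    $is_https  = 'on' === strtolower( $server['HTTPS'] ?? '' );
    $home_host = parse_url( $home_url, PHP_URL_HOST );

    // Same strict comparison as the line quoted in the comment, with the
    // $_SERVER key made a parameter so both variants can be compared.
    // is_string() guards against a home URL that has no parsable host.
    if ( $is_https && is_string( $home_host )
        && ( $server[ $host_key ] ?? null ) === $home_host ) {
        return preg_replace( '#^http://#', 'https://', $url );
    }
    return $url;
}

// Constructed request: HTTPS admin page on a subsite whose virtual host is
// defined under the network's main domain.
$server = array(
    'HTTPS'       => 'on',
    'SERVER_NAME' => 'example.com',        // value defined for the virtual host
    'HTTP_HOST'   => 'mysite.example.com', // Host: header sent by the client
);
$home = 'http://mysite.example.com'; // stored home URL of the subsite (constructed)

// Compare the two $_SERVER keys on the same request.
foreach ( array( 'SERVER_NAME', 'HTTP_HOST' ) as $key ) {
    printf( "%-11s => %s\n", $key, model_rest_url( $server, $home, $key ) );
}

// Edge case: a Host header carrying a port no longer equals the host that
// parse_url() extracts, so the strict comparison fails again.
$server['HTTP_HOST'] = 'mysite.example.com:8443';
printf( "%-11s => %s\n", 'with port', model_rest_url( $server, $home, 'HTTP_HOST' ) );
```

`HTTP_HOST` is supplied by the client, so the model only compares it against the configured home host and never builds the URL from it.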

