[wp-trac] [WordPress Trac] #50201: SSL compromised by mixed content due to outdated links in the installed code (was: SSL compromised by outdated links)
WordPress Trac
noreply at wordpress.org
Mon May 18 19:05:40 UTC 2020
#50201: SSL compromised by mixed content due to outdated links in the installed
code
-------------------------------+------------------------------
Reporter: balwuw | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Comment (by balwuw):
Replying to [comment:1 audrasjb]:
> `get_template_directory_uri()` function handles SSL and returns `https`
> link if the website uses `https`.
Hi @audrasjb, thanks for looking into this.
Well, the bug is that it doesn’t. Despite `siteurl` and `home` both being
`https`, internal images are given `http` URLs, making for mixed content
breaking the security.
BTW I’ve come here because that is **not** a support question. The bug is
built into new WordPress instances of the latest version. Countless pointless
`http` URLs are found in the code, even `http://wordpress.org` in the
`Powered by:` link showing up on every single page.
To fix this, we can do the following:
In `wp-content/themes/catch-everest/inc/panel/theme-options.php`
1241 `http://` ➔ `https://`
1251 `http://` ➔ `https://`
In `wp-content/themes/catch-everest/header.php`
39 `http://` ➔ `https://`
Still the `get_template_directory_uri()` function remains unfixed for now.
Countless sites all over the web are broken because of that outdated code
delivered when installing. IMO that is really a `critical` issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50201#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
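
As an added example (not part of the ticket and not WordPress code), this Python check separates `http://` references that an `https` page loads as subresources, which are mixed content, from plain link targets such as the `Powered by:` anchor, which the page itself does not fetch. The tag lists, the `scan` helper and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches while rendering the page.
SUBRESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                     ("source", "src"), ("embed", "src"), ("object", "data")}
# <link rel=...> values that cause a fetch; other rel values are references only.
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

class MixedContentScanner(HTMLParser):
    """Collects http:// references found in markup served over https."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        line = self.getpos()[0]
        for name, value in attrs.items():
            if not value.lower().startswith("http://"):
                continue
            if (tag, name) in SUBRESOURCE_ATTRS:
                kind = "mixed-content"
            elif tag == "link" and name == "href":
                rels = set(attrs.get("rel", "").lower().split())
                kind = "mixed-content" if rels & FETCHING_RELS else "link-only"
            elif name == "href":
                kind = "link-only"  # navigation target, not loaded by the page
            else:
                continue
            self.findings.append((line, kind, tag, value))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample of rendered theme output (hypothetical host example.test).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.test/wp-content/themes/demo/style.css">
<link rel="profile" href="http://example.test/profile">
</head><body>
<img src="http://example.test/wp-content/themes/demo/images/logo.png">
<a href="http://wordpress.org">Powered by: WordPress</a>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

Run it over the saved HTML of a rendered page; the reported line numbers refer to that HTML, not to the theme's PHP files.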