From 93a4bf15e428c6dcc781618a4ec685ce6264ef4c Mon Sep 17 00:00:00 2001
From: Boone Gorges
Date: Mon, 4 May 2015 13:09:14 +0000
Subject: [PATCH] Attachment URLs should only be forced to SSL on the front end. Detecting SSL status on the Dashboard introduces problems when writing content that is saved to the database and then displayed on the front end, where SSL may be optional (or impossible, due to self-signed certificates). The new approach parallels the logic in `get_home_url()` for forcing HTTPS. See [31614] #15928 for background. Fixes #32112 for trunk.
git-svn-id: https://develop.svn.wordpress.org/trunk@32342 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/post.php | 9 ++---
 tests/phpunit/tests/post/attachments.php | 46 ++++++++++++++++++------
 2 files changed, 39 insertions(+), 16 deletions(-)
diff --git a/src/wp-includes/post.php b/src/wp-includes/post.php
index 7b6575366a..d0ecd2e04e 100644
--- a/src/wp-includes/post.php
+++ b/src/wp-includes/post.php
@@ -4992,12 +4992,9 @@ function wp_get_attachment_url( $post_id = 0 ) {
 $url = get_the_guid( $post->ID );
 }
- /*
- * If currently on SSL, prefer HTTPS URLs when we know they're supported by the domain
- * (which is to say, when they share the domain name of the current SSL page).
- */
- if ( is_ssl() && 'https' !== substr( $url, 0, 5 ) && parse_url( $url, PHP_URL_HOST ) === $_SERVER['HTTP_HOST'] ) {
- $url = set_url_scheme( $url, 'https' );
+ // On SSL front-end, URLs should be HTTPS.
+ if ( is_ssl() && ! is_admin() && 'wp-login.php' !== $GLOBALS['pagenow'] ) {
+ $url = set_url_scheme( $url );
 }
 /**
diff --git a/tests/phpunit/tests/post/attachments.php b/tests/phpunit/tests/post/attachments.php
index 881fb641fb..6c922b9747 100644
--- a/tests/phpunit/tests/post/attachments.php
+++ b/tests/phpunit/tests/post/attachments.php
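Review bot: The rewritten condition in `wp_get_attachment_url()` no longer checks that the attachment URL shares the host of the current request, so on an SSL front-end request every attachment URL is switched to HTTPS, including uploads served from another host that may not answer on HTTPS or may present a certificate browsers reject. Dropping the comparison with the client-supplied `$_SERVER['HTTP_HOST']` is a reasonable trade, but the one-line comment should record it, e.g. `// On SSL front end, force HTTPS for every attachment URL regardless of host; admin and login keep the stored scheme.` `is_admin()` is also true for `admin-ajax.php` requests, so attachment URLs built by front-end AJAX handlers on an HTTPS page will keep an `http` scheme and can surface as mixed content; that case deserves a test or a note. `$GLOBALS['pagenow']` is read without an `isset()` check, which raises a notice wherever the global has not been populated. The function starts before the hunk and continues after it.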
@@ -409,9 +409,9 @@ class Tests_Post_Attachments extends WP_UnitTestCase {
 /**
 * @ticket 15928
 */
- public function test_wp_get_attachment_url_should_not_force_https_when_https_is_on_but_url_has_a_different_domain() {
+ public function test_wp_get_attachment_url_should_not_force_https_when_administering_over_https_but_siteurl_is_not_https() {
 $siteurl = get_option( 'siteurl' );
- update_option( 'siteurl', set_url_scheme( $siteurl, 'https' ) );
+ update_option( 'siteurl', set_url_scheme( $siteurl, 'http' ) );
 $filename = ( DIR_TESTDATA . '/images/test-image.jpg' );
 $contents = file_get_contents( $filename );
@@ -422,21 +422,47 @@ class Tests_Post_Attachments extends WP_UnitTestCase { // Set attachment ID $attachment_id = $this->_make_attachment( $upload ); - // Save server data for cleanup. $is_ssl = is_ssl(); - $http_host = $_SERVER['HTTP_HOST']; - $_SERVER['HTTPS'] = 'on'; - - // Set server host to something random. - $_SERVER['HTTP_HOST'] = 'some.otherhostname.com'; + set_current_screen( 'dashboard' ); $url = wp_get_attachment_url( $attachment_id ); - $this->assertSame( set_url_scheme( $url, 'http' ), $url ); // Cleanup. $_SERVER['HTTPS'] = $is_ssl ? 'on' : 'off'; - $_SERVER['HTTP_HOST'] = $http_host; + set_current_screen( 'front' ); + + $this->assertSame( set_url_scheme( $url, 'http' ), $url ); + } + + /** + * @ticket 15928 + */ + public function test_wp_get_attachment_url_should_force_https_when_administering_over_https_and_siteurl_is_https() { + // Must set the upload_url_path to fake out `wp_upload_dir()`. + $siteurl = get_option( 'siteurl' ); + update_option( 'upload_url_path', set_url_scheme( $siteurl, 'https' ) . '/uploads' ); + + $filename = ( DIR_TESTDATA . '/images/test-image.jpg' ); + $contents = file_get_contents( $filename ); + + $upload = wp_upload_bits( basename( $filename ), null, $contents ); + $this->assertTrue( empty( $upload['error'] ) ); + + // Set attachment ID + $attachment_id = $this->_make_attachment( $upload ); + + $is_ssl = is_ssl(); + $_SERVER['HTTPS'] = 'on'; + set_current_screen( 'dashboard' ); + + $url = wp_get_attachment_url( $attachment_id ); + + // Cleanup. + $_SERVER['HTTPS'] = $is_ssl ? 'on' : 'off'; + set_current_screen( 'front' ); + + $this->assertSame( set_url_scheme( $url, 'https' ), $url ); } public function test_wp_attachment_is() {
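Review bot: Both tests in this hunk call `set_current_screen( 'dashboard' )` before `wp_get_attachment_url()`, so neither reaches the `set_url_scheme( $url )` branch that the post.php change adds for SSL front-end requests, and the `wp-login.php` exclusion is not asserted either. The second test passes because `upload_url_path` already stores an `https` URL, so its name (`..._should_force_https_...`) overstates what is checked. Unless a test outside this diff already covers it, add a front-end case along the lines below, with a stored `http` URL and `$_SERVER['HTTPS'] = 'on'`. The inline cleanup is also skipped if `wp_get_attachment_url()` raises an error, which would leave `$_SERVER['HTTPS']` and the dashboard screen set for later tests; restoring both in `tearDown()` is safer. The class starts before the hunk and `test_wp_attachment_is()` continues after it.

```php
	/**
	 * @ticket 15928
	 */
	public function test_wp_get_attachment_url_should_force_https_on_ssl_front_end() {
		// … unchanged: upload and _make_attachment() setup as in the tests above, with siteurl stored as http …

		$is_ssl = is_ssl();
		$_SERVER['HTTPS'] = 'on';
		set_current_screen( 'front' );

		$url = wp_get_attachment_url( $attachment_id );

		// … restore $_SERVER['HTTPS'] as in the tests above, or in tearDown() …

		$this->assertSame( set_url_scheme( $url, 'https' ), $url );
	}
```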