Forcing SSL logins now forces SSL for the entire admin, with no middle ground.

fixes #10267. Built from https://develop.svn.wordpress.org/trunk@28609 git-svn-id: http://core.svn.wordpress.org/trunk@28433 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-29 03:59:15 +00:00 · 2014-05-29 03:59:15 +00:00 · d29dc48134
parent ec121f9899
commit d29dc48134
4 changed files with 15 additions and 33 deletions
--- a/wp-includes/default-constants.php
+++ b/wp-includes/default-constants.php
@ -247,16 +247,17 @@ function wp_ssl_constants() {
 	/**
 	 * @since 2.6.0
 	 */
-	if ( !defined('FORCE_SSL_ADMIN') )
+	if ( !defined( 'FORCE_SSL_ADMIN' ) )
-		define('FORCE_SSL_ADMIN', false);
+		define( 'FORCE_SSL_ADMIN', false );
-	force_ssl_admin(FORCE_SSL_ADMIN);
+	force_ssl_admin( FORCE_SSL_ADMIN );
 	/**
 	 * @since 2.6.0
 	 * @deprecated 4.0.0
 	 */
-	if ( !defined('FORCE_SSL_LOGIN') )
+	if ( defined( 'FORCE_SSL_LOGIN' ) && FORCE_SSL_LOGIN ) {
-		define('FORCE_SSL_LOGIN', false);
+		force_ssl_admin( true );
-	force_ssl_login(FORCE_SSL_LOGIN);
+	}
 }
 /**
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@ -3387,15 +3387,7 @@ function is_ssl() {
 * @return bool True if forced, false if not forced.
 */
 function force_ssl_login( $force = null ) {
-	static $forced = false;
+	return force_ssl_admin( $force );
 	if ( !is_null( $force ) ) {
 		$old_forced = $forced;
 		$forced = $force;
 		return $old_forced;
 	}
 	return $forced;
 }
 /**
@ -4305,9 +4297,6 @@ function wp_auth_check_html() {
 	$current_domain = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'];
 	$same_domain = ( strpos( $login_url, $current_domain ) === 0 );
 	if ( $same_domain && force_ssl_login() && ! force_ssl_admin() )
 		$same_domain = false;
 	/**
 	 * Filter whether the authentication check originated at the same domain.
 	 *
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@ -2845,15 +2845,13 @@ function self_admin_url($path = '', $scheme = 'admin') {
 */
 function set_url_scheme( $url, $scheme = null ) {
 	$orig_scheme = $scheme;
-	if ( ! in_array( $scheme, array( 'http', 'https', 'relative' ) ) ) {
+
-		if ( ( 'login_post' == $scheme || 'rpc' == $scheme ) && ( force_ssl_login() || force_ssl_admin() ) )
+	if ( ! $scheme ) {
-			$scheme = 'https';
+		$scheme = is_ssl() ? 'https' : 'http';
-		elseif ( ( 'login' == $scheme ) && force_ssl_admin() )
+	} elseif ( $scheme === 'admin' || $scheme === 'login' || $scheme === 'login_post' || $scheme === 'rpc' ) {
-			$scheme = 'https';
+		$scheme = is_ssl() || force_ssl_admin() ? 'https' : 'http';
-		elseif ( ( 'admin' == $scheme ) && force_ssl_admin() )
+	} elseif ( $scheme !== 'http' && $scheme !== 'https' && $scheme !== 'relative' ) {
-			$scheme = 'https';
+		$scheme = is_ssl() ? 'https' : 'http';
 		else
 			$scheme = ( is_ssl() ? 'https' : 'http' );
 	}
 	$url = trim( $url );
--- a/wp-login.php
+++ b/wp-login.php
@ -741,12 +741,6 @@ default:
 	$reauth = empty($_REQUEST['reauth']) ? false : true;
 	// If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
 	// cookie and redirect back to the referring non-secure admin page. This allows logins to always be POSTed over SSL while allowing the user to choose visiting
 	// the admin via http or https.
 	if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
 		$secure_cookie = false;
 	$user = wp_signon( '', $secure_cookie );
 	if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {