WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Forcing SSL logins now forces SSL for the entire admin, with no middle ground. 

fixes #10267.

Built from https://develop.svn.wordpress.org/trunk@28609


git-svn-id: http://core.svn.wordpress.org/trunk@28433 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Andrew Nacin 2014-05-29 03:59:15 +00:00
parent ec121f9899
commit d29dc48134
4 changed files with 15 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
wp-includes/default-constants.php
View File

@ -247,16 +247,17 @@ function wp_ssl_constants() {
/**
* @since 2.6.0
*/
if ( !defined('FORCE_SSL_ADMIN') )
define('FORCE_SSL_ADMIN', false);
force_ssl_admin(FORCE_SSL_ADMIN);
if ( !defined( 'FORCE_SSL_ADMIN' ) )
define( 'FORCE_SSL_ADMIN', false );
force_ssl_admin( FORCE_SSL_ADMIN );
/**
* @since 2.6.0
* @deprecated 4.0.0
*/
if ( !defined('FORCE_SSL_LOGIN') )
define('FORCE_SSL_LOGIN', false);
force_ssl_login(FORCE_SSL_LOGIN);
if ( defined( 'FORCE_SSL_LOGIN' ) && FORCE_SSL_LOGIN ) {
force_ssl_admin( true );
}
}
/**

13
wp-includes/functions.php
View File

@ -3387,15 +3387,7 @@ function is_ssl() {
* @return bool True if forced, false if not forced.
*/
function force_ssl_login( $force = null ) {
static $forced = false;
if ( !is_null( $force ) ) {
$old_forced = $forced;
$forced = $force;
return $old_forced;
}
return $forced;
return force_ssl_admin( $force );
}
/**
@ -4305,9 +4297,6 @@ function wp_auth_check_html() {
$current_domain = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'];
$same_domain = ( strpos( $login_url, $current_domain ) === 0 );
if ( $same_domain && force_ssl_login() && ! force_ssl_admin() )
$same_domain = false;
/**
* Filter whether the authentication check originated at the same domain.
*

16
wp-includes/link-template.php
View File

@ -2845,15 +2845,13 @@ function self_admin_url($path = '', $scheme = 'admin') {
*/
function set_url_scheme( $url, $scheme = null ) {
$orig_scheme = $scheme;
if ( ! in_array( $scheme, array( 'http', 'https', 'relative' ) ) ) {
if ( ( 'login_post' == $scheme || 'rpc' == $scheme ) && ( force_ssl_login() || force_ssl_admin() ) )
$scheme = 'https';
elseif ( ( 'login' == $scheme ) && force_ssl_admin() )
$scheme = 'https';
elseif ( ( 'admin' == $scheme ) && force_ssl_admin() )
$scheme = 'https';
else
$scheme = ( is_ssl() ? 'https' : 'http' );
if ( ! $scheme ) {
$scheme = is_ssl() ? 'https' : 'http';
} elseif ( $scheme === 'admin' || $scheme === 'login' || $scheme === 'login_post' || $scheme === 'rpc' ) {
$scheme = is_ssl() || force_ssl_admin() ? 'https' : 'http';
} elseif ( $scheme !== 'http' && $scheme !== 'https' && $scheme !== 'relative' ) {
$scheme = is_ssl() ? 'https' : 'http';
}
$url = trim( $url );

6
wp-login.php
View File

@ -741,12 +741,6 @@ default:
$reauth = empty($_REQUEST['reauth']) ? false : true;
// If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
// cookie and redirect back to the referring non-secure admin page. This allows logins to always be POSTed over SSL while allowing the user to choose visiting
// the admin via http or https.
if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
$secure_cookie = false;
$user = wp_signon( '', $secure_cookie );
if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {