From e3745529610622c27da66170cbc9a48aa069e4e0 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 7 Feb 2023 17:46:20 +0000
Subject: [PATCH] Application Passwords: Allow plain HTTP success and reject URLs when using a local environment type. It's not uncommon for local environments to run over HTTP due to the relative complexity of configuring HTTPS for a local environment. This change allows HTTP URLs for application password responses when that is the case. Props peterwilsoncc, wppunk, cadic, viralsampat Fixes #52617 Built from https://develop.svn.wordpress.org/trunk@55283 git-svn-id: http://core.svn.wordpress.org/trunk@54816 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/user.php | 8 +++++---
 wp-includes/version.php | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php
index 5b6c6ffd8b..05dd852f2f 100644
--- a/wp-admin/includes/user.php
+++ b/wp-admin/includes/user.php
@@ -612,6 +612,7 @@ Please click the following link to activate your user account:
 * Checks if the Authorize Application Password request is valid.
 *
 * @since 5.6.0
+ * @since 6.2.0 Allow insecure HTTP connections for the local environment.
 *
 * @param array $request {
 * The array of request data. All arguments are optional and may be empty.
@@ -625,12 +626,13 @@ Please click the following link to activate your user account:
 * @return true|WP_Error True if the request is valid, a WP_Error object contains errors if not.
 */
 function wp_is_authorize_application_password_request_valid( $request, $user ) {
- $error = new WP_Error();
+ $error = new WP_Error();
+ $is_local = 'local' === wp_get_environment_type();
 if ( ! empty( $request['success_url'] ) ) {
 $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
- if ( 'http' === $scheme ) {
+ if ( 'http' === $scheme && ! $is_local ) {
 $error->add(
 'invalid_redirect_scheme',
 __( 'The success URL must be served over a secure connection.' )
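Review bot: The new `! $is_local` exemption on the `'http' === $scheme` check makes the HTTPS requirement for the success URL depend entirely on `wp_get_environment_type()`, so a production site that is mislabelled as `local` would silently accept plain-HTTP redirect targets; the reject URL check in the next hunk has the same dependency. Since the commit message describes these as application password responses, the redirect presumably carries the credential, which would then cross the network in cleartext (the redirect code is not visible here, so confirm). I would state that trust boundary in a comment above the assignment, for example `// HTTPS is waived only for the 'local' environment type; a production site must never report 'local' (see WP_ENVIRONMENT_TYPE).`, and mention it in the `@since 6.2.0` docblock line as well. The function body continues past the end of this hunk.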
@@ -641,7 +643,7 @@ function wp_is_authorize_application_password_request_valid( $request, $user ) {
 if ( ! empty( $request['reject_url'] ) ) {
 $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
- if ( 'http' === $scheme ) {
+ if ( 'http' === $scheme && ! $is_local ) {
 $error->add(
 'invalid_redirect_scheme',
 __( 'The rejection URL must be served over a secure connection.' )
diff --git a/wp-includes/version.php b/wp-includes/version.php
index ee7184aec8..93971dd787 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.2-alpha-55282';
+$wp_version = '6.2-alpha-55283';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.