6 Commits

Author SHA1 Message Date
Sergey Biryukov 1adcc5bb83 Security, Site Health: Do not store HTTPS request error messages in an option.
This changes the logic in `update_https_detection_errors()` to never store error messages from the actual request since they could use a different encoding, which would make storing them in an option potentially fail, leading WordPress to then falsely assume that HTTPS is supported.

While this doesn't actually fix the encoding issue, it is not crucial to do so anyway, since these messages are not used anywhere. A simple differentiation between whether the overall HTTPS request or only the SSL verification failed should be sufficient for the purpose of this function.

Props flixos90, tmatsuur, lukecarbis.
Reviewed by flixos90, SergeyBiryukov.
Merges [50471] to the 5.7 branch.
Fixes #52484.
Built from https://develop.svn.wordpress.org/branches/5.7@50472


git-svn-id: http://core.svn.wordpress.org/branches/5.7@50083 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-03-02 15:16:02 +00:00
Felix Arntz f7fd9adee1 Security: Fix bug in `wp_is_local_html_output()`.
Prior to this changeset, the check for the correct RSD link output was relying on a specific protocol, although it needs to accept both the HTTP and HTTPS version of the URL.

Props TimothyBlynJacobs.
Fixes #52542. See #47577.

Built from https://develop.svn.wordpress.org/trunk@50391


git-svn-id: http://core.svn.wordpress.org/trunk@50002 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-19 21:13:08 +00:00
Felix Arntz d9d883468b Security: Allow short-circuiting the `wp_update_https_detection_errors()` process.
This changeset introduces a `pre_wp_update_https_detection_errors` filter which can be used to short-circuit the default logic for detecting problems with HTTPS support for the site, by returning a `WP_Error` object.

Props timothyblynjacobs.
See #47577.

Built from https://develop.svn.wordpress.org/trunk@50075


git-svn-id: http://core.svn.wordpress.org/trunk@49775 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-29 20:00:02 +00:00
Felix Arntz 9d348e26f3 Security, Site Health: Improve accuracy in messaging about HTTPS support.
Following up on [49904], this changeset focuses mainly on improving the guidance about the current state of HTTPS in Site Health.

* Correct the existing copy to indicate that both the Site Address and the WordPress Address need to be changed to fully switch to HTTPS.
* Link to the respective input fields via anchor links rather than to the overall General Settings screen.
* Show different copy if the site is using HTTPS for the WordPress Address (for example to have only the administration panel in HTTPS), but not for the Site Address.
* Inform the user about potential problems even when the site is already using HTTPS, for example if the SSL certificate was no longer valid.
* Always rely on fresh information for determining HTTPS support issues in Site Health, and therefore change the `https_status` test to become asynchronous.
* Rename the new private `wp_is_owned_html_output()` function to a more appropriate `wp_is_local_html_output()`.

Props adamsilverstein, flixos90, johnjamesjacoby, timothyblynjacobs.
See #47577.

Built from https://develop.svn.wordpress.org/trunk@50072


git-svn-id: http://core.svn.wordpress.org/trunk@49773 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-29 19:10:58 +00:00
Gary Pendergast 4dc59b954a Site Health: Check that WordPress is installed before scheduling the HTTPS cron.
Trying to schedule cron jobs before WordPress is installed results in DB errors, which is suboptimal.

See #47577.


Built from https://develop.svn.wordpress.org/trunk@49909


git-svn-id: http://core.svn.wordpress.org/trunk@49608 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-28 01:45:06 +00:00
Felix Arntz c81db1f6e6 Security, Site Health: Detect HTTPS support and encourage switching.
This changeset modifies the Site Health panel for HTTPS to provide more accurate recommendations based on whether the environment is already set up for HTTPS.

* Introduces `wp_is_using_https()` to check whether the site is configured to use HTTPS (via its Site Address and WordPress Address).
* Introduces `wp_is_https_supported()` to check whether the environment supports HTTPS. This relies on a cron job which periodically checks support using a loopback request.

Props Clorith, flixos90, miinasikk, westonruter.
Fixes #47577.

Built from https://develop.svn.wordpress.org/trunk@49904


git-svn-id: http://core.svn.wordpress.org/trunk@49603 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-23 19:13:04 +00:00