WordPress/wp-includes/https-detection.php

182 lines
5.3 KiB
PHP

<?php
/**
* HTTPS detection functions.
*
* @package WordPress
* @since 5.7.0
*/
/**
* Checks whether the website is using HTTPS.
*
* This is based on whether the home and site URL are using HTTPS.
*
* @since 5.7.0
*
* @return bool True if using HTTPS, false otherwise.
*/
function wp_is_using_https() {
if ( 'https' !== wp_parse_url( home_url(), PHP_URL_SCHEME ) ) {
return false;
}
// Use direct option access for 'siteurl' and manually run the 'site_url'
// filter because site_url() will adjust the scheme based on what the
// current request is using.
/** This filter is documented in wp-includes/link-template.php */
$site_url = apply_filters( 'site_url', get_option( 'siteurl' ), '', null, null );
if ( 'https' !== wp_parse_url( $site_url, PHP_URL_SCHEME ) ) {
return false;
}
return true;
}
/**
* Checks whether HTTPS is supported for the server and domain.
*
* @since 5.7.0
*
* @return bool True if HTTPS is supported, false otherwise.
*/
function wp_is_https_supported() {
$https_detection_errors = get_option( 'https_detection_errors' );
// If option has never been set by the Cron hook before, run it on-the-fly as fallback.
if ( false === $https_detection_errors ) {
wp_update_https_detection_errors();
$https_detection_errors = get_option( 'https_detection_errors' );
}
// If there are no detection errors, HTTPS is supported.
return empty( $https_detection_errors );
}
/**
* Runs a remote HTTPS request to detect whether HTTPS supported, and stores potential errors.
*
* This internal function is called by a regular Cron hook to ensure HTTPS support is detected and maintained.
*
* @since 5.7.0
* @access private
*/
function wp_update_https_detection_errors() {
$support_errors = new WP_Error();
$response = wp_remote_request(
home_url( '/', 'https' ),
array(
'headers' => array(
'Cache-Control' => 'no-cache',
),
'sslverify' => true,
)
);
if ( is_wp_error( $response ) ) {
$unverified_response = wp_remote_request(
home_url( '/', 'https' ),
array(
'headers' => array(
'Cache-Control' => 'no-cache',
),
'sslverify' => false,
)
);
if ( is_wp_error( $unverified_response ) ) {
$support_errors->add(
$unverified_response->get_error_code(),
$unverified_response->get_error_message()
);
} else {
$support_errors->add(
'ssl_verification_failed',
$response->get_error_message()
);
}
$response = $unverified_response;
}
if ( ! is_wp_error( $response ) ) {
if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
$support_errors->add( 'bad_response_code', wp_remote_retrieve_response_message( $response ) );
} elseif ( false === wp_is_owned_html_output( wp_remote_retrieve_body( $response ) ) ) {
$support_errors->add( 'bad_response_source', __( 'It looks like the response did not come from this site.' ) );
}
}
update_option( 'https_detection_errors', $support_errors->errors );
}
/**
* Schedules the Cron hook for detecting HTTPS support.
*
* @since 5.7.0
* @access private
*/
function wp_schedule_https_detection() {
if ( ! wp_next_scheduled( 'wp_https_detection' ) ) {
wp_schedule_event( time(), 'twicedaily', 'wp_https_detection' );
}
}
/**
* Disables SSL verification if the 'cron_request' arguments include an HTTPS URL.
*
* This prevents an issue if HTTPS breaks, where there would be a failed attempt to verify HTTPS.
*
* @since 5.7.0
* @access private
*
* @param array $request The Cron request arguments.
* @return array $request The filtered Cron request arguments.
*/
function wp_cron_conditionally_prevent_sslverify( $request ) {
if ( 'https' === wp_parse_url( $request['url'], PHP_URL_SCHEME ) ) {
$request['args']['sslverify'] = false;
}
return $request;
}
/**
* Checks whether a given HTML string is likely an output from this WordPress site.
*
* This function attempts to check for various common WordPress patterns whether they are included in the HTML string.
* Since any of these actions may be disabled through third-party code, this function may also return null to indicate
* that it was not possible to determine ownership.
*
* @since 5.7.0
* @access private
*
* @param string $html Full HTML output string, e.g. from a HTTP response.
* @return bool|null True/false for whether HTML was generated by this site, null if unable to determine.
*/
function wp_is_owned_html_output( $html ) {
// 1. Check if HTML includes the site's Really Simple Discovery link.
if ( has_action( 'wp_head', 'rsd_link' ) ) {
$pattern = esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ); // See rsd_link().
return false !== strpos( $html, $pattern );
}
// 2. Check if HTML includes the site's Windows Live Writer manifest link.
if ( has_action( 'wp_head', 'wlwmanifest_link' ) ) {
// Try both HTTPS and HTTP since the URL depends on context.
$pattern = preg_replace( '#^https?:(?=//)#', '', includes_url( 'wlwmanifest.xml' ) ); // See wlwmanifest_link().
return false !== strpos( $html, $pattern );
}
// 3. Check if HTML includes the site's REST API link.
if ( has_action( 'wp_head', 'rest_output_link_wp_head' ) ) {
// Try both HTTPS and HTTP since the URL depends on context.
$pattern = esc_url( preg_replace( '#^https?:(?=//)#', '', get_rest_url() ) ); // See rest_output_link_wp_head().
return false !== strpos( $html, $pattern );
}
// Otherwise the result cannot be determined.
return null;
}