Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improper generation of admin-ajax.php URL if FORCE_SSL_LOGIN is on #75

Open
janrenn opened this issue Mar 15, 2016 · 2 comments
Open

Improper generation of admin-ajax.php URL if FORCE_SSL_LOGIN is on #75

janrenn opened this issue Mar 15, 2016 · 2 comments
Labels
wontfix

Comments

@janrenn
Copy link

janrenn commented Mar 15, 2016

Consider WP configuration where admin is under HTTPS and frontend still on HTTP protocol (FORCE_SSL_ADMIN is on). wp-postratings.php then generates ajax_url using admin_url() without protocol check.

If one uses self-signed certificate (acceptable for admin login purposes), Postratings will not work - the AJAX POST request on admin-ajax.php by WP-Postratings will be blocked (visitor does not have the certificate among security exceptions). The line 169 of wp-postratings.php should better read:

'ajax_url' => admin_url('admin-ajax.php', ( is_ssl() ? 'https' : 'http' )),
@lesterchan
Copy link
Owner

That was the original code, the reason why I changed it is lesterchan/wp-polls#19 and it makes sense, so unlikely I will change this.

Also with Let's Encrypt, you can use a proper free SSL cert rather than a self-signed one.

@janrenn
Copy link
Author

janrenn commented Mar 15, 2016

Yes, you are right. There can be a dispute if it is more rare to use self-signed certificate for WP admin login or to augment FORCE_SSL_ADMIN with mod_rewrite what was the reason to change in lesterchan/wp-polls#19.

Notice that not null, but "admin" is default scheme, if you do not use second parameter in admin_url(), then set_url_scheme() tests is_ssl() || force_ssl_admin(). It thinks we are in Admin. But we are not, we're on public page. Should the plugin respect rather fact we call a component from admin folder or rather actual context? I really do not expect that any plugin will call HTTPS if only FORCE_SSL_ADMIN is on.

Anyway, it is disputed, the main issue here is WP architecture which uses admin folder calls for AJAX components from front-end, it should be separated. For those, who face issues with HTTPS calls from HTTP page as me: use admin_url filter to choose the intended plugin behavior, e.g.

// somewhere in functions.php
function repair_postratings_admin_ajax( $url, $path ) {
    if ( $path == 'admin-ajax.php' && is_ssl() == FALSE ) {
        return str_replace( 'https:', 'http:', $url );
    }
    return $url;
}
add_filter( 'admin_url', 'repair_postratings_admin_ajax', 20, 2 );

Thank you.

This was referenced Mar 15, 2016
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
wontfix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lesterchan @janrenn