diff --git a/wp-admin/admin-header.php b/wp-admin/admin-header.php index 69b61281fb..830171f926 100644 --- a/wp-admin/admin-header.php +++ b/wp-admin/admin-header.php @@ -85,7 +85,7 @@ if ( ($is_gecko || $is_winIE) && strpos(strtolower($_SERVER['HTTP_USER_AGENT']),

-
+
@@ -109,7 +109,7 @@ if ( ($is_gecko || $is_winIE) && strpos(strtolower($_SERVER['HTTP_USER_AGENT']), -

%2$s!'), 'profile.php', $user_identity) ?> | | Help') ?> | Forums') ?> |

+

%2$s!'), 'profile.php', $user_identity) ?> | | Help') ?> | Forums') ?> |

-' onclick="self.location='/wp-admin/edit-comments.php';" /> +' onclick="self.location='" /> @@ -146,7 +146,7 @@ case 'deletecomment' : else if ( '' != wp_get_original_referer() && false == $noredir ) wp_redirect( wp_get_original_referer() ); else - wp_redirect( get_option('siteurl') . '/wp-admin/edit-comments.php' ); + wp_redirect( admin_url('edit-comments.php') ); die; break; @@ -171,7 +171,7 @@ case 'unapprovecomment' : if ( '' != wp_get_referer() && false == $noredir ) wp_redirect( wp_get_referer() ); else - wp_redirect( get_option('siteurl') . '/wp-admin/edit.php?p=' . absint( $comment->comment_post_ID ) . '#comments' ); + wp_redirect( admin_url('edit.php?p=' . absint( $comment->comment_post_ID ) . '#comments') ); exit(); break; @@ -200,7 +200,7 @@ case 'approvecomment' : if ( '' != wp_get_referer() && false == $noredir ) wp_redirect( wp_get_referer() ); else - wp_redirect( get_option('siteurl') . '/wp-admin/edit.php?p=' . absint( $comment->comment_post_ID ) . '#comments' ); + wp_redirect( admin_url('edit.php?p=' . absint( $comment->comment_post_ID ) . '#comments') ); exit(); break; diff --git a/wp-admin/custom-header.php b/wp-admin/custom-header.php index c54d9a9241..b1f583d144 100644 --- a/wp-admin/custom-header.php +++ b/wp-admin/custom-header.php @@ -189,7 +189,7 @@ Event.observe( window, 'load', hide_text );
-
+ diff --git a/wp-admin/edit-pages.php b/wp-admin/edit-pages.php index 20249a075a..0f93d977a7 100644 --- a/wp-admin/edit-pages.php +++ b/wp-admin/edit-pages.php @@ -20,8 +20,8 @@ if ( isset($_GET['deleteit']) && isset($_GET['delete']) ) { } $sendback = wp_get_referer(); - if (strpos($sendback, 'page.php') !== false) $sendback = get_option('siteurl') .'/wp-admin/page-new.php'; - elseif (strpos($sendback, 'attachments.php') !== false) $sendback = get_option('siteurl') .'/wp-admin/attachments.php'; + if (strpos($sendback, 'page.php') !== false) $sendback = admin_url('page-new.php'); + elseif (strpos($sendback, 'attachments.php') !== false) $sendback = admin_url('attachments.php'); $sendback = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $sendback); wp_redirect($sendback); diff --git a/wp-admin/edit.php b/wp-admin/edit.php index b2a8e99d43..467a9bb540 100644 --- a/wp-admin/edit.php +++ b/wp-admin/edit.php @@ -20,8 +20,8 @@ if ( isset($_GET['deleteit']) && isset($_GET['delete']) ) { } $sendback = wp_get_referer(); - if (strpos($sendback, 'post.php') !== false) $sendback = get_option('siteurl') .'/wp-admin/post-new.php'; - elseif (strpos($sendback, 'attachments.php') !== false) $sendback = get_option('siteurl') .'/wp-admin/attachments.php'; + if (strpos($sendback, 'post.php') !== false) $sendback = admin_url('post-new.php'); + elseif (strpos($sendback, 'attachments.php') !== false) $sendback = admin_url('attachments.php'); $sendback = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $sendback); wp_redirect($sendback); diff --git a/wp-admin/includes/dashboard.php b/wp-admin/includes/dashboard.php index 9346ece149..685ffac006 100644 --- a/wp-admin/includes/dashboard.php +++ b/wp-admin/includes/dashboard.php 
@@ -225,7 +225,7 @@ function wp_dashboard_dynamic_sidebar_params( $params ) { } if ( $widget_feed_link ) - $links[] = '' . __( 'rss icon' ) . ' ' . __( 'RSS' ) . ''; + $links[] = '' . __( 'rss icon' ) . ' ' . __( 'RSS' ) . ''; $links = apply_filters( "wp_dashboard_widget_links_$widget_id", $links ); diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php index 47d442d882..0e34137969 100644 --- a/wp-admin/includes/media.php +++ b/wp-admin/includes/media.php @@ -753,7 +753,7 @@ function media_upload_header() { function media_upload_form( $errors = null ) { global $type, $tab; - $flash_action_url = get_option('siteurl') . "/wp-admin/async-upload.php"; + $flash_action_url = admin_url('async-upload.php'); // If Mac and mod_security, no Flash. :( $flash = true; @@ -784,7 +784,7 @@ function media_upload_form( $errors = null ) { jQuery(function($){ swfu = new SWFUpload({ upload_url : "", - flash_url : "", + flash_url : "", file_post_name: "async-upload", file_types: "", post_params : { @@ -844,7 +844,7 @@ function media_upload_type_form($type = 'file', $errors = null, $id = null) { $post_id = intval($_REQUEST['post_id']); - $form_action_url = get_option('siteurl') . "/wp-admin/media-upload.php?type=$type&tab=type&post_id=$post_id"; + $form_action_url = admin_url("media-upload.php?type=$type&tab=type&post_id=$post_id"); $form_action_url = apply_filters('media_upload_form_url', $form_action_url, $type); $callback = "type_form_$type"; @@ -895,7 +895,7 @@ function media_upload_gallery_form($errors) { $post_id = intval($_REQUEST['post_id']); - $form_action_url = get_option('siteurl') . "/wp-admin/media-upload.php?type={$GLOBALS['type']}&tab=gallery&post_id=$post_id"; + $form_action_url = admin_url("media-upload.php?type={$GLOBALS['type']}&tab=gallery&post_id=$post_id"); ?> 
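Review bot: At the `$form_action_url = admin_url("media-upload.php?type=$type&tab=type&post_id=$post_id")` line, admin_url() silently returns the bare `/wp-admin/` URL whenever the path contains `..`, so a `$type` value carrying that sequence would make the upload form post to the admin index instead of failing visibly; the same applies to the `{$GLOBALS['type']}` paths in the -895 and -934 hunks. `$type` is a global here and its origin is outside the hunk; if it can come from request input, validate it against the known tab types before building the URL, or build the query with `add_query_arg()` on `admin_url('media-upload.php')` so `$type` is encoded rather than interpolated. media_upload_type_form() continues outside the hunk.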
@@ -934,7 +934,7 @@ function media_upload_library_form($errors) { $post_id = intval($_REQUEST['post_id']); - $form_action_url = get_option('siteurl') . "/wp-admin/media-upload.php?type={$GLOBALS['type']}&tab=library&post_id=$post_id"; + $form_action_url = admin_url("media-upload.php?type={$GLOBALS['type']}&tab=library&post_id=$post_id"); $_GET['paged'] = intval($_GET['paged']); if ( $_GET['paged'] < 1 ) diff --git a/wp-admin/page.php b/wp-admin/page.php index 523ddd7fa1..181a3049c6 100644 --- a/wp-admin/page.php +++ b/wp-admin/page.php @@ -148,8 +148,8 @@ case 'delete': } $sendback = wp_get_referer(); - if (strpos($sendback, 'page.php') !== false) $sendback = get_option('siteurl') .'/wp-admin/page.php'; - elseif (strpos($sendback, 'attachments.php') !== false) $sendback = get_option('siteurl') .'/wp-admin/attachments.php'; + if (strpos($sendback, 'page.php') !== false) $sendback = admin_url('page.php'); + elseif (strpos($sendback, 'attachments.php') !== false) $sendback = admin_url('attachments.php'); $sendback = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $sendback); wp_redirect($sendback); exit(); diff --git a/wp-admin/post.php b/wp-admin/post.php index c07e1b7acd..a5619a438b 100644 --- a/wp-admin/post.php +++ b/wp-admin/post.php @@ -159,8 +159,8 @@ case 'delete': } $sendback = wp_get_referer(); - if (strpos($sendback, 'post.php') !== false) $sendback = get_option('siteurl') .'/wp-admin/post-new.php'; - elseif (strpos($sendback, 'attachments.php') !== false) $sendback = get_option('siteurl') .'/wp-admin/attachments.php'; + if (strpos($sendback, 'post.php') !== false) $sendback = admin_url('post-new.php'); + elseif (strpos($sendback, 'attachments.php') !== false) $sendback = admin_url('attachments.php'); $sendback = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $sendback); wp_redirect($sendback); exit(); diff --git a/wp-admin/themes.php b/wp-admin/themes.php index f50361dba2..252c6da747 100644 --- a/wp-admin/themes.php +++ b/wp-admin/themes.php 
@@ -57,7 +57,7 @@ $themes = array_slice( $themes, $start, $per_page );

screenshot ) : ?> -<?php _e('Current theme preview'); ?> +<?php _e('Current theme preview'); ?>

title, $ct->version, $ct->author) ; ?>

description; ?>

@@ -126,7 +126,7 @@ foreach ( $cols as $col => $theme_name ) { ?> - +

diff --git a/wp-admin/users.php b/wp-admin/users.php index 9dd2918971..f032e41391 100644 --- a/wp-admin/users.php +++ b/wp-admin/users.php @@ -396,9 +396,9 @@ foreach ( $wp_user_search->get_results() as $userid ) { ' . sprintf(__('Users can register themselves or you can manually create users here.'), get_option('siteurl').'/wp-register.php') . '

'; + echo '

' . sprintf(__('Users can register themselves or you can manually create users here.'), site_url('wp-register.php')) . '

'; else - echo '

' . sprintf(__('Users cannot currently register themselves, but you can manually create users here.'), get_option('siteurl').'/wp-admin/options-general.php#users_can_register') . '

'; + echo '

' . sprintf(__('Users cannot currently register themselves, but you can manually create users here.'), admin_url('options-general.php#users_can_register')) . '

'; ?> diff --git a/wp-includes/functions.php b/wp-includes/functions.php index 96c99b622d..4ec9d94a73 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -1765,4 +1765,7 @@ function validate_file( $file, $allowed_files = '' ) { return 0; } +function is_ssl() { + return ( 'on' == strtolower($_SERVER['HTTPS']) ) ? true : false; +} ?> diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php index 2bd10c8ee8..f3e976f356 100644 --- a/wp-includes/general-template.php +++ b/wp-includes/general-template.php @@ -1139,7 +1139,7 @@ function wp_admin_css_uri( $file = 'wp-admin' ) { if ( defined('WP_INSTALLING') ) { $_file = "./$file.css"; } else { - $_file = get_option( 'siteurl' ) . "/wp-admin/$file.css"; + $_file = admin_url("$file.css"); } $_file = add_query_arg( 'version', get_bloginfo( 'version' ), $_file ); diff --git a/wp-includes/link-template.php b/wp-includes/link-template.php index 835c69f49b..77a3e85aa3 100644 --- a/wp-includes/link-template.php +++ b/wp-includes/link-template.php 
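Review bot: `is_ssl()` reads `$_SERVER['HTTPS']` unconditionally, which raises an undefined-index notice on every plain-http request and, because it accepts only the literal `on`, reports false on server configurations that set the variable to `1`; behind a TLS-terminating proxy that never sets it at all, every caller in this commit (secure cookie selection, the FORCE_SSL_LOGIN redirect) will treat an https session as http. Suggested body: `if ( !isset($_SERVER['HTTPS']) ) return false; return ( 'on' == strtolower($_SERVER['HTTPS']) || '1' == $_SERVER['HTTPS'] );` — the `? true : false` on an expression that is already boolean is redundant. A docblock should state that the check relies on PHP seeing the TLS connection directly, so proxied deployments must populate `$_SERVER['HTTPS']` themselves.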
@@ -774,4 +774,42 @@ function get_shortcut_link() { return apply_filters('shortcut_link', $link); } + +// return the site_url option, using https if is_ssl() is true +// if $scheme is 'http' or 'https' it will override is_ssl() +function site_url($path = '', $scheme = null) { + // should the list of allowed schemes be maintained elsewhere? + if ( !in_array($scheme, array('http', 'https')) ) + $scheme = ( is_ssl() ? 'https' : 'http' ); + + $url = str_replace( 'http://', "{$scheme}://", get_option('siteurl') ); + + if ( !empty($path) && is_string($path) && strpos($path, '..') === false ) + $url .= '/' . ltrim($path, '/'); + + return $url; +} + +function admin_url($path = '') { + global $_wp_admin_url; + + $url = site_url() . '/wp-admin/'; + + if ( !empty($path) && is_string($path) && strpos($path, '..') === false ) + $url .= ltrim($path, '/'); + + return $url; +} + +function includes_url($path = '') { + global $_wp_includes_url; + + $url = site_url() . '/' . WPINC . '/'; + + if ( !empty($path) && is_string($path) && strpos($path, '..') === false ) + $url .= ltrim($path, '/'); + + return $url; +} + ?> diff --git a/wp-includes/media.php b/wp-includes/media.php index e25fd33189..23bcdf364c 100644 --- a/wp-includes/media.php +++ b/wp-includes/media.php @@ -306,7 +306,7 @@ function wp_get_attachment_image_src($attachment_id, $size='thumbnail', $icon = return $image; if ( $icon && $src = wp_mime_type_icon($attachment_id) ) { - $icon_dir = apply_filters( 'icon_dir', ABSPATH . WPINC . '/images/crystal' ); + $icon_dir = apply_filters( 'icon_dir', includes_url('images/crystal') ); $src_file = $icon_dir . '/' . basename($src); @list($width, $height) = getimagesize($src_file); } diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index 8e3b6db218..f666e192fc 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php 
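Review bot: `admin_url()` and `includes_url()` each declare `global $_wp_admin_url` / `global $_wp_includes_url` but never read or write them, so those lines are dead and should be dropped or the variables actually used. In `site_url()`, `in_array($scheme, array('http', 'https'))` is a loose comparison, so a caller passing `true` is accepted and the result becomes `1://…`; use `in_array($scheme, array('http', 'https'), true)`. The `strpos($path, '..') === false` guard in all three functions drops the whole path silently and returns the base URL, which callers cannot distinguish from success — at minimum the header comment should say so, e.g. `// a $path containing '..' is ignored and the bare URL is returned`. Note also that `str_replace('http://', ...)` leaves an already-https siteurl untouched when `$scheme` is 'http', which is acceptable but worth a comment.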
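Review bot: Changing the `icon_dir` filter value from a filesystem path to `includes_url('images/crystal')` makes `$src_file` on the next line a URL, so the `@getimagesize($src_file)` call two lines down now performs an HTTP fetch of the site by itself for every icon lookup (and fails silently under `@` when `allow_url_fopen` is off) instead of reading a local file. Keep the filter on a filesystem directory for the size lookup, `$icon_dir = apply_filters( 'icon_dir', ABSPATH . WPINC . '/images/crystal' );`, and use `includes_url('images/crystal')` only where the value is emitted as a URL. wp_get_attachment_image_src() continues outside the hunk, so how `$icon_dir` is used afterwards cannot be checked here.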
@@ -469,9 +469,14 @@ if ( !function_exists('wp_validate_auth_cookie') ) : */ function wp_validate_auth_cookie($cookie = '') { if ( empty($cookie) ) { - if ( empty($_COOKIE[AUTH_COOKIE]) ) + if ( is_ssl() ) + $cookie_name = SECURE_AUTH_COOKIE; + else + $cookie_name = AUTH_COOKIE; + + if ( empty($_COOKIE[$cookie_name]) ) return false; - $cookie = $_COOKIE[AUTH_COOKIE]; + $cookie = $_COOKIE[$cookie_name]; } $cookie_elements = explode('|', $cookie); @@ -514,9 +519,10 @@ if ( !function_exists('wp_generate_auth_cookie') ) : * * @param int $user_id User ID * @param int $expiration Cookie expiration in seconds + * @param bool $secure Whether the cookie is for https delivery only or not. Not used by default. For plugin use. * @return string Authentication cookie contents */ -function wp_generate_auth_cookie($user_id, $expiration) { +function wp_generate_auth_cookie($user_id, $expiration, $secure = false) { $user = get_userdata($user_id); $key = wp_hash($user->user_login . '|' . $expiration); @@ -524,7 +530,7 @@ function wp_generate_auth_cookie($user_id, $expiration) { $cookie = $user->user_login . '|' . $expiration . '|' . $hash; - return apply_filters('auth_cookie', $cookie, $user_id, $expiration); + return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $secure); } endif; 
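Review bot: With the cookie name now chosen by `is_ssl()` when `$cookie` is empty, `wp_validate_auth_cookie()` returns false on an https request for a user who holds only `AUTH_COOKIE` (and vice versa), so its result depends on the request scheme; the function's docblock, which starts above the hunk, should document that, e.g. `@param string $cookie Optional. When empty, SECURE_AUTH_COOKIE is read over https and AUTH_COOKIE otherwise.` Separately, in the -514/-524 hunks the new `$secure` parameter of `wp_generate_auth_cookie()` is only forwarded to the `auth_cookie` filter and never enters `wp_hash()`, so the secure and plain cookies for the same user and expiration are the identical string and the `Secure` attribute is the only thing distinguishing them. Consider mixing the cookie kind into the hashed material, e.g. `$key = wp_hash($user->user_login . '|' . $expiration . '|' . ($secure ? 'secure' : 'auth'));`, with the matching change on the validation side, whose hash recomputation is outside this hunk.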
@@ -550,13 +556,21 @@ function wp_set_auth_cookie($user_id, $remember = false) { $expire = 0; } - $cookie = wp_generate_auth_cookie($user_id, $expiration); + if ( is_ssl() ) { + $secure = true; + $cookie_name = SECURE_AUTH_COOKIE; + } else { + $secure = false; + $cookie_name = AUTH_COOKIE; + } - do_action('set_auth_cookie', $cookie, $expire); + $cookie = wp_generate_auth_cookie($user_id, $expiration, $secure); - setcookie(AUTH_COOKIE, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN); + do_action('set_auth_cookie', $cookie, $expire, $secure); + + setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure); if ( COOKIEPATH != SITECOOKIEPATH ) - setcookie(AUTH_COOKIE, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN); + setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure); } endif; @@ -569,6 +583,8 @@ if ( !function_exists('wp_clear_auth_cookie') ) : function wp_clear_auth_cookie() { setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); + setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); + setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); // Old cookies setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 
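Review bot: Because `wp_set_auth_cookie()` now sets only `SECURE_AUTH_COOKIE` when `is_ssl()` is true, while the validation hunk reads `AUTH_COOKIE` on plain-http requests, a user who logs in over https is seen as logged out on any http page of the same site; if that split is intentional it belongs in the function's docblock (above the hunk), e.g. `Over https only the Secure cookie is set, so the session is not visible to http requests.` The `set_auth_cookie` action now receives a third `$secure` argument, which its documentation should mention. The clearing hunk (-569) expires both names, which is consistent with this.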
@@ -604,14 +620,36 @@ if ( !function_exists('auth_redirect') ) : */ function auth_redirect() { // Checks if a user is logged in, if not redirects them to the login page - if ( (!empty($_COOKIE[AUTH_COOKIE]) && - !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE])) || - (empty($_COOKIE[AUTH_COOKIE])) ) { - nocache_headers(); - wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI'])); - exit(); + if ( is_ssl() || (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) ) + $secure = true; + else + $secure = false; + + // If https is required and request is http, redirect + if ( $secure && !is_ssl() ) { + if ( false !== strpos($_SERVER['REQUEST_URI'], 'http') ) { + wp_redirect(str_replace('http://', 'https://', $_SERVER['REQUEST_URI'])); + exit(); + } else { + wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); + exit(); + } } + + if ( wp_validate_auth_cookie() ) + return; // The cookie is good so we're done + + // The cookie is no good so force login + nocache_headers(); + + $login_url = get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']); + + // Redirect to https if connection is secure + if ( $secure ) + $login_url = str_replace('http://', 'https://', $login_url); + wp_redirect($login_url); + exit(); } endif; diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php index de4540a769..60efcf6377 100644 --- a/wp-includes/script-loader.php +++ b/wp-includes/script-loader.php @@ -7,7 +7,7 @@ require( ABSPATH . WPINC . '/class.wp-styles.php' ); require( ABSPATH . WPINC . '/functions.wp-styles.php' ); function wp_default_scripts( &$scripts ) { - $scripts->base_url = get_option( 'siteurl' ); + $scripts->base_url = site_url(); $scripts->default_version = get_bloginfo( 'version' ); $scripts->add( 'common', '/wp-admin/js/common.js', array('jquery'), '20080318' ); 
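Review bot: The `false !== strpos($_SERVER['REQUEST_URI'], 'http')` test is a substring match, so a request whose path or query merely contains `http` (a `redirect_to` parameter, for instance) takes the first branch, `str_replace()` finds no `http://` to rewrite, and the browser is sent back to the same http URL, repeating until the client gives up; only an absolute-form request URI should take that path, `if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http://') )`. Both branches also build the target from request headers (`REQUEST_URI`, `HTTP_HOST`), so unless wp_redirect() constrains the host — not visible here — the https host should come from the configured site URL rather than the request. Further down, `$login_url` still concatenates `get_option('siteurl')` while the rest of this commit switched to site_url(); `$login_url = site_url('wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']), $secure ? 'https' : 'http');` replaces those three lines including the later `str_replace`. The docblock for auth_redirect() starts above the hunk and should mention the FORCE_SSL_LOGIN behaviour.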
@@ -50,7 +50,7 @@ function wp_default_scripts( &$scripts ) { $scripts->add( 'wp-lists', '/wp-includes/js/wp-lists.js', array('wp-ajax-response'), '20080411' ); $scripts->localize( 'wp-lists', 'wpListL10n', array( - 'url' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php' + 'url' => admin_url('admin-ajax.php') ) ); $scripts->add( 'scriptaculous-root', '/wp-includes/js/scriptaculous/scriptaculous.js', array('prototype'), '1.8.0'); @@ -129,11 +129,11 @@ function wp_default_scripts( &$scripts ) { $scripts->add( 'upload', '/wp-admin/js/upload.js', array('jquery'), '20070518' ); $scripts->add( 'postbox', '/wp-admin/js/postbox.js', array('jquery'), '20080128' ); $scripts->localize( 'postbox', 'postboxL10n', array( - 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php', + 'requestFile' => admin_url('admin-ajax.php'), ) ); $scripts->add( 'slug', '/wp-admin/js/slug.js', array('jquery'), '20080208' ); $scripts->localize( 'slug', 'slugL10n', array( - 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php', + 'requestFile' => admin_url('admin-ajax.php'), 'save' => __('Save'), 'cancel' => __('Cancel'), ) ); @@ -204,7 +204,7 @@ function wp_default_scripts( &$scripts ) { } function wp_default_styles( &$styles ) { - $styles->base_url = get_option( 'siteurl' ); + $styles->base_url = site_url(); $styles->default_version = get_bloginfo( 'version' ); $styles->text_direction = 'rtl' == get_bloginfo( 'text_direction' ) ? 'rtl' : 'ltr'; @@ -258,7 +258,7 @@ function wp_just_in_time_script_localization() { 'autosaveInterval' => AUTOSAVE_INTERVAL, 'previewPageText' => __('Preview this Page'), 'previewPostText' => __('Preview this Post'), - 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php', + 'requestFile' => admin_url('admin-ajax.php'), 'savingText' => __('Saving Draft…') ) ); } diff --git a/wp-login.php b/wp-login.php index 9e739c6631..761b7e6870 100644 --- a/wp-login.php +++ b/wp-login.php 
@@ -137,7 +137,7 @@ function retrieve_password() { $message .= get_option('siteurl') . "\r\n\r\n"; $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n"; $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n"; - $message .= get_option('siteurl') . "/wp-login.php?action=rp&key=$key\r\n"; + $message .= site_url("wp-login.php?action=rp&key=$key") . "\r\n"; if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) ) die('

' . __('The e-mail could not be sent.') . "
\n" . __('Possible reason: your host may have disabled the mail() function...') . '

'); @@ -174,7 +174,7 @@ function reset_password($key) { wp_set_password($new_pass, $user->ID); $message = sprintf(__('Username: %s'), $user->user_login) . "\r\n"; $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n"; - $message .= get_option('siteurl') . "/wp-login.php\r\n"; + $message .= site_url('wp-login.php') . "\r\n"; if ( !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) ) die('
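Review bot: `site_url("wp-login.php?action=rp&key=$key")` picks its scheme from `is_ssl()` at the moment the reset request is handled, so the reset link mailed to the user is http whenever the form was submitted over http, even on sites that define FORCE_SSL_LOGIN; the -174 hunk's `site_url('wp-login.php')` has the same dependence. Pass the scheme explicitly where the login must be secure, e.g. `site_url("wp-login.php?action=rp&key=$key", (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) ? 'https' : null)`. retrieve_password() continues outside the hunk.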

' . __('The e-mail could not be sent.') . "
\n" . __('Possible reason: your host may have disabled the mail() function...') . '

'); @@ -405,7 +405,7 @@ default: if ( !is_wp_error($user) ) { // If the user can't edit posts, send them to their profile. if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) ) - $redirect_to = get_option('siteurl') . '/wp-admin/profile.php'; + $redirect_to = admin_url('profile.php'); wp_safe_redirect($redirect_to); exit(); } diff --git a/wp-settings.php b/wp-settings.php index 6bc4dc46ac..0ba723c123 100644 --- a/wp-settings.php +++ b/wp-settings.php @@ -309,6 +309,13 @@ if ( !defined('PASS_COOKIE') ) if ( !defined('AUTH_COOKIE') ) define('AUTH_COOKIE', 'wordpress_' . COOKIEHASH); +/** + * It is possible to define this in wp-config.php + * @since 2.6 + */ +if ( !defined('SECURE_AUTH_COOKIE') ) + define('SECURE_AUTH_COOKIE', 'wordpress_sec_' . COOKIEHASH); + /** * It is possible to define this in wp-config.php * @since 2.3.0
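Review bot: The docblock on the new `SECURE_AUTH_COOKIE` constant only repeats the "It is possible to define this in wp-config.php" line and does not say what the cookie is, so readers of wp-settings.php cannot tell it from `AUTH_COOKIE`; add a sentence such as `Name of the authentication cookie that is only sent over https; used instead of AUTH_COOKIE when is_ssl() is true.` It is also worth noting there that an override must stay distinct from AUTH_COOKIE, since the cookie-clearing code in this commit expires both names separately.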