Skip to:
Content

BuddyPress.org

Opened 12 years ago

Closed 12 years ago

#959 closed defect (bug) (fixed)

BP_PLUGIN_URL - "define" enhancement for partial SSL-enabled BP sites [Has Patch]

Reported by: r-a-y Owned by: jason_jm
Milestone: 1.1 Priority: major
Severity: Version:
Component: Keywords: Security, SSL, plug-in, url
Cc: jason_jm

Description

I've just started implementing SSL on a WPMU site I'm working on.

The default BP_PLUGIN_URL define uses WP_PLUGIN_URL which doesn't correctly redirect SSL requests over to their HTTPS equivalents.

In bp-core.php, instead of WP_PLUGIN_URL:

define( 'BP_PLUGIN_URL', WP_PLUGIN_URL . '/buddypress' );

I recommend using plugins_url() instead:

define( 'BP_PLUGIN_URL', plugins_url($path = '/buddypress') );

---

plugins_url() correctly switches all BP wp_enqueue_scripts/styles over to HTTPS.

More info here:
http://wpengineer.com/wordpress-plugin-path/

Attachments (1)

(JASON_JM)bp-core.php(959.1).patch (1.2 KB) - added by Jason_JM 12 years ago.
V1 of patch for ticket #959.

Download all attachments as: .zip

Change History (7)

#1 @r-a-y
12 years ago

I should note that although bp_core_get_root_domain() makes SSL sitewide, this enhancement is for sites not using SSL throughout the main site, but only on certain pages (eg. e-commerce sites - checkout pages, etc.).

#2 @r-a-y
12 years ago

  • Summary changed from BP_PLUGIN_URL - "define" enhancement for SSL-enabled BP sites to BP_PLUGIN_URL - "define" enhancement for partial SSL-enabled BP sites

#3 @jason_jm
12 years ago

  • Cc jason_jm added
  • Keywords SSL plug-in url added
  • Owner set to jason_jm
  • Status changed from new to accepted

I would like to take a look at this.

#4 @Jason_JM
12 years ago

  • Summary changed from BP_PLUGIN_URL - "define" enhancement for partial SSL-enabled BP sites to BP_PLUGIN_URL - "define" enhancement for partial SSL-enabled BP sites [Has Patch]
  • Type changed from enhancement to defect

R-a-y is right on this one.

==Trace of what goes on now==
[bp-core.php TRUNK @ 09.04.2009 ]
8: define( 'BP_PLUGIN_URL', WP_PLUGIN_URL . '/buddypress' );

[wp-settings.php TRUNK @ 09.04.2009]
410: if ( !defined('WP_PLUGIN_URL') )
411: define( 'WP_PLUGIN_URL', WP_CONTENT_URL . '/plugins' ); full url, no trailing slash

[wp-settings.php TRUNK @ 09.04.2009]
391: if ( !defined('WP_CONTENT_URL') )
392: define( 'WP_CONTENT_URL', get_option('siteurl') . '/wp-content'); full url - WP_CONTENT_DIR is defined further up

It is this call to "get_option('siteurl')" which obtains an hard-coded value from the database (put there during install time) to be http. The desired scheme may not always be http.

==R-A-Y's proposal==
Replacing the line in bp-core.php with the one recommended by R-A-Y should work well.

[bp-core.php PROPOSAL]
8: define( 'BP_PLUGIN_URL', plugins_url($path = '/buddypress');

plugins_url as of [TRUNK @ 09.04.2009] does a proper scheme lookup based on is_ssl().

==Patch==
Patch provided. Thanks R-A-Y!

@Jason_JM
12 years ago

V1 of patch for ticket #959.

#5 @Jason_JM
12 years ago

  • Keywords Security added
  • Priority changed from minor to major

Security & SSL related, bumping priority because of it.

#6 @apeatling
12 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

(In [1787]) Fixes #959 props r-a-y, jason_jm

Note: See TracTickets for help on using tickets.