WordPress.org

Ready to get started?Download WordPress

Forums

Active Directory Integration
Insecure Stylesheet Locations (2 posts)

  1. Curtiss Grymala
    Member
    Posted 3 years ago #

    When you have FORCE_SSL_ADMIN enabled within WordPress, the Active Directory Integration plug-in (among many others, unfortunately) still tries to serve the stylesheet from an insecure location, resulting in security warnings within the browser.

    The problem lies in the fact that the stylesheet is included using the WP_PLUGIN_URL constant. Instead, the plugins_url() function should be used. The WP_PLUGIN_URL does not get altered to account for the fact that the admin area is being served over SSL, while the plugins_url() function does account for that.

    Therefore, within the load_styles() function for AD Integration, this plug-in should use something along the lines of:
    wp_register_style('adintegration', plugins_url( '/css/adintegration.css', __FILE__ ),false, '1.7.1', 'screen');
    instead of:
    wp_register_style('adintegration', ( (IS_WPMU) ? WPMU_PLUGIN_URL : WP_PLUGIN_URL ).'/'.ADINTEGRATION_FOLDER.'/css/adintegration.css',false, '1.7.1', 'screen');

    In order to correct this issue on my system without having to modify the source of the plug-in (so that my changes won't be discarded upon upgrade to a new version of the plug-in), I've placed the following code into a file within my mu-plugins directory. This code does the following things:

    1. It moves the action of registering the new stylesheet from "admin_print_styles" to "admin_enqueue_scripts". Unfortunately, with the stylesheet registration occurring at the time the stylesheets are being printed to the screen, there was no opportunity to modify that stylesheet registration. By moving it, I can manipulate the stylesheet registration before it gets printed to the screen.
    2. It adds an action to the "admin_print_styles" hook.
    3. It then pulls in the stylesheet registration information for the adintegration stylesheet, unregisters it, modifies the source URL and then re-registers the stylesheet.

    It's far from perfect, but it seemed like a decent way to fix the issue without having to actually touch the source of the plug-in.

    Here's the code I used:

    /**
     * Fix the insecure stylesheet URLs for the Active Directory Integration plug-in
     */
    function trigger_ad_style_fix() {
    	if( class_exists( 'ADIntegrationPlugin' ) ) {
    		global $AD_Integration_plugin;
    		remove_action( 'admin_print_styles', array($AD_Integration_plugin, 'load_styles') );
    		add_action( 'admin_enqueue_scripts', array(&$AD_Integration_plugin, 'load_styles') );
    		add_action( 'admin_print_styles', 'fix_ad_integration_style_location' );
    	}
    }
    
    function fix_ad_integration_style_location() {
    	global $wp_styles;
    
    	if( array_key_exists( 'adintegration', $wp_styles->registered ) ) {
    		$tmp_ad_style = clone $wp_styles->registered['adintegration'];
    		wp_deregister_style( 'adintegration' );
    		wp_register_style( 'adintegration', ( $_SERVER['HTTPS'] ) ? str_replace( 'http:', 'https:', $tmp_ad_style->src ) : $tmp_ad_style->src, $tmp_ad_style->deps, $tmp_ad_style->ver, $tmp_ad_style->args );
    		wp_enqueue_style( 'adintegration' );
    	}
    }
    
    add_action('plugins_loaded','trigger_ad_style_fix');
  2. glatze
    Member
    Plugin Author

    Posted 3 years ago #

    Hi Curtis,
    thanks for your report. This bug is now fixed in the current development version 1.0-RC2 (Rev. 345258).

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic