Issue with update code and HTTPS redirect

  • ls5302

    (@ls5302)


    12 years ago

    There appears to be an issue with the code that updates from bwps_enable_ssl to itsec_enable_ssl meta_key.

    I noticed this because pages which were previously forced to SSL stopped being redirected. The code I believe is at fault is in ssl_redirect method of the ITSEC_SSL class.

    $bwps_ssl    = get_post_meta( $post->ID, 'bwps_enable_ssl', true );

if ( $bwps_ssl == true ) {
	delete_post_meta( $post->ID, 'bwps_enable_ssl' );
	update_post_meta( $post->ID, 'itsec_enable_ssl', true );
} elseif ( $bwps_ssl == false ) {
	delete_post_meta( $post->ID, 'bwps_enable_ssl' );
	update_post_meta( $post->ID, 'itsec_enable_ssl', false );
}

    I think the issue is caused because get_post_meta returns an empty string when the ‘bwps_enable_ssl’ meta_key does not exist. When compared with ==, an empty string evaluates to false, and thus itsec_enable_ssl is set to empty in the database. Adding an explicit test for an empty string ( ” != $bwps_ssl ) would fix this.

    I also think, the upgrade code may be “bad” because the first time a legacy HTTPS page is viewed it is does not redirect to HTTPS. Moving the code from line 54 to 68 would fix this issue.

    https://wordpress.org/plugins/better-wp-security/

Viewing 15 replies - 1 through 15 (of 15 total)
  • Thread Starter ls5302

    (@ls5302)

    12 years ago

    This revised code appears to work for me…

    $bwps_ssl = get_post_meta( $post->ID, 'bwps_enable_ssl', true );

if ( $bwps_ssl == true ) {

	delete_post_meta( $post->ID, 'bwps_enable_ssl' );
	update_post_meta( $post->ID, 'itsec_enable_ssl', true );

} elseif ( '' != $bwps_ssl && $bwps_ssl == false ) {

	delete_post_meta( $post->ID, 'bwps_enable_ssl' );
	update_post_meta( $post->ID, 'itsec_enable_ssl', false );

}

$require_ssl = get_post_meta( $post->ID, 'itsec_enable_ssl', true );
    wpdv

    (@wpdv)

    12 years ago

    WoW! Have you heard anything from the developer re your suggested fix?

    wpdv

    (@wpdv)

    12 years ago

    I cannot find the better-wp-secuity or ithemes in my plugins folder thru ftp. It’s there when viewed and setup in my wp dashboard. Very strange. I thought I had fixed it with your code above, however, I updated the wrong site. So, I deleted iThemes from my WP dashboard and reinstalled and it is still not in my plugins folder. I have refreshed and have hidden folders showing. Any suggestions where else this plugin might be located? I do see an iThemes folder in my uploads folder, but that is it.

    wpdv

    (@wpdv)

    12 years ago

    This first line of code was already existing within the class-itsec-ssl file $require_ssl = get_post_meta( $post->ID, 'itsec_enable_ssl', true ); … I see you have added it to the bottom of your suggested code. Should this first instance be deleted or kept? Thanks!

    $require_ssl = get_post_meta( $post->ID, 'itsec_enable_ssl', true );
			$bwps_ssl = get_post_meta( $post->ID, 'bwps_enable_ssl', true );

if ( $bwps_ssl == true ) {

	delete_post_meta( $post->ID, 'bwps_enable_ssl' );
	update_post_meta( $post->ID, 'itsec_enable_ssl', true );

} elseif ( '' != $bwps_ssl && $bwps_ssl == false ) {

	delete_post_meta( $post->ID, 'bwps_enable_ssl' );
	update_post_meta( $post->ID, 'itsec_enable_ssl', false );

}

$require_ssl = get_post_meta( $post->ID, 'itsec_enable_ssl', true );
    wpdv

    (@wpdv)

    12 years ago

    I left the aforementioned original line of code intact and now everything appears to be working exactly as it should. Thank you very much for your suggestion!

    Thread Starter ls5302

    (@ls5302)

    12 years ago

    I’m pleased it has helped.

    I moved the itsec_enable_ssl get_post_meta function call because otherwise the first time the code is used to display an SSL page it will not be redirect to use HTTPS. This only happens once, and occurs because the meta key used to decide if to show the page securely does not exist until it has been converted by the subsequent code. By retrieving the “new” metadata after the conversion it should also perform as expected during the first get request.

    PS I have not heard anything from iThemes. 🙁

    Nando_lavras

    (@nando_lavras)

    12 years ago

    I’ve tried the modification, but my “Enable SSL” checkbox keeps disabling right after i visit the “ssl enabled” page, these occour when i try in the “Per Content” mode…..

    Thanks in advance.

    EDIT: Sorry, your code works!!! I’ve not see a little change in the middle of the code, after change this part too all it’s working as expect.

    Thanks a lot!!!!

    wpdv

    (@wpdv)

    12 years ago

    I just removed the original extra line of code I left in there and everything is still working. Thank you very, very much for all of your help!

    Thread Starter ls5302

    (@ls5302)

    12 years ago

    Just updated to 4.0.8 and the original problem persists… but fortunately my revised code still works. Just replace lines 54 to 67 in modules/free/ssl/class-itsec-ssl.php with above code.

    Nando_lavras

    (@nando_lavras)

    12 years ago

    Oh great! New update and the problem persists…. unbelivable! So many problems that they do not know what to fix first

    mfaulk

    (@mfaulk)

    12 years ago

    I had the same issues, and using ls5302’s fix has worked for the time being.

    Nando_lavras

    (@nando_lavras)

    12 years ago

    HTTPS issue solved in 4.0.10…

    But…. After update to 4.0.10 my google authenticator plugin not work anymore… in the admin login screen there should be a third field to enter the code from google authenticator after this update the field simply disappeared and now I’m going straight with only username and password….

    Damm…. New bug!

    Thread Starter ls5302

    (@ls5302)

    12 years ago

    Official fix is in v4.0.10.

    Code is still a bit sloppy IMHO. On the face of it the elseif could be just an else. However, the code makes repeated calls to delete post metadata which doesn’t exist after the initial update. This happens for every single non-SSL page.

    Checking $bwps_ssl is not an empty string rather then not equal to 1 in the elseif would avoid this.

    From WP Docs:

    If there is nothing to return the function will return an empty array unless $single has been set to true, in which case an empty string is returned.

    respectyoda

    (@respectyoda)

    12 years ago

    ls5302, I have a question. If I set the option in Better WPS for the backend to be served under HTTPS, but later I decide to not have it be served under HTTPS, how can I ensure that the backend will be served under plain HTTP? I deleted this from wp-config.php just to make sure:

    define('FORCE_SSL_ADMIN', true);

    But the backend is still served under HTTPS.

    verhijden

    (@verhijden)

    11 years, 11 months ago

    I still have have the problem in V4.1.5.

    I can not set the SSL flag in pages…. ;-(

Viewing 15 replies - 1 through 15 (of 15 total)

The topic ‘Issue with update code and HTTPS redirect’ is closed to new replies.