[Summary view] [Print] [Text view]

   1  <?php
   2  /**
   3   * HTTPS detection functions.
   4   *
   5   * @package WordPress
   6   * @since 5.7.0
   7   */
   8  
   9  /**
  10   * Checks whether the website is using HTTPS.
  11   *
  12   * This is based on whether both the home and site URL are using HTTPS.
  13   *
  14   * @since 5.7.0
  15   * @see wp_is_home_url_using_https()
  16   * @see wp_is_site_url_using_https()
  17   *
  18   * @return bool True if using HTTPS, false otherwise.
  19   */
  20  function wp_is_using_https() {
  21      if ( ! wp_is_home_url_using_https() ) {
  22          return false;
  23      }
  24  
  25      return wp_is_site_url_using_https();
  26  }
  27  
  28  /**
  29   * Checks whether the current site URL is using HTTPS.
  30   *
  31   * @since 5.7.0
  32   * @see home_url()
  33   *
  34   * @return bool True if using HTTPS, false otherwise.
  35   */
  36  function wp_is_home_url_using_https() {
  37      return 'https' === wp_parse_url( home_url(), PHP_URL_SCHEME );
  38  }
  39  
  40  /**
  41   * Checks whether the current site's URL where WordPress is stored is using HTTPS.
  42   *
  43   * This checks the URL where WordPress application files (e.g. wp-blog-header.php or the wp-admin/ folder)
  44   * are accessible.
  45   *
  46   * @since 5.7.0
  47   * @see site_url()
  48   *
  49   * @return bool True if using HTTPS, false otherwise.
  50   */
  51  function wp_is_site_url_using_https() {
  52      /*
  53       * Use direct option access for 'siteurl' and manually run the 'site_url'
  54       * filter because `site_url()` will adjust the scheme based on what the
  55       * current request is using.
  56       */
  57      /** This filter is documented in wp-includes/link-template.php */
  58      $site_url = apply_filters( 'site_url', get_option( 'siteurl' ), '', null, null );
  59  
  60      return 'https' === wp_parse_url( $site_url, PHP_URL_SCHEME );
  61  }
  62  
  63  /**
  64   * Checks whether HTTPS is supported for the server and domain.
  65   *
  66   * This function makes an HTTP request through `wp_get_https_detection_errors()`
  67   * to check for HTTPS support. As this process can be resource-intensive,
  68   * it should be used cautiously, especially in performance-sensitive environments,
  69   * to avoid potential latency issues.
  70   *
  71   * @since 5.7.0
  72   *
  73   * @return bool True if HTTPS is supported, false otherwise.
  74   */
  75  function wp_is_https_supported() {
  76      $https_detection_errors = wp_get_https_detection_errors();
  77  
  78      // If there are errors, HTTPS is not supported.
  79      return empty( $https_detection_errors );
  80  }
  81  
  82  /**
  83   * Runs a remote HTTPS request to detect whether HTTPS supported, and stores potential errors.
  84   *
  85   * This function checks for HTTPS support by making an HTTP request. As this process can be resource-intensive,
  86   * it should be used cautiously, especially in performance-sensitive environments.
  87   * It is called when HTTPS support needs to be validated.
  88   *
  89   * @since 6.4.0
  90   * @access private
  91   *
  92   * @return array An array containing potential detection errors related to HTTPS, or an empty array if no errors are found.
  93   */
  94  function wp_get_https_detection_errors() {
  95      /**
  96       * Short-circuits the process of detecting errors related to HTTPS support.
  97       *
  98       * Returning a `WP_Error` from the filter will effectively short-circuit the default logic of trying a remote
  99       * request to the site over HTTPS, storing the errors array from the returned `WP_Error` instead.
 100       *
 101       * @since 6.4.0
 102       *
 103       * @param null|WP_Error $pre Error object to short-circuit detection,
 104       *                           or null to continue with the default behavior.
 105       * @return null|WP_Error Error object if HTTPS detection errors are found, null otherwise.
 106       */
 107      $support_errors = apply_filters( 'pre_wp_get_https_detection_errors', null );
 108      if ( is_wp_error( $support_errors ) ) {
 109          return $support_errors->errors;
 110      }
 111  
 112      $support_errors = new WP_Error();
 113  
 114      $response = wp_remote_request(
 115          home_url( '/', 'https' ),
 116          array(
 117              'headers'   => array(
 118                  'Cache-Control' => 'no-cache',
 119              ),
 120              'sslverify' => true,
 121          )
 122      );
 123  
 124      if ( is_wp_error( $response ) ) {
 125          $unverified_response = wp_remote_request(
 126              home_url( '/', 'https' ),
 127              array(
 128                  'headers'   => array(
 129                      'Cache-Control' => 'no-cache',
 130                  ),
 131                  'sslverify' => false,
 132              )
 133          );
 134  
 135          if ( is_wp_error( $unverified_response ) ) {
 136              $support_errors->add(
 137                  'https_request_failed',
 138                  __( 'HTTPS request failed.' )
 139              );
 140          } else {
 141              $support_errors->add(
 142                  'ssl_verification_failed',
 143                  __( 'SSL verification failed.' )
 144              );
 145          }
 146  
 147          $response = $unverified_response;
 148      }
 149  
 150      if ( ! is_wp_error( $response ) ) {
 151          if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
 152              $support_errors->add( 'bad_response_code', wp_remote_retrieve_response_message( $response ) );
 153          } elseif ( false === wp_is_local_html_output( wp_remote_retrieve_body( $response ) ) ) {
 154              $support_errors->add( 'bad_response_source', __( 'It looks like the response did not come from this site.' ) );
 155          }
 156      }
 157  
 158      return $support_errors->errors;
 159  }
 160  
 161  /**
 162   * Checks whether a given HTML string is likely an output from this WordPress site.
 163   *
 164   * This function attempts to check for various common WordPress patterns whether they are included in the HTML string.
 165   * Since any of these actions may be disabled through third-party code, this function may also return null to indicate
 166   * that it was not possible to determine ownership.
 167   *
 168   * @since 5.7.0
 169   * @access private
 170   *
 171   * @param string $html Full HTML output string, e.g. from a HTTP response.
 172   * @return bool|null True/false for whether HTML was generated by this site, null if unable to determine.
 173   */
 174  function wp_is_local_html_output( $html ) {
 175      // 1. Check if HTML includes the site's Really Simple Discovery link.
 176      if ( has_action( 'wp_head', 'rsd_link' ) ) {
 177          $pattern = preg_replace( '#^https?:(?=//)#', '', esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ) ); // See rsd_link().
 178          return str_contains( $html, $pattern );
 179      }
 180  
 181      // 2. Check if HTML includes the site's REST API link.
 182      if ( has_action( 'wp_head', 'rest_output_link_wp_head' ) ) {
 183          // Try both HTTPS and HTTP since the URL depends on context.
 184          $pattern = preg_replace( '#^https?:(?=//)#', '', esc_url( get_rest_url() ) ); // See rest_output_link_wp_head().
 185          return str_contains( $html, $pattern );
 186      }
 187  
 188      // Otherwise the result cannot be determined.
 189      return null;
 190  }