Skip to content

Commit 9d9ecdf

Browse files
committed
v1.4.1: sanitize forwarded-proto input, fix WPCS style violations
- Wrap $_SERVER['HTTP_X_FORWARDED_PROTO'] read in wp_unslash()/sanitize_text_field() - Flip 4 comparisons to Yoda condition style - Add missing @Package docblock tag, fix docblock spacing - No functional/behavioral changes from v1.4.0
1 parent b7ddb3d commit 9d9ecdf

2 files changed

Lines changed: 50 additions & 27 deletions

File tree

CHANGELOG.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,12 @@
22

33
All notable changes to this project will be documented in this file.
44

5+
## [1.4.1] - 2026-06-19
6+
### Changed
7+
- `$_SERVER['HTTP_X_FORWARDED_PROTO']` is now unslashed and sanitized before use, following WPCS input-handling conventions (no functional or security impact — the value was only used in a string comparison; behavior is identical to v1.4.0)
8+
- Flipped four comparisons to Yoda condition style (no behavior change)
9+
- Added missing `@package` docblock tag and corrected docblock spacing (code-style only)
10+
511
## [1.4] - 2026-06-19
612
### Fixed
713
- HTTPS detection no longer uses a hostname-based heuristic (checking for a dot in `HTTP_HOST`). It now relies exclusively on a genuine `X-Forwarded-Proto: https` header, preventing false HTTPS detection on direct, non-proxied connections.

proxy-aware-https-fix.php

Lines changed: 44 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -1,39 +1,56 @@
11
<?php
2-
32
/**
43
* Plugin Name: Proxy-Aware HTTPS Fix
54
* Description: Enforces HTTPS detection and correct REST API resolution behind reverse proxies.
6-
* Version: 1.4
5+
* Version: 1.4.1
76
* Author: BitCryptic
7+
*
8+
* @package Proxy_Aware_Https_Fix
89
*/
910

10-
if (defined('WP_CLI') && WP_CLI) return;
11+
if ( defined( 'WP_CLI' ) && WP_CLI ) {
12+
return;
13+
}
1114

12-
add_action('plugins_loaded', function() {
13-
$proto = $_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '';
15+
add_action(
16+
'plugins_loaded',
17+
function () {
18+
$proto = isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
19+
? sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) )
20+
: '';
1421

15-
if (
16-
(!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') &&
17-
$proto === 'https'
18-
) {
19-
$_SERVER['HTTPS'] = 'on';
20-
}
21-
});
22+
if (
23+
( ! isset( $_SERVER['HTTPS'] ) || 'on' !== $_SERVER['HTTPS'] ) &&
24+
'https' === $proto
25+
) {
26+
$_SERVER['HTTPS'] = 'on';
27+
}
28+
}
29+
);
2230

23-
add_filter('home_url', function($url) {
24-
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
25-
return str_starts_with($url, 'http:') ? 'https:' . substr($url, 5) : $url;
26-
}
27-
return $url;
28-
});
31+
add_filter(
32+
'home_url',
33+
function ( $url ) {
34+
if ( ! empty( $_SERVER['HTTPS'] ) && 'on' === $_SERVER['HTTPS'] ) {
35+
return str_starts_with( $url, 'http:' ) ? 'https:' . substr( $url, 5 ) : $url;
36+
}
37+
return $url;
38+
}
39+
);
2940

30-
add_filter('site_url', function($url) {
31-
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
32-
return str_starts_with($url, 'http:') ? 'https:' . substr($url, 5) : $url;
33-
}
34-
return $url;
35-
});
41+
add_filter(
42+
'site_url',
43+
function ( $url ) {
44+
if ( ! empty( $_SERVER['HTTPS'] ) && 'on' === $_SERVER['HTTPS'] ) {
45+
return str_starts_with( $url, 'http:' ) ? 'https:' . substr( $url, 5 ) : $url;
46+
}
47+
return $url;
48+
}
49+
);
3650

37-
add_filter('rank_math/rest_api_url', function() {
38-
return get_site_url(null, '/wp-json/');
39-
});
51+
add_filter(
52+
'rank_math/rest_api_url',
53+
function () {
54+
return get_site_url( null, '/wp-json/' );
55+
}
56+
);

0 commit comments

Comments
 (0)