Connection: Loose Comparison for Port Number in Signatures #14111
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ures When WordPress is hosted behind a reverse proxy, we ask site owners to add a `X-Forwarded-Port` header from the reverse proxy to the origin so that Jetpack can know what port to use in the signature's input. We also allow site owners to define `JETPACK_SIGNATURE__HTTPS_PORT` and `JETPACK_SIGNATURE__HTTP_PORT` constants if adding a header is not possible. Often, site owners will add the following snippet to their wp-config.php to make use of those constants: ``` define( 'JETPACK_SIGNATURE__HTTP_PORT', $_SERVER['SERVER_PORT'] ); define( 'JETPACK_SIGNATURE__HTTPS_PORT', $_SERVER['SERVER_PORT'] ); ``` Unfortunately, we broke that snippet in #13489, since we moved to strict comparisons in: * https://github.com/Automattic/jetpack/blob/97cc7bb9b26d4184ba4915efd5928e59d4456b38/packages/connection/legacy/class-jetpack-signature.php#L95 * https://github.com/Automattic/jetpack/blob/97cc7bb9b26d4184ba4915efd5928e59d4456b38/packages/connection/legacy/class-jetpack-signature.php#L102 `$_SERVER['SERVER_PORT']` is a string in most environments, and the new code demands integers. Switch back to loose comparison.
mdawaffe
added
[Type] Bug
|
If we do a point release, this should be in it. |
This is an automated check which relies on |
|
Sorry about the |
|
Jetpack e2e tests were complaining about that change, so we figured this fix: #13523, which seems not fixing all the issues |
jeherve
pushed a commit
that referenced
this pull request
Nov 25, 2019
…ures (#14111) When WordPress is hosted behind a reverse proxy, we ask site owners to add a `X-Forwarded-Port` header from the reverse proxy to the origin so that Jetpack can know what port to use in the signature's input. We also allow site owners to define `JETPACK_SIGNATURE__HTTPS_PORT` and `JETPACK_SIGNATURE__HTTP_PORT` constants if adding a header is not possible. Often, site owners will add the following snippet to their wp-config.php to make use of those constants: ``` define( 'JETPACK_SIGNATURE__HTTP_PORT', $_SERVER['SERVER_PORT'] ); define( 'JETPACK_SIGNATURE__HTTPS_PORT', $_SERVER['SERVER_PORT'] ); ``` Unfortunately, we broke that snippet in #13489, since we moved to strict comparisons in: * https://github.com/Automattic/jetpack/blob/97cc7bb9b26d4184ba4915efd5928e59d4456b38/packages/connection/legacy/class-jetpack-signature.php#L95 * https://github.com/Automattic/jetpack/blob/97cc7bb9b26d4184ba4915efd5928e59d4456b38/packages/connection/legacy/class-jetpack-signature.php#L102 `$_SERVER['SERVER_PORT']` is a string in most environments, and the new code demands integers. Switch back to loose comparison.
|
Cherry-picked to |
jeherve
added
[Status] Has Changelog
and removed
[Status] Needs Cherry-Pick
[Status] Needs Package Release
jeherve
added a commit
that referenced
this pull request
Nov 25, 2019
* 8.0 Release: running changelog * Changelog: add #13921 * Changelog: add #13980 * Changelog: add #13905 * Changelog: add #13971 * Changelog: add #13984 * Changelog: add #14009 * Changelog: add #13620 * Remove things that will ship in 7.9.1 * Changelog: add 7.9.1 release (#14044) * Changelog: add base for 7.9.1 release * Update release date and post link * Changelog: add #14066 * Update changelog for 7.9.1 * Changelog: add #13405 * Changelog: add #13841 * Changelog: add #13924 * Changelog: add #13986 * Changelog: add #14010, #14028, #14053, #14055. * Changelog: add #14054 * Changelog: add #14031 * Changelog: add #14039 * Changelog: add #14050 * Changelog: add #14070 * Changelog: add #14082 * Changelog: add #14084 * Changelog: add #14111 * Changelog: add #13961 * Changelog: add #14047 * Changelog: add #14091 * Changelog: add #14108 * Changelog: add #14121
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this Pull Request:
When WordPress is hosted behind a reverse proxy, we ask site owners to add a
X-Forwarded-Portheader from the reverse proxy to the origin so that Jetpack can know what port to use in the signature's input.We also allow site owners to define
JETPACK_SIGNATURE__HTTPS_PORTandJETPACK_SIGNATURE__HTTP_PORTconstants if adding a header is not possible.Often, site owners will add the following snippet to their wp-config.php to make use of those constants:
Unfortunately, we broke that snippet in #13489, since we moved to strict comparisons in:
jetpack/packages/connection/legacy/class-jetpack-signature.php
Line 95 in 97cc7bb
jetpack/packages/connection/legacy/class-jetpack-signature.php
Line 103 in 97cc7bb
$_SERVER['SERVER_PORT']is a string in most environments, and the new code demands integers.Switch back to loose comparison.
Is this a new feature or does it add/remove features to an existing part of Jetpack?
No: bug fix
Testing instructions:
There's not a good way to test this unless you have a site running on a custom port behind a reverse proxy running on a normal port :(
Proposed changelog entry for your changes: