# wordpress-1.2.2-httpsify.patch v1.0 # by Gunnlaugur Thor Briem || http://fugato.net/ # # This patch applies against WordPress 1.2.2 and makes the # login and admin interface protected by https, while leaving # the rest (including comments) usable through plain http. # # Yes, there may be better approaches to achieving this goal, # but I didn't find one in a quick googling. :) # # Apply by going to your htdocs (or wherever your WordPress # installation is located) and typing: # # patch -p 6 < /path/to/httpsify.patch # # (If you are running on Windows, you may need to install the # patch command to do this. Can't help you there.) # # I hope this is useful to somebody. Please send any # suggestions or corrections my way: # gthb at confuse those evil spam robots hi.is diff -urN usr/share/webapps/wordpress/1.2/htdocs/index.php /usr/share/webapps/wordpress/1.2/htdocs/index.php --- usr/share/webapps/wordpress/1.2/htdocs/index.php 2004-11-28 03:38:50.000000000 +0000 +++ /usr/share/webapps/wordpress/1.2/htdocs/index.php 2004-07-11 17:41:07.000000000 +0000 @@ -12,10 +12,10 @@ - + @@ -90,8 +90,8 @@
•
diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-admin/admin-functions.php /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/admin-functions.php
--- usr/share/webapps/wordpress/1.2/htdocs/wp-admin/admin-functions.php 2004-11-28 03:38:50.000000000 +0000
+++ /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/admin-functions.php 2004-09-11 22:20:03.000000000 +0000
@@ -368,7 +368,7 @@
 }
 function check_admin_referer() {
- $adminurl = strtolower(get_settings('siteurl')).'/wp-admin';
+ $adminurl = strtolower(httpsify(get_settings('siteurl'))).'/wp-admin';
 $referer = strtolower($_SERVER['HTTP_REFERER']);
 if ( !strstr($referer, $adminurl) ) {
 die('Sorry, you need to enable sending referrers, for this feature to work.');
diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-admin/auth.php /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/auth.php
--- usr/share/webapps/wordpress/1.2/htdocs/wp-admin/auth.php 2004-11-28 03:38:50.000000000 +0000
+++ /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/auth.php 2004-09-11 22:20:56.000000000 +0000
@@ -8,7 +8,7 @@
 header('Cache-Control: no-cache, must-revalidate');
 header('Pragma: no-cache');
- header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
+ header('Location: ' . httpsify(get_settings('siteurl')) . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
 exit();
 }
diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-admin/index.php /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/index.php
--- usr/share/webapps/wordpress/1.2/htdocs/wp-admin/index.php 2004-11-28 03:38:50.000000000 +0000
+++ /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/index.php 2004-09-11 22:21:25.000000000 +0000
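Review bot: The referer check in check_admin_referer still accepts `$adminurl` anywhere inside the referer, because `strstr` is a substring test, so switching the expected value to the https form does not turn it into an origin check; a referer that merely contains the admin URL somewhere after its own host still passes. Anchoring the comparison to the start of the string is a one-line change: `if ( strpos($referer, $adminurl) !== 0 ) {`. The lookup of `$_SERVER['HTTP_REFERER']` on the next context line also raises a notice when no referer is sent; `$referer = strtolower(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');` keeps the die path clean. check_admin_referer's body continues past the end of the hunk.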
@@ -6,9 +6,9 @@
 get_currentuserinfo();
 if (0 == $user_level) {
- $redirect_to = get_settings('siteurl') . '/wp-admin/profile.php';
+ $redirect_to = httpsify(get_settings('siteurl')) . '/wp-admin/profile.php';
 } else {
- $redirect_to = get_settings('siteurl') . '/wp-admin/post.php';
+ $redirect_to = httpsify(get_settings('siteurl')) . '/wp-admin/post.php';
 }
 header ("Location: $redirect_to");
 ?>
\ No newline at end of file
diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-admin/install.php /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/install.php
--- usr/share/webapps/wordpress/1.2/htdocs/wp-admin/install.php 2004-11-28 03:38:50.000000000 +0000
+++ /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/install.php 2004-09-11 22:21:52.000000000 +0000
@@ -748,7 +748,7 @@

    User setup successful!

    -

    Now you can log in with the login +

    Now you can log in with the login "admin" and password "".

    Note that password carefully! It is a random password that was generated just for you. If you lose it, you diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-admin/menu.php /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/menu.php --- usr/share/webapps/wordpress/1.2/htdocs/wp-admin/menu.php 2004-11-28 03:38:50.000000000 +0000 +++ /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/menu.php 2004-07-23 19:50:59.000000000 +0000 @@ -38,7 +38,7 @@ } ?> -

  • »
  • -
  • " title=""> »
  • +
•
diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-admin/profile.php /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/profile.php
--- usr/share/webapps/wordpress/1.2/htdocs/wp-admin/profile.php 2004-11-28 03:38:50.000000000 +0000
+++ /usr/share/webapps/wordpress/1.2/htdocs/wp-admin/profile.php 2004-07-09 16:31:27.000000000 +0000
@@ -79,8 +79,8 @@
 die (__("ERROR: you typed two different passwords. Go back to correct that."));
 $newuser_pass = $_POST["pass1"];
 $updatepassword = "user_pass=MD5('$newuser_pass'), ";
- setcookie('wordpresspass_'.$cookiehash, " ", time() - 31536000, COOKIEPATH);
- setcookie('wordpresspass_'.$cookiehash, md5(md5($newuser_pass)), time() + 31536000, COOKIEPATH);
+ setcookie('wordpresspass_'.$cookiehash, " ", time() - 31536000, COOKIEPATH, $HTTP_HOST, 1);
+ setcookie('wordpresspass_'.$cookiehash, md5(md5($newuser_pass)), time() + 31536000, COOKIEPATH, $HTTP_HOST, 1);
 }
 $newuser_firstname=addslashes(stripslashes($_POST['newuser_firstname']));
diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-includes/functions.php /usr/share/webapps/wordpress/1.2/htdocs/wp-includes/functions.php
--- usr/share/webapps/wordpress/1.2/htdocs/wp-includes/functions.php 2004-11-28 03:38:50.000000000 +0000
+++ /usr/share/webapps/wordpress/1.2/htdocs/wp-includes/functions.php 2004-11-27 17:37:36.000000000 +0000
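Review bot: Passing `$HTTP_HOST` as the cookie domain in both new setcookie calls is fragile: `$HTTP_HOST` is not a superglobal, so unless register_globals is on (or something earlier in the file assigns it, which the hunk does not show) it is undefined and PHP sends no Domain attribute at all, and when it is defined it mirrors the request's Host header including any `:port` suffix, which yields a Domain attribute browsers reject. An empty domain gives the narrower host-only cookie and avoids both problems while keeping the new `secure` flag, so `setcookie('wordpresspass_'.$cookiehash, md5(md5($newuser_pass)), time() + 31536000, COOKIEPATH, '', 1);` and the same for the clearing call above it. The four setcookie calls in the wp-login.php hunks at -48 and -152 have the same issue and would take the same change. The enclosing if-block starts before this hunk.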
@@ -1034,10 +1034,10 @@
 $notify_message .= "URL : $comment->comment_author_url\r\n";
 $notify_message .= "Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=$comment->comment_author_IP\r\n";
 $notify_message .= "Comment:\r\n".stripslashes($comment->comment_content)."\r\n\r\n";
- $notify_message .= "To approve this comment, visit: " . get_settings('siteurl') . "/wp-admin/post.php?action=mailapprovecomment&p=".$comment->comment_post_ID."&comment=$comment_id\r\n";
- $notify_message .= "To delete this comment, visit: " . get_settings('siteurl') . "/wp-admin/post.php?action=confirmdeletecomment&p=".$comment->comment_post_ID."&comment=$comment_id\r\n";
+ $notify_message .= "To approve this comment, visit: " . httpsify(get_settings('siteurl')) . "/wp-admin/post.php?action=mailapprovecomment&p=".$comment->comment_post_ID."&comment=$comment_id\r\n";
+ $notify_message .= "To delete this comment, visit: " . httpsify(get_settings('siteurl')) . "/wp-admin/post.php?action=confirmdeletecomment&p=".$comment->comment_post_ID."&comment=$comment_id\r\n";
 $notify_message .= "Currently $comments_waiting comments are waiting for approval. Please visit the moderation panel:\r\n";
- $notify_message .= get_settings('siteurl') . "/wp-admin/moderation.php\r\n";
+ $notify_message .= httpsify(get_settings('siteurl')) . "/wp-admin/moderation.php\r\n";
 $subject = '[' . stripslashes(get_settings('blogname')) . '] Please approve: "' .stripslashes($post->post_title).'"';
 $admin_email = get_settings("admin_email");
@@ -1425,4 +1425,34 @@
 return $text;
 }
-?>
\ No newline at end of file
+// Enable/disable HTTPS for admin pages
+$is_https_admin = true;
+function httpsify($url) {
+# if($is_https_admin) {
+ return preg_replace('/http:\/\//i', "https://", $url);
+# } else {
+# return $url;
+# }
+}
+
+function is_obvious_spam_url($url)
+{
+ if('http://www.golimar.com' == $url) return true;
+ if(strpos($url, 'poker') !== false) return true;
+ if(strpos($url, 'hold-em') !== false) return true;
+ if(strpos($url, 'holdem') !== false) return true;
+ if(strpos($url, 'holdem') !== false) return true;
+ if(strpos($url, '.ownsthis.com') !== false) return true;
+ if(strpos($url, 'phentermine') !== false) return true;
+ if(strpos($url, '.yoll.net') !== false) return true;
+ if(strpos($url, '.8i.com') !== false) return true;
+ return false;
+}
+
+function is_obvious_spammer_email($email)
+{
+ if(strncmp($email, 'byob', 4) == 0) return true;
+ return false;
+}
+
+?>
diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-includes/template-functions-links.php /usr/share/webapps/wordpress/1.2/htdocs/wp-includes/template-functions-links.php
--- usr/share/webapps/wordpress/1.2/htdocs/wp-includes/template-functions-links.php 2004-11-28 03:38:50.000000000 +0000
+++ /usr/share/webapps/wordpress/1.2/htdocs/wp-includes/template-functions-links.php 2004-09-11 22:23:42.000000000 +0000
@@ -130,7 +130,7 @@
 return;
 }
- $location = get_settings('siteurl') . "/wp-admin/post.php?action=edit&post=$post->ID";
+ $location = httpsify(get_settings('siteurl')) . "/wp-admin/post.php?action=edit&post=$post->ID";
 echo "$before $link $after";
 }
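Review bot: `httpsify` rewrites every `http://` occurrence in its argument rather than only the scheme, and the `$is_https_admin` switch its header comment promises is commented out — as written it could not work anyway, because the global is not visible inside the function without a `global $is_https_admin;` declaration. Anchoring the pattern and declaring the global makes the toggle real and keeps the rewrite to the URL prefix. Separately, `is_obvious_spam_url` repeats the `holdem` test on consecutive lines (the second is dead) and compares a string with `==` where `===` is meant, and both spam-filter helpers are unrelated to the patch's stated purpose; they would be easier to review as their own change.
```php
// Enable/disable HTTPS for admin pages
$is_https_admin = true;
function httpsify($url) {
	global $is_https_admin;
	if (!$is_https_admin) {
		return $url;
	}
	// Anchored so only the scheme is rewritten, not a later "http://" inside the URL.
	return preg_replace('/^http:\/\//i', 'https://', $url);
}
// … unchanged: is_obvious_spam_url, is_obvious_spammer_email …
```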
@@ -148,7 +148,7 @@
 return;
 }
- $location = get_settings('siteurl') . "/wp-admin/post.php?action=editcomment&comment=$comment->comment_ID";
+ $location = httpsify(get_settings('siteurl')) . "/wp-admin/post.php?action=editcomment&comment=$comment->comment_ID";
 echo "$before $link $after";
 }
diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-includes/vars.php /usr/share/webapps/wordpress/1.2/htdocs/wp-includes/vars.php
--- usr/share/webapps/wordpress/1.2/htdocs/wp-includes/vars.php 2004-11-28 03:38:50.000000000 +0000
+++ /usr/share/webapps/wordpress/1.2/htdocs/wp-includes/vars.php 2004-09-11 22:24:09.000000000 +0000
@@ -173,7 +173,7 @@
 }
 // Path for cookies
-define('COOKIEPATH', preg_replace('|http://[^/]+|i', '', get_settings('home') . '/' ) );
+define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_settings('home') . '/' ) );
 // Some default filters
 add_filter('category_description', 'wptexturize');
diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-login.php /usr/share/webapps/wordpress/1.2/htdocs/wp-login.php
--- usr/share/webapps/wordpress/1.2/htdocs/wp-login.php 2004-11-28 03:38:50.000000000 +0000
+++ /usr/share/webapps/wordpress/1.2/htdocs/wp-login.php 2004-07-11 18:16:00.000000000 +0000
@@ -1,6 +1,14 @@ $v) {
@@ -48,13 +56,13 @@
 case 'logout':
- setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH);
- setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH);
+ setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, $HTTP_HOST, 1);
+ setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, $HTTP_HOST, 1);
 if ($is_IIS)
- header('Refresh: 0;url=wp-login.php');
+ header('Refresh: 0;url=' . httpsify(get_settings('siteurl')) . '/wp-login.php');
 else
- header('Location: wp-login.php');
+ header('Location: ' . httpsify(get_settings('siteurl')) . '/wp-login.php');
 exit();
 break;
@@ -115,7 +123,7 @@
 $wpdb->query("UPDATE $wpdb->users SET user_pass = MD5('$user_pass') WHERE user_login = '$user_login'");
 $message = __('Login') . ": $user_login\r\n";
 $message .= __('Password') . ": $user_pass\r\n";
- $message .= get_settings('siteurl') . '/wp-login.php';
+ $message .= httpsify(get_settings('siteurl')) . '/wp-login.php';
 $m = wp_mail($user_email, sprintf(__("[%s] Your login and password"), get_settings('blogname')), $message);
@@ -152,20 +160,20 @@
 $user_pass = $_COOKIE['wordpresspass_' . COOKIEHASH];
 $using_cookie = true;
 }
- $redirect_to = 'wp-admin/';
+ $redirect_to = httpsify(get_settings('siteurl')) . '/wp-admin/';
 }
 $user = get_userdatabylogin($user_login);
 if (0 == $user->user_level) {
- $redirect_to = get_settings('siteurl') . '/wp-admin/profile.php';
+ $redirect_to = httpsify(get_settings('siteurl')) . '/wp-admin/profile.php';
 }
 if ($user_login && $user_pass) {
 if ( wp_login($user_login, $user_pass, $using_cookie) ) {
 if (! $using_cookie) {
 $user_pass = md5(md5($user_pass)); // Double hash the password in the cookie.
- setcookie('wordpressuser_'. COOKIEHASH, $user_login, time() + 31536000, COOKIEPATH);
- setcookie('wordpresspass_'. COOKIEHASH, $user_pass, time() + 31536000, COOKIEPATH);
+ setcookie('wordpressuser_'. COOKIEHASH, $user_login, time() + 31536000, COOKIEPATH, $HTTP_HOST, 1);
+ setcookie('wordpresspass_'. COOKIEHASH, $user_pass, time() + 31536000, COOKIEPATH, $HTTP_HOST, 1);
 }
 if ($is_IIS)
@@ -217,9 +225,9 @@
diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp-register.php /usr/share/webapps/wordpress/1.2/htdocs/wp-register.php
--- usr/share/webapps/wordpress/1.2/htdocs/wp-register.php 2004-11-28 03:38:50.000000000 +0000
+++ /usr/share/webapps/wordpress/1.2/htdocs/wp-register.php 2004-09-11 22:25:05.000000000 +0000
@@ -1,6 +1,14 @@ $v) {
 if (is_array($v)) {
@@ -146,7 +154,7 @@


    - +

    // trackback is done by a POST $request_array = 'HTTP_POST_VARS'; diff -urN usr/share/webapps/wordpress/1.2/htdocs/wp.php /usr/share/webapps/wordpress/1.2/htdocs/wp.php --- usr/share/webapps/wordpress/1.2/htdocs/wp.php 2004-11-28 03:38:50.000000000 +0000 +++ /usr/share/webapps/wordpress/1.2/htdocs/wp.php 2004-09-11 22:25:34.000000000 +0000 @@ -35,7 +35,7 @@
    Powered by Wordpress

    -login
    +login
    register