[HTTPS-E Rulesets] WordPress ruleset fix

Alexander Gieg alexgieg at gmail.com
Sun Aug 21 08:45:05 PDT 2011


Dear all,

I found an error in how the WordPress ruleset handles certain requests
to subdomains of wordpress.org. Here's a description of the problem,
how it can be reproduced, and a working fix to the ruleset:

A few WordPress addons have the option of using services available in
subdomains of wordpress.org. One such addon is "WP LaTeX", found at
http://wordpress.org/extend/plugins/wp-latex/, which allows one to
write equations using LaTeX syntax and get them rendered as an image of
the actual equation. Now, unless the blog owner installs LaTeX on his
own server, which isn't usually possible, such images render from
"http://s.wordpress.com/latex.php?...". The problem then is that the
current WordPress ruleset rewrites such links as
"https://wordpress.com/latex.php?...", causing the process to fail and
resulting in the rendering of scary red-on-yellow warnings.

You can see an example of this at the http://www.askamathematician.com
blog, which relies heavily on WP LaTeX-rendered images. Go there with
the WordPress ruleset enabled, and you'll see the text filled with
warning messages. Disable the WordPress ruleset, and all works fine.

I've checked whether the "s.wordpress.com" subdomain can be accessed
via HTTPS. It can, and the images render properly, but the certificate
is invalid, so that isn't an option. Looking at the current ruleset I
saw a reference to "s-ssl.wordpress.com", so I tried it and it worked
flawlessly. Thus, here's a patched version of the WordPress ruleset
with the second rule changed from redirecting "http://s.wordpress.*"
to "https://wordpress.*", to redirecting it to
"https://s-ssl.wordpress.*". I've tested it and, at least in the
above-mentioned blog, it works fine, but I guess more testing is needed
to be sure it doesn't cause breakage elsewhere:

<ruleset name="WordPress">
  <target host="wordpress.com" />
  <target host="*.wordpress.com" />
  <target host="wordpress.org" />
  <target host="*.wordpress.org" />
  <target host="*.trac.wordpress.org" />
  <target host="*.svn.wordpress.org" />
  <target host="*.files.wordpress.com" />
  <target host="*.wp.com" />

  <exclusion pattern="^http://([^/:@]*)\.blog\.wordpress\.com/"/>
  <exclusion pattern="^http://([^/:@]*)\.blog\.files\.wordpress\.com/"/>
  <exclusion pattern="^http://([^/:@]*)\.forums\.wordpress\.com/"/>
  <exclusion pattern="^http://([^/:@]*)\.support\.wordpress\.com/"/>

  <rule from="^http://wordpress\.(com|org)/"
      to="https://wordpress.$1/"/>
  <rule from="^http://s\.wordpress\.(com|org)/"
      to="https://s-ssl.wordpress.$1/"/>
  <rule from="^http://s[0-9]\.wordpress\.(com|org)/"
      to="https://secure.wordpress.$1/"/>
  <rule from="^http://([^/:@]+)\.wordpress\.(com|org)/"
      to="https://$1.wordpress.$2/"/>
  <rule from="^http://([^/:@]+)\.(trac|svn)\.wordpress\.org/"
      to="https://$1.$2.wordpress.org/"/>
  <rule from="^http://([^/:@]+)\.files\.wordpress\.com/"
      to="https://$1.files.wordpress.com/"/>
  <rule from="^http://s\d*\.wp\.com/(\?custom-css|i/|wp-content/|wp-includes/)"
      to="https://s-ssl.wordpress.com/$1" />
</ruleset>
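To make the effect of the changed second rule concrete, here is an added example (not part of this message and not the HTTPS Everywhere extension's own code) that evaluates the <exclusion> and <rule> elements of the ruleset above against a few constructed URLs, comparing the patched ruleset with the previous version whose second rule pointed at "https://wordpress.$1/". It assumes the extension's first-matching-rule semantics, reads the attributes with a minimal regex-based extractor rather than a real XML parser, and omits <target> matching; the sample URLs and the `parseRuleset`/`rewrite`/`demo` names are the example's own.

```javascript
// Added example: minimal evaluator for HTTPS Everywhere <exclusion>/<rule>
// semantics, run over constructed sample URLs. Not the extension's code.
// Assumptions: rules are tried in order and the first match is applied;
// <target> host matching is skipped; attributes are pulled out with regexes.

// The patched ruleset from the message (targets omitted). String.raw keeps
// the backslashes in the regex attributes intact; "$1" is plain text here.
const PATCHED_RULESET = String.raw`
<ruleset name="WordPress">
  <exclusion pattern="^http://([^/:@]*)\.blog\.wordpress\.com/"/>
  <exclusion pattern="^http://([^/:@]*)\.blog\.files\.wordpress\.com/"/>
  <exclusion pattern="^http://([^/:@]*)\.forums\.wordpress\.com/"/>
  <exclusion pattern="^http://([^/:@]*)\.support\.wordpress\.com/"/>
  <rule from="^http://wordpress\.(com|org)/"
        to="https://wordpress.$1/"/>
  <rule from="^http://s\.wordpress\.(com|org)/"
        to="https://s-ssl.wordpress.$1/"/>
  <rule from="^http://s[0-9]\.wordpress\.(com|org)/"
        to="https://secure.wordpress.$1/"/>
  <rule from="^http://([^/:@]+)\.wordpress\.(com|org)/"
        to="https://$1.wordpress.$2/"/>
  <rule from="^http://([^/:@]+)\.(trac|svn)\.wordpress\.org/"
        to="https://$1.$2.wordpress.org/"/>
  <rule from="^http://([^/:@]+)\.files\.wordpress\.com/"
        to="https://$1.files.wordpress.com/"/>
  <rule from="^http://s\d*\.wp\.com/(\?custom-css|i/|wp-content/|wp-includes/)"
        to="https://s-ssl.wordpress.com/$1" />
</ruleset>`;

// The pre-fix ruleset differed only in the second rule's "to" target.
// A replacer function is used so that "$1" is not interpreted by replace().
const OLD_RULESET = PATCHED_RULESET.replace(
  'to="https://s-ssl.wordpress.$1/"',
  () => 'to="https://wordpress.$1/"'
);

// Extract exclusion patterns and from/to rule pairs (order preserved).
function parseRuleset(xml) {
  const exclusions = [...xml.matchAll(/<exclusion\s+pattern="([^"]*)"/g)]
    .map((m) => new RegExp(m[1]));
  const rules = [...xml.matchAll(/<rule\s+from="([^"]*)"\s+to="([^"]*)"/g)]
    .map((m) => ({ from: new RegExp(m[1]), to: m[2] }));
  return { exclusions, rules };
}

// Apply a ruleset to one URL: exclusions win outright, otherwise the first
// matching rule rewrites the URL. String.replace honours "$1"/"$2" exactly
// as the ruleset "to" attributes intend.
function rewrite(ruleset, url) {
  if (ruleset.exclusions.some((re) => re.test(url))) return url;
  for (const { from, to } of ruleset.rules) {
    if (from.test(url)) return url.replace(from, to);
  }
  return url;
}

// Constructed sample URLs covering the reported case plus a few rule paths.
const SAMPLE_URLS = [
  "http://s.wordpress.com/latex.php?latex=x%5E2&bg=ffffff", // WP LaTeX image
  "http://foo.blog.wordpress.com/post/",                    // excluded host
  "http://s3.wordpress.org/x.png",                          // s[0-9] rule
  "http://s2.wp.com/i/foo.png",                             // wp.com CDN rule
  "http://example.com/",                                    // no rule applies
];

// Compare old vs patched rewriting for every sample URL.
function demo() {
  const oldRs = parseRuleset(OLD_RULESET);
  const newRs = parseRuleset(PATCHED_RULESET);
  return SAMPLE_URLS.map((url) => ({
    url,
    old: rewrite(oldRs, url),
    patched: rewrite(newRs, url),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the latex.php URL going to "https://wordpress.com/..." under the old second rule and to "https://s-ssl.wordpress.com/..." under the patched one, while the excluded blog host, the s[0-9] hosts and the wp.com CDN paths are unaffected by the change.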

I hope this helps!

Sincerely,

Alexander Gieg
