Fix feed location check and force HTTPS over HTTP.#1115
Fix feed location check and force HTTPS over HTTP.#1115message-dimke wants to merge 7 commits intodevelopfrom
Conversation
…reating the initial feed URL when posting it to Pinterest.
github-actions
Bot
added
changelog: fix
message-dimke
changed the title
get_site_url with wp_get_upload_dir as we use it when c…
|
If a site doesn't use HTTPS, what will happen? Would it make sense to check |
|
Also is this a draft still? |
|
Hey, @layoutd ! I believe that for any e-commerce store SSL is a must. Most payment gateways require it, etc. To my understanding |
There was a problem hiding this comment.
Pull request overview
This PR updates how the plugin detects/matches feed “location” URLs by basing comparisons on the uploads base URL (via wp_get_upload_dir()) instead of the site URL, and normalizes the feed URL scheme to HTTPS to avoid mismatches from HTTP upload URLs.
Changes:
- Update feed location matching logic to use uploads
baseurl+PINTEREST_FOR_WOOCOMMERCE_LOG_PREFIXprefix (instead ofget_site_url()). - Force HTTPS scheme when building local feed URLs and when matching feed locations.
- Update unit tests to mock uploads
baseurlvia theupload_dirfilter.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| tests/Unit/FeedsTest.php | Adjusts tests to stub uploads base URL via upload_dir filter for feed-location matching. |
| src/LocalFeedConfigs.php | Forces HTTPS when generating the feed URL base derived from uploads baseurl. |
| src/Feeds.php | Switches feed location matching from get_site_url() to uploads baseurl + prefix, forcing HTTPS. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| } | ||
|
|
||
| return 0 === strpos( $feed['location'] ?? '', get_site_url() ); | ||
| // Some sites may be misconfigured and return HTTP schema for the feed location URL. We force it to become HTTPS. |
There was a problem hiding this comment.
The comment says "HTTP schema", but for URLs the correct term is "scheme". Please update to avoid confusion.
| // Some sites may be misconfigured and return HTTP schema for the feed location URL. We force it to become HTTPS. | |
| // Some sites may be misconfigured and return HTTP scheme for the feed location URL. We force it to become HTTPS. |
| // Some sites may be misconfigured and return HTTP schema for the feed location URL. We force it to become HTTPS. | ||
| $force_https = str_replace( 'http:', 'https:', wp_get_upload_dir()['baseurl'] ); | ||
| $feed_location = trailingslashit( $force_https ) . PINTEREST_FOR_WOOCOMMERCE_LOG_PREFIX . '-'; | ||
|
|
||
| return 0 === strpos( $feed['location'] ?? '', $feed_location ); |
There was a problem hiding this comment.
does_feed_match() is called inside loops over remote feeds; calling wp_get_upload_dir() each time can be unnecessarily expensive and may behave inconsistently if upload_dir is filtered dynamically. Consider computing the normalized base URL/prefix once (e.g., in the caller or via a cached/static value) and reusing it for all comparisons.
| // Some sites may be misconfigured and return HTTP schema for the feed location URL. We force it to become HTTPS. | |
| $force_https = str_replace( 'http:', 'https:', wp_get_upload_dir()['baseurl'] ); | |
| $feed_location = trailingslashit( $force_https ) . PINTEREST_FOR_WOOCOMMERCE_LOG_PREFIX . '-'; | |
| return 0 === strpos( $feed['location'] ?? '', $feed_location ); | |
| static $feed_location_prefix = null; | |
| if ( null === $feed_location_prefix ) { | |
| // Some sites may be misconfigured and return HTTP schema for the feed location URL. We force it to become HTTPS. | |
| $force_https = str_replace( 'http:', 'https:', wp_get_upload_dir()['baseurl'] ); | |
| $feed_location_prefix = trailingslashit( $force_https ) . PINTEREST_FOR_WOOCOMMERCE_LOG_PREFIX . '-'; | |
| } | |
| return 0 === strpos( $feed['location'] ?? '', $feed_location_prefix ); |
| $file_name_base = trailingslashit( wp_get_upload_dir()['basedir'] ) . PINTEREST_FOR_WOOCOMMERCE_LOG_PREFIX . '-'; | ||
| $url_base = trailingslashit( wp_get_upload_dir()['baseurl'] ) . PINTEREST_FOR_WOOCOMMERCE_LOG_PREFIX . '-'; | ||
| // Some sites may be misconfigured and return HTTP schema for the feed location URL. We force it to become HTTPS. | ||
| $force_https = str_replace( 'http:', 'https:', wp_get_upload_dir()['baseurl'] ); | ||
| $url_base = trailingslashit( $force_https ) . PINTEREST_FOR_WOOCOMMERCE_LOG_PREFIX . '-'; |
There was a problem hiding this comment.
wp_get_upload_dir() is called multiple times here; it’s cleaner and avoids repeated work to store the result in a local variable and use it for both basedir and baseurl. Also, WordPress provides set_url_scheme( $url, 'https' ) which is more robust than a raw str_replace when forcing HTTPS.
There was a problem hiding this comment.
@copilot apply changes based on this feedback
…figs to avoid double wp_get_upload_dir() call Agent-Logs-Url: https://github.com/woocommerce/pinterest-for-woocommerce/sessions/1ddf8e31-dbd9-469f-8c34-d9d7ff6f9dbc Co-authored-by: simplysaru <2734132+simplysaru@users.noreply.github.com>
The HTTPS forcing is applied consistently in both places — when the feed URL is first created/registered with Pinterest ( For sites without a valid certificate, the feed URL would be HTTPS in Pinterest's records but the file might not be reachable over HTTPS — that's a broader hosting configuration issue separate from URL matching. Checking |
Changes proposed in this Pull Request:
get_site_urlwithwp_get_upload_dirfor the feed location check.Additional details:
Changelog entry