Mark was trawling through the WordPress code, tracking down a bug in an extension, when he noticed this particular method for deciding whether or not WordPress is served via HTTPS or not.
function is_ssl() {
if ( isset($_SERVER['HTTPS']) ) {
if ( 'on' == strtolower($_SERVER['HTTPS']) )
return true;
if ( '1' == $_SERVER['HTTPS'] )
return true;
} elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
return true;
}
return false;
}
So, the first half of this is ugly but forgivable, given the problems of truthiness. We first check if the HTTPS
server variable is set to either a 1
or an on
. According to the PHP docs, any non-empty value means it's running on HTTPS, so it's technically an incorrect check. I strongly suspect, though, that it's a workaround for a badly behaving web server- I see a world where some server running PHP sets that variable to off
or something equally inane, violating the spec.
Which brings us to the elseif
, which likely is the same thing- a compatibility hack for a badly behaving web server. If we're running on port 443, assume SSL. Is this an out-and-out mistake? Well, probably not. If we're getting picky about specifications, 443 is officially reserved for SSL, so you shouldn't be running anything but an SSL enabled web server on that port. So it's a good thing nobody runs things on non-standard ports ever.
I wouldn't call this particular function a WTF, but the problem it's solving- a messy, ugly, disastrous landscape of badly configured servers, coupled with a product that's meant to be easy to install and use for non-technical people, leads to a function that just raises my blood pressure and makes me stressed to look at. I don't like it.