home_url() malfunctions when the passed URL contains two dots in a row ("..")

[markjaquith]

home_url() (and a bunch of other similar functions) will spit back your WordPress Site URL if the URL/path you pass in to it has two dots ("..") in a row. It was an unexplained addition to the original code that has persisted.

Reproduction:

echo home_url( '/foo-bar/elipsis...no-work/' );

Observed:

http://example.com

Expected:

http://example.com/foo-bar/elipsis...no-work/

It is due to this:

if ( !empty( $path ) && is_string( $path ) && strpos( $path, '..' ) === false )
    $url .= '/' . ltrim( $path, '/' );

We should just remove that part of the condition. It doesn't serve any legitimate purpose that Nacin or I can tell, and it makes legitimate URLs with two (or more) dots fail in a very unexpected way.

Patch removes that part of the logic from 10 functions. Someone else test and give me a sanity check.

In IRC we tracked this down to #7001. It was codified into unit tests, specifically TestSSLLinks::test_admin_url_invalid(), but I think the original case was invalid. We're talking about URL paths rather than anything that will touch the filesystem.

Related: #12756

Unit test

Related: #22666

Updated unit test for the new test runner. Verified test still fails without patch and still passes with patch.

#23489 was marked as a duplicate.

In 1225/tests:

Test for allowing .. in paths passed to *_url functions. see #19032.

In 23537:

Allow paths with two consecutive dots to be passed to home_url() and all related *_url() functions.

props markjaquith.
fixes #19032.