Opened 16 months ago
Last modified 9 days ago
#19856 new defect (bug)
wp_get_referer() doesn't return false when the referer URL is the same as the current URL
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.6 |
| Component: | General | Version: | 3.3.1 |
| Severity: | normal | Keywords: | has-patch |
| Cc: | bpetty, pippin@… |
Description
Inside wp_get_referer(), there's this conditional statement:
if ( $ref && $ref !== $_SERVER['REQUEST_URI'] )
It is there to ensure that wp_get_referer() doesn't return the same page I'm on. This is useful when redirecting because I can detect and avoid infinite redirection.
According to PHP documentation, $_SERVER['REQUEST_URI'] is only the URI on the host. As a result, the conditional statement above fails in this case:
Let's say I was redirected from http://example.com/sample-uri to itself (either by clicking a link or a form submission). Then:
$ref = 'http://example.com/sample-uri'; $_SERVER['REQUEST_URI'] = '/sample-uri';
So technically, the referrer is the same page, but wp_get_referer() doesn't return false as expected, because $ref !== $_SERVER['REQUEST_URI'].
A better conditional statement would be:
if ( $ref && parse_url( $ref, PHP_URL_PATH ) !== $_SERVER['REQUEST_URI'] )
Patch attached.
I'm using PHP 5.3.6, Apache 2.2.20.
Attachments (3)
Change History (9)
comment:1
SergeyBiryukov — 15 months ago
- Milestone changed from Awaiting Review to 3.4
- Keywords needs-unit-tests added
- Milestone changed from 3.4 to Future Release
- Keywords needs-unit-tests removed
The original patch here breaks referer URLs from different query variables, and also doesn't account for URLs from the different servers, but (coincidentally) the same resource.
If we use get_site_url() in wp_get_referer() for comparison instead, it fixes this and accounts for query variables and different servers.
I've also attached unit tests for this.
use get_site_url() in wp_get_referer() checks