Opened 16 years ago
Closed 15 years ago
#7270 closed defect (bug) (worksforme)
tilde character encoded by mod_proxy creates a redirect loop on login
Reported by: | hopson | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 2.5.1 |
Component: | Administration | Keywords: | has-patch tested dev-feedback |
Focuses: | | Cc: | |
Description
When Unix user accounts are frontended by Apache+mod_proxy, the tilde character (~) is encoded as %7E. RFC 2396 states that it does not need to be encoded, and Apache 2.3 has fixed this:
In wp-includes/pluggable.php, function auth_redirect (line 612 in WordPress 2.5.1):
wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
creates a redirect loop, because REQUEST_URI already contains the decoded %7E, so it is double-encoded, and then fails the path check (against wp_settings('home'); I believe).
The attached patch (for WordPress 2.5.1) adds a call to urldecode() before urlencode(), to turn the %7E back into tilde.
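An added example, not part of the ticket or of WordPress: it reproduces the double encoding described above and shows a narrower normalization that decodes only RFC 3986 unreserved characters, whereas a blanket urldecode() would also turn escapes such as %26 back into reserved characters. The function names, the sample URLs and the prefix-match path check are assumptions made for illustration.

```php
<?php
// Added example; function names and sample values are constructed for illustration.

// Decode only percent-escapes of RFC 3986 "unreserved" characters
// (A-Z a-z 0-9 - . _ ~). Escapes of reserved characters such as %2F or %26
// stay encoded, so the URI keeps its meaning; other escapes get uppercase hex.
function normalize_unreserved(string $uri): string
{
    return preg_replace_callback(
        '/%([0-9A-Fa-f]{2})/',
        function (array $m): string {
            $char = chr(hexdec($m[1]));
            return preg_match('/^[A-Za-z0-9\-._~]$/', $char) === 1
                ? $char
                : '%' . strtoupper($m[1]);
        },
        $uri
    );
}

// Same construction as the wp_redirect() call quoted in the ticket.
function login_redirect_url(string $siteurl, string $request_uri, bool $normalize): string
{
    if ($normalize) {
        $request_uri = normalize_unreserved($request_uri);
    }
    return $siteurl . '/wp-login.php?redirect_to=' . urlencode($request_uri);
}

$siteurl     = 'http://example.org/~alice/blog';                      // constructed
$request_uri = '/%7Ealice/blog/wp-admin/options-general.php?a=1%26b'; // as sent by the proxy
$home_path   = parse_url($siteurl, PHP_URL_PATH);                     // "/~alice/blog"

foreach ([false, true] as $normalize) {
    $url = login_redirect_url($siteurl, $request_uri, $normalize);
    // PHP decodes query parameters once when it fills $_GET; parse_str does the same.
    parse_str(parse_url($url, PHP_URL_QUERY), $query);
    // Stand-in for the path check the ticket mentions (assumed to be a prefix match).
    $ok = strpos($query['redirect_to'], $home_path) === 0;
    printf(
        "normalize=%s\n  Location: %s\n  redirect_to as received: %s\n  under home path: %s\n",
        $normalize ? 'yes' : 'no', $url, $query['redirect_to'], $ok ? 'yes' : 'no'
    );
}
```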
Attachments (3)
Change History (11)
#4
@
15 years ago
- Keywords needs-testing dev-feedback added
Patch from dougieha in better placement in wp-settings.
#5
follow-up: ↓ 6
@
15 years ago
- Milestone 2.7 deleted
- Resolution set to worksforme
- Status changed from new to closed
I cannot reproduce in WP 2.7.
I placed this in my wp-config.php to simulate the Apache issue:
$_SERVER['REQUEST_URI'] = str_replace('~', '%7E', $_SERVER['REQUEST_URI']);
#6
in reply to: ↑ 5
@
15 years ago
- Resolution worksforme deleted
- Status changed from closed to reopened
Replying to markjaquith:
> I cannot reproduce in WP 2.7.
> I placed this in my wp-config.php to simulate the Apache issue:
> $_SERVER['REQUEST_URI'] = str_replace('~', '%7E', $_SERVER['REQUEST_URI']);
Hmmm...I can still reproduce in WP 2.7 (2.7-RC1-10119). For example, I just went to fix the time setting on the General settings page (to correct the wrong DST time), and WP prompted me for my admin username and password (even though I was already logged in). Upon entering the correct information, I was redirected back to the same login page in an endless loop.
By adding the patch from jacobsantos and then doing the same thing, the setting was saved right away, without any prompt for the login page. I've verified this several times, by adding and removing the patch. Without, I get the login page and get stuck in a redirect loop; with the patch, it works fine.
#7
@
15 years ago
- Keywords tested added; needs-testing removed
- Milestone set to 2.8
Well, the patch works, but I wasn't able to actually reproduce on my Mac either...
It seems that the tilde character causes all sorts of problems. See this link: http://www.wwco.com/~wls/blog/2006/11/19/wordpress-tilde-hack-for-home-directories/
I was encountering a problem that I believe is related to this one. I'm using WP 2.6.2 and every time I start to edit a new post, go to add an image, and click on either the "Gallery" or "Media Library" tabs, I was redirected to the wp-login page. Upon attempting to log in (which I was already), I get stuck in the redirect loop. Based on a careful examination of the links to the two tabs, it looks like the tilde is being double-escaped. By adding this line:
to wp-settings.php (around line 57, before the IIS fixes), I was able to solve my problems. Since wp-includes/pluggable.php has changed quite a bit since 2.5.1 (which is what the current patch is for), I hope this helps to provide a solution for newer versions.