Ticket #17490: 17490-2.diff

wp-includes/class-http.php

@@ -1042 +1042 @@
                 curl_setopt( $handle, CURLOPT_SSL_VERIFYHOST, ( $ssl_verify === true ) ? 2 : false );
                 curl_setopt( $handle, CURLOPT_SSL_VERIFYPEER, $ssl_verify );
                 curl_setopt( $handle, CURLOPT_USERAGENT, $r['user-agent'] );
-                curl_setopt( $handle, CURLOPT_MAXREDIRS, $r['redirection'] );
+                curl_setopt( $handle, CURLOPT_MAXREDIRS, 0 );
 
                 switch ( $r['method'] ) {
                         case 'HEAD':
@@ -1074 +1074 @@
                         curl_setopt( $handle, CURLOPT_FILE, $stream_handle );
                 }
 
-                // The option doesn't work with safe mode or when open_basedir is set.
-                if ( !ini_get('safe_mode') && !ini_get('open_basedir') && 0 !== $r['_redirection'] )
-                        curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, true );
+                // The option doesn't work with safe mode or when open_basedir is set, and there's a
+                // bug #17490 with redirected POST requests, so handle redirections outside Curl.
+                curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, false );
 
                 if ( !empty( $r['headers'] ) ) {
                         // cURL expects full header strings in each element
@@ -1130 +1130 @@
                         fclose( $stream_handle );
 
                 // See #11305 - When running under safe mode, redirection is disabled above. Handle it manually.
-                if ( ! empty( $theHeaders['headers']['location'] ) && ( ini_get( 'safe_mode' ) || ini_get( 'open_basedir' ) ) && 0 !== $r['_redirection'] ) {
+                if ( ! empty( $theHeaders['headers']['location'] ) && 0 !== $r['_redirection'] ) {
                         if ( $r['redirection']-- > 0 ) {
                                 return $this->request( $theHeaders['headers']['location'], $r );
                         } else {