

Ticket #34028: 34028.diff

File 34028.diff, 2.4 KB (added by layotte, 5 years ago)
  • wp-includes/pluggable.php

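--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1321,8 +1321,9 @@ if ( !function_exists('wp_validate_redirect') ) :
 function wp_validate_redirect($location, $default = '') {
         $location = trim( $location );
         // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
-        if ( substr($location, 0, 2) == '//' )
+        if ( substr($location, 0, 2) == '//' ) {
                 $location = 'http:' . $location;
+        }
 
         // In php 5 parse_url may fail if the URL query part contains http://, bug #38143
         $test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location;
@@ -1330,18 +1331,22 @@ function wp_validate_redirect($location, $default = '') {
         $lp  = parse_url($test);
 
         // Give up if malformed URL
-        if ( false === $lp )
+        if ( false === $lp ) {
                 return $default;
+        }
 
         // Allow only http and https schemes. No data:, etc.
-        if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) )
+        if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) ) {
                 return $default;
+        }
 
         // Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
-        if ( isset($lp['scheme'])  && !isset($lp['host']) )
+        if ( isset($lp['scheme'])  && !isset($lp['host']) ) {
                 return $default;
+        }
 
-        $wpp = parse_url(home_url());
+        $home = parse_url(home_url());
+        $site = parse_url(site_url());
 
         /**
          * Filter the whitelist of hosts to redirect to.
@@ -1351,10 +1356,11 @@ function wp_validate_redirect($location, $default = '') {
          * @param array       $hosts An array of allowed hosts.
          * @param bool|string $host  The parsed host; empty if not isset.
          */
-        $allowed_hosts = (array) apply_filters( 'allowed_redirect_hosts', array($wpp['host']), isset($lp['host']) ? $lp['host'] : '' );
+        $allowed_hosts = (array) apply_filters( 'allowed_redirect_hosts', array( $home['host'], $site['host'] ), isset( $lp['host'] ) ? $lp['host'] : '' );
 
-        if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
+        if ( isset( $lp['host'] ) && ( !in_array( $lp['host'], $allowed_hosts ) && ( $lp['host'] != strtolower( $home['host'] ) || $lp['host'] != strtolower( $site['host'] ) ) ) ) {
                 $location = $default;
+        }
 
         return $location;
 }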
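Review bot: The rewritten host check on the last changed line of this section joins the two fallback comparisons with `||`, so whenever home_url() and site_url() have different hosts one of the two inequalities is always true, the fallback clause never rescues a host that an `allowed_redirect_hosts` filter dropped, and a filter returning a replacement list (the case the original `$wpp` comparison covered) now sends same-site redirects to `$default`. The intent reads as rejecting only a host that matches neither, i.e. `( $lp['host'] != strtolower( $home['host'] ) && $lp['host'] != strtolower( $site['host'] ) )`. On the same line, `in_array()` is still loose and case-sensitive while the fallback lowercases only the reference side, so passing `true` as the third argument and comparing `strtolower( $lp['host'] )` would make the whitelist check and the fallback agree. If site_url() ever parses without a host component, `$site['host']` is an undefined index on the new `$allowed_hosts` line, so an `isset()` guard before building the array is cheap insurance. The body of wp_validate_redirect spans all three hunks of this section.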