
Ticket #57809: localhost-secure-context-app-passwords.patch

File localhost-secure-context-app-passwords.patch, 1.1 KB (added by aquarius, 15 months ago)

Small patch to make localhost HTTP URLs acceptable as success_url and reject_url for the application password flow, à la browser secure contexts

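--- a/wordpress/wp-admin/includes/user.php
+++ b/wordpress/wp-admin/includes/user.php
@@ -623,8 +623,10 @@
 
         if ( ! empty( $request['success_url'] ) ) {
                 $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
+                $host = wp_parse_url( $request['success_url'], PHP_URL_HOST );
+                $host_is_localhost = preg_match('/^localhost(:[0-9]+)?$/i', $host);
 
-                if ( 'http' === $scheme ) {
+                if ( 'http' === $scheme && !$host_is_localhost ) {
                         $error->add(
                                 'invalid_redirect_scheme',
                                 __( 'The success URL must be served over a secure connection.' )
@@ -634,8 +636,10 @@
 
         if ( ! empty( $request['reject_url'] ) ) {
                 $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
+                $host = wp_parse_url( $request['reject_url'], PHP_URL_HOST );
+                $host_is_localhost = preg_match('/^localhost(:[0-9]+)?$/i', $host);
 
-                if ( 'http' === $scheme ) {
+                if ( 'http' === $scheme && !$host_is_localhost ) {
                         $error->add(
                                 'invalid_redirect_scheme',
                                 __( 'The rejection URL must be served over a secure connection.' )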
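Review bot: The localhost test added at new lines 627 and 640 leans on a port group that can never match, since `PHP_URL_HOST` excludes the port, and it passes `$host` to `preg_match()` unchecked although `wp_parse_url()` can return a non-string when the URL has no host. A plain comparison says the same thing and guards that case: `$host_is_localhost = is_string( $host ) && 'localhost' === strtolower( $host );`. Because this exemption lets the flow redirect over cleartext HTTP, it is worth a comment stating the assumption that `localhost` resolves to loopback in the user's browser, which the server cannot verify, and saying whether the loopback literals `127.0.0.1` and `[::1]` are deliberately left out. The same two lines are repeated for `reject_url`, so a small shared helper would keep the two checks from drifting apart; the enclosing function starts and ends outside both hunks.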