Make WordPress Core

Changeset 25318 for trunk/src


Ignore:
Timestamp:
09/10/2013 06:06:43 PM (11 years ago)
Author:
nacin
Message:

Validate referrers to prevent off-domain redirects.

Location:
trunk/src/wp-includes
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/functions.php

    r25317 r25318  
    12971297
    12981298    if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
    1299         return wp_unslash( $ref );
     1299        return wp_validate_redirect( $ref, false );
    13001300    return false;
    13011301}
     
    13121312function wp_get_original_referer() {
    13131313    if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
    1314         return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
     1314        return wp_validate_redirect( wp_unslash( $_REQUEST['_wp_original_http_referer'] ), false );
    13151315    return false;
    13161316}
  • trunk/src/wp-includes/pluggable.php

    r25273 r25318  
    965965 **/
    966966function wp_validate_redirect($location, $default = '') {
     967    $location = trim( $location );
    967968    // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
    968969    if ( substr($location, 0, 2) == '//' )
Note: See TracChangeset for help on using the changeset viewer.