WordPress.org

Make WordPress Core

Changeset 25323


Ignore:
Timestamp:
09/10/2013 06:42:32 PM (5 years ago)
Author:
nacin
Message:

Validate referrers to prevent off-domain redirects. Merges [25318] to 3.6.

Location:
branches/3.6
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • branches/3.6

  • branches/3.6/wp-includes/functions.php

    r25322 r25323  
    12841284
    12851285    if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
    1286         return wp_unslash( $ref );
     1286        return wp_validate_redirect( $ref, false );
    12871287    return false;
    12881288}
     
    12991299function wp_get_original_referer() {
    13001300    if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
    1301         return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
     1301        return wp_validate_redirect( wp_unslash( $_REQUEST['_wp_original_http_referer'] ), false );
    13021302    return false;
    13031303}
  • branches/3.6/wp-includes/pluggable.php

    r24649 r25323  
    943943 **/
    944944function wp_validate_redirect($location, $default = '') {
     945    $location = trim( $location );
    945946    // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
    946947    if ( substr($location, 0, 2) == '//' )
Note: See TracChangeset for help on using the changeset viewer.