
Changeset 25323


Timestamp:
09/10/13 18:42:32 (21 months ago)
Author:
nacin
Message:

Validate referrers to prevent off-domain redirects. Merges [25318] to 3.6.

Location:
branches/3.6
Files:
3 edited


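--- a/branches/3.6/wp-includes/functions.php
+++ b/branches/3.6/wp-includes/functions.php
@@ -1284,5 +1284,5 @@
 
     if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
-        return wp_unslash( $ref );
+        return wp_validate_redirect( $ref, false );
     return false;
 }
@@ -1299,5 +1299,5 @@
 function wp_get_original_referer() {
     if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
-        return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
+        return wp_validate_redirect( wp_unslash( $_REQUEST['_wp_original_http_referer'] ), false );
     return false;
 }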
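Review bot: Both hunks change the return contract of wp_get_referer and wp_get_original_referer without a docblock update: a referer that wp_validate_redirect rejects now comes back as `false`, indistinguishable from the no-referer path, whereas before the raw string was returned. The docblocks sit outside the hunks, and the enclosing wp_get_referer function starts outside the first hunk; I would add `@return string|false Referer URL on success, false if absent or not on an allowed host.` to both. The `false` second argument relies on wp_validate_redirect handing `$default` back untouched, which appears to hold in the current implementation but is worth a one-line comment at each call site, e.g. `// false: reject an off-host referer instead of substituting a fallback URL`.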
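--- a/branches/3.6/wp-includes/pluggable.php
+++ b/branches/3.6/wp-includes/pluggable.php
@@ -943,4 +943,5 @@
 **/
 function wp_validate_redirect($location, $default = '') {
+    $location = trim( $location );
     // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
     if ( substr($location, 0, 2) == '//' )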
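Review bot: The added `trim()` call has no guard on `$location`, which is untyped and reaches this function from filters and request data; a non-string value (an array, for instance) makes trim() emit a warning and yield null, so the later checks run on an empty value rather than on the rejected input. I would precede it with `if ( ! is_string( $location ) ) return $default;` so malformed input takes the explicit failure path. The trim also deserves a why-comment, since it closes the gap where leading whitespace kept the `'//'` prefix from matching the substr check on the next line: `// Strip surrounding whitespace so a leading tab or newline cannot hide a protocol-relative '//' prefix from the check below.` The rest of wp_validate_redirect continues outside the hunk.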