
Changeset 36266


Timestamp:
01/12/2016 08:31:10 AM (4 years ago)
Author:
swissspidy
Message:

Introduce wp_get_raw_referer() to retrieve unvalidated referer.

For things like redirects, wp_get_referer() should be used instead.

Props voldemortensen for initial patch.
Fixes #27152.

Location:
trunk
Files:
2 edited

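--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -1518,14 +1518,31 @@
  */
 function wp_get_referer() {
-    if ( ! function_exists( 'wp_validate_redirect' ) )
+    if ( ! function_exists( 'wp_validate_redirect' ) ) {
         return false;
-    $ref = false;
-    if ( ! empty( $_REQUEST['_wp_http_referer'] ) )
-        $ref = wp_unslash( $_REQUEST['_wp_http_referer'] );
-    elseif ( ! empty( $_SERVER['HTTP_REFERER'] ) )
-        $ref = wp_unslash( $_SERVER['HTTP_REFERER'] );
+    }
+
+    $ref = wp_get_raw_referer();
 
     if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) && $ref !== home_url() . wp_unslash( $_SERVER['REQUEST_URI'] ) ) {
         return wp_validate_redirect( $ref, false );
+    }
+
+    return false;
+}
+
+/**
+ * Retrieve unvalidated referer from '_wp_http_referer' or HTTP referer.
+ *
+ * Do not use for redirects, use wp_get_referer() instead.
+ *
+ * @since 4.5.0
+ *
+ * @return string|bool Referer URL on success, false on failure.
+ */
+function wp_get_raw_referer() {
+    if ( ! empty( $_REQUEST['_wp_http_referer'] ) ) {
+        return wp_unslash( $_REQUEST['_wp_http_referer'] );
+    } else if ( ! empty( $_SERVER['HTTP_REFERER'] ) ) {
+        return wp_unslash( $_SERVER['HTTP_REFERER'] );
     }
 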
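Review bot: The docblock on wp_get_raw_referer() warns only against redirects, but everything it returns is attacker-controlled in both branches — `_wp_http_referer` is read from `$_REQUEST` (query string or POST body, and cookies too if `request_order` includes them), `HTTP_REFERER` is a client-supplied header, and `wp_unslash()` only strips magic-quotes backslashes, so it is neither validation nor escaping. I would widen the warning so callers do not echo the value into HTML or attributes: `* Do not use for redirects, use wp_get_referer() instead. The value is raw, untrusted request input: escape it (e.g. esc_url()) before output and validate it before any decision that depends on its host.` The `@return` tag would also be more precise as `string|false`, since the visible branches return a string or `false` and never `true`. The closing `return false; }` of wp_get_raw_referer() lies outside the hunk.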
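--- a/trunk/tests/phpunit/tests/functions/referer.php
+++ b/trunk/tests/phpunit/tests/functions/referer.php
@@ -7,12 +7,10 @@
  */
 class Tests_Functions_Referer extends WP_UnitTestCase {
-    private $request = array();
-    private $server = array();
-
     public function setUp() {
         parent::setUp();
 
-        $this->server  = $_SERVER;
-        $this->request = $_REQUEST;
+        $_SERVER['HTTP_REFERER']      = '';
+        $_SERVER['REQUEST_URI']       = '';
+        $_REQUEST['_wp_http_referer'] = '';
     }
 
@@ -20,6 +18,7 @@
         parent::tearDown();
 
-        $_SERVER  = $this->server;
-        $_REQUEST = $this->request;
+        $_SERVER['HTTP_REFERER']      = '';
+        $_SERVER['REQUEST_URI']       = '';
+        $_REQUEST['_wp_http_referer'] = '';
     }
 
@@ -123,3 +122,35 @@
         remove_filter( 'allowed_redirect_hosts', array( $this, 'filter_allowed_redirect_hosts' ) );
     }
+
+    /**
+     * @ticket 27152
+     */
+    public function test_raw_referer_empty(  ) {
+        $this->assertFalse( wp_get_raw_referer() );
+    }
+
+    /**
+     * @ticket 27152
+     */
+    public function test_raw_referer(  ) {
+        $_SERVER['HTTP_REFERER'] = addslashes( 'http://example.com/foo?bar' );
+        $this->assertSame( 'http://example.com/foo?bar', wp_get_raw_referer() );
+    }
+
+    /**
+     * @ticket 27152
+     */
+    public function test_raw_referer_from_request(  ) {
+        $_REQUEST['_wp_http_referer'] = addslashes( 'http://foo.bar/baz' );
+        $this->assertSame( 'http://foo.bar/baz', wp_get_raw_referer() );
+    }
+
+    /**
+     * @ticket 27152
+     */
+    public function test_raw_referer_both(  ) {
+        $_SERVER['HTTP_REFERER'] = addslashes( 'http://example.com/foo?bar' );
+        $_REQUEST['_wp_http_referer'] = addslashes( 'http://foo.bar/baz' );
+        $this->assertSame( 'http://foo.bar/baz', wp_get_raw_referer() );
+    }
 }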
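Review bot: None of the four new tests pins the property that distinguishes wp_get_raw_referer() from wp_get_referer() — that it hands back a referer the validated path would reject — so a regression that quietly routed it through wp_validate_redirect() would still pass this file. A case such as `$_SERVER['HTTP_REFERER'] = 'http://attacker.example/x'; $this->assertSame( 'http://attacker.example/x', wp_get_raw_referer() );`, ideally paired with an assertion that wp_get_referer() returns `false` for the same input, would document that contract; whether example.com is already an off-host value for this suite is not visible here. Separately, the rewritten tearDown() now blanks `$_SERVER['HTTP_REFERER']`, `$_SERVER['REQUEST_URI']` and `$_REQUEST['_wp_http_referer']` to `''` instead of restoring the copies the removed `$this->server`/`$this->request` fields held, so those keys exist as empty strings for every later test in the process whether or not they did before; restoring the saved arrays or `unset()`ing the three keys would avoid that cross-test state.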