Changeset 36447 for branches/4.4/src/wp-includes/pluggable.php

Timestamp:

02/02/2016 04:58:49 PM (10 years ago)

Author:

ocean90

Message:

Better validation of the URL used in HTTP redirects.

Merges [36444] to the 4.4 branch.

File:

• branches/4.4/src/wp-includes/pluggable.php (modified) (2 diffs)

branches/4.4/src/wp-includes/pluggable.php

@@ -1334 +1334 @@
     $test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location;
 
-    $lp  = parse_url($test);
+    // @-operator is used to prevent possible warnings in PHP < 5.3.3.
+    $lp = @parse_url($test);
 
     // Give up if malformed URL
@@ -1344 +1345 @@
         return $default;
 
-    // Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
-    if ( isset($lp['scheme'])  && !isset($lp['host']) )
+    // Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
+    if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
         return $default;
+    }
+
+    // Reject malformed components parse_url() can return on odd inputs
+    foreach ( array( 'user', 'pass', 'host' ) as $component ) {
+        if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
+            return $default;
+        }
+    }
 
     $wpp = parse_url(home_url());