Make WordPress Core

Changeset 36867

Timestamp:
03/06/2016 03:05:46 AM (9 years ago)
Author:
jeremyfelt
Message:

Multisite: Handle redirect to a user's subdomain properly during login

wp-login.php uses wp_safe_redirect() for all redirects, even those that do not involve unsafe data from the request or referer.

When a user of a subdomain site attempts to log in to a network site they do not have access to, the host in the redirect URL is treated as unsafe by wp_safe_redirect() as it has no immediate awareness as to which hosts are valid on the network. On a subdirectory network, everything works as expected because the host is the same.

In this specific block of wp-login.php, all URLs are generated by WordPress and we can use wp_redirect() to handle the redirects. Users authenticating via other network sites will now be redirected properly. Hosts passed via the redirect_to query var will continue to be handled by wp_safe_redirect().

Fixes #30598.

File:
1 edited

  • trunk/src/wp-login.php

    r36617 r36867  
    831831            elseif ( !$user->has_cap('edit_posts') )
    832832                $redirect_to = $user->has_cap( 'read' ) ? admin_url( 'profile.php' ) : home_url();
     833
     834            wp_redirect( $redirect_to );
     835            exit();
    833836        }
    834837        wp_safe_redirect($redirect_to);
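Review bot: the new wp_redirect( $redirect_to ) at 834 bypasses the allowed-host check that wp_safe_redirect() at 837 still applies, so its safety rests entirely on every branch of the enclosing if/elseif chain assigning $redirect_to from a WordPress-generated URL. Only the elseif at 831-832 (admin_url( 'profile.php' ) / home_url()) is visible in this hunk; please confirm the branches above 831 never carry a request- or referer-derived value, and add a one-line comment above the wp_redirect() call stating that every URL in this block is generated internally (citing #30598), so a later edit does not route user-supplied input through the unvalidated redirect.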