Make WordPress Core

Changeset 40186


Ignore:
Timestamp:
03/06/2017 01:40:49 PM (7 years ago)
Author:
aaroncampbell
Message:

Strip control characters before validating redirect.

Merges [40183] to 4.5 branch.

Location:
branches/4.5
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • branches/4.5

  • branches/4.5/src/wp-includes/pluggable.php

    r37757 r40186  
    12721272 **/
    12731273function wp_validate_redirect($location, $default = '') {
    1274     $location = trim( $location );
     1274    $location = trim( $location, " \t\n\r\0\x08\x0B" );
    12751275    // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
    12761276    if ( substr($location, 0, 2) == '//' )
  • branches/4.5/tests/phpunit/tests/formatting/redirect.php

    r36444 r40186  
    6060            array( 'http://user:@example.com/', 'http://user:@example.com/' ),
    6161            array( 'http://user:pass@example.com/', 'http://user:pass@example.com/' ),
     62            array( " \t\n\r\0\x08\x0Bhttp://example.com", 'http://example.com' ),
     63            array( " \t\n\r\0\x08\x0B//example.com", 'http://example.com' ),
    6264        );
    6365    }
     
    7173            // non-safelisted domain
    7274            array( 'http://non-safelisted.example/' ),
     75
     76            // non-safelisted domain (leading whitespace)
     77            array( " \t\n\r\0\x08\x0Bhttp://non-safelisted.example.com" ),
     78            array( " \t\n\r\0\x08\x0B//non-safelisted.example.com" ),
    7379
    7480            // unsupported schemes
Note: See TracChangeset for help on using the changeset viewer.