WordPress.org

Make WordPress Core

Changeset 40194 for branches/3.7


Ignore:
Timestamp:
03/06/2017 01:46:01 PM (4 years ago)
Author:
aaroncampbell
Message:

Strip control characters before validating redirect.

Merges [40183] to 3.7 branch.

Location:
branches/3.7
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • branches/3.7

  • branches/3.7/src

  • branches/3.7/src/wp-includes/pluggable.php

    r37766 r40194  
    973973 **/
    974974function wp_validate_redirect($location, $default = '') {
    975     $location = trim( $location );
     975    $location = trim( $location, " \t\n\r\0\x08\x0B" );
    976976    // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
    977977    if ( substr($location, 0, 2) == '//' )
  • branches/3.7/tests/phpunit/tests/formatting/redirect.php

    r36454 r40194  
    5454            array( 'http://user:@example.com/', 'http://user:@example.com/' ),
    5555            array( 'http://user:pass@example.com/', 'http://user:pass@example.com/' ),
     56            array( " \t\n\r\0\x08\x0Bhttp://example.com", 'http://example.com' ),
     57            array( " \t\n\r\0\x08\x0B//example.com", 'http://example.com' ),
    5658        );
    5759    }
     
    6567            // non-safelisted domain
    6668            array( 'http://non-safelisted.example/' ),
     69
     70            // non-safelisted domain (leading whitespace)
     71            array( " \t\n\r\0\x08\x0Bhttp://non-safelisted.example.com" ),
     72            array( " \t\n\r\0\x08\x0B//non-safelisted.example.com" ),
    6773
    6874            // unsupported schemes
Note: See TracChangeset for help on using the changeset viewer.