
Changeset 50391


Ignore:
Timestamp:
02/19/2021 09:11:02 PM (4 years ago)
Author:
flixos90
Message:

Security: Fix bug in wp_is_local_html_output().

Prior to this changeset, the check for the correct RSD link output was relying on a specific protocol, although it needs to accept both the HTTP and HTTPS version of the URL.

Props TimothyBlynJacobs.
Fixes #52542. See #47577.

Location:
trunk
Files:
2 edited

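--- a/trunk/src/wp-includes/https-detection.php
+++ b/trunk/src/wp-includes/https-detection.php
@@ -205,5 +205,5 @@
     // 1. Check if HTML includes the site's Really Simple Discovery link.
     if ( has_action( 'wp_head', 'rsd_link' ) ) {
-        $pattern = esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ); // See rsd_link().
+        $pattern = preg_replace( '#^https?:(?=//)#', '', esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ) ); // See rsd_link().
         return false !== strpos( $html, $pattern );
     }
@@ -219,5 +219,5 @@
     if ( has_action( 'wp_head', 'rest_output_link_wp_head' ) ) {
         // Try both HTTPS and HTTP since the URL depends on context.
-        $pattern = esc_url( preg_replace( '#^https?:(?=//)#', '', get_rest_url() ) ); // See rest_output_link_wp_head().
+        $pattern = preg_replace( '#^https?:(?=//)#', '', esc_url( get_rest_url() ) ); // See rest_output_link_wp_head().
         return false !== strpos( $html, $pattern );
     }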
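Review bot: The scheme-stripping added at new line 207 carries no explanation, while the identical idiom at line 221 is introduced by `// Try both HTTPS and HTTP since the URL depends on context.`; put the same comment above line 207 so a reader does not take the preg_replace for a no-op or remove it as redundant with esc_url(). The trailing `// See rsd_link().` only points at the emitter and does not say why the scheme is dropped before the strpos() match. The scheme-agnostic match is a deliberate loosening of the local-output check, which is worth stating once near the first occurrence. wp_is_local_html_output() begins and ends outside both hunks, so any earlier pattern checks in the function are not visible here.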
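--- a/trunk/tests/phpunit/tests/https-detection.php
+++ b/trunk/tests/phpunit/tests/https-detection.php
@@ -172,4 +172,5 @@
     /**
      * @ticket 47577
+     * @ticket 52542
      */
     public function test_wp_is_local_html_output_via_rsd_link() {
@@ -181,4 +182,10 @@
         // HTML includes modified RSD link but same URL.
         $head_tag = str_replace( ' />', '>', get_echo( 'rsd_link' ) );
+        $html     = $this->get_sample_html_string( $head_tag );
+        $this->assertTrue( wp_is_local_html_output( $html ) );
+
+        // HTML includes RSD link with alternative URL scheme.
+        $head_tag = get_echo( 'rsd_link' );
+        $head_tag = false !== strpos( $head_tag, 'https://' ) ? str_replace( 'https://', 'http://', $head_tag ) : str_replace( 'http://', 'https://', $head_tag );
         $html     = $this->get_sample_html_string( $head_tag );
         $this->assertTrue( wp_is_local_html_output( $html ) );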
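Review bot: The scheme flip at new line 189 spells the swap out twice inside a ternary and runs well past the usual line length; `strtr()` performs both replacements in a single pass without re-scanning text it has already replaced, so the line reduces to `$head_tag = strtr( $head_tag, array( 'https://' => 'http://', 'http://' => 'https://' ) );`. A plain `str_replace()` with two search/replace arrays would not work here, since its second replacement would undo the first. Whether the rest_output_link_wp_head path, which uses the same scheme-stripping, gets a matching alternative-scheme assertion is not visible from this changeset. The enclosing test method starts before this hunk and ends after it.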