WordPress.org

Make WordPress Core


Ignore:
Timestamp:
02/19/2021 09:11:02 PM (2 months ago)
Author:
flixos90
Message:

Security: Fix bug in wp_is_local_html_output().

Prior to this changeset, the check for the correct RSD link output was relying on a specific protocol, although it needs to accept both the HTTP and HTTPS version of the URL.

Props TimothyBlynJacobs.
Fixes #52542. See #47577.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/https-detection.php

    r50075 r50391  
    205205    // 1. Check if HTML includes the site's Really Simple Discovery link.
    206206    if ( has_action( 'wp_head', 'rsd_link' ) ) {
    207         $pattern = esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ); // See rsd_link().
     207        $pattern = preg_replace( '#^https?:(?=//)#', '', esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ) ); // See rsd_link().
    208208        return false !== strpos( $html, $pattern );
    209209    }
     
    219219    if ( has_action( 'wp_head', 'rest_output_link_wp_head' ) ) {
    220220        // Try both HTTPS and HTTP since the URL depends on context.
    221         $pattern = esc_url( preg_replace( '#^https?:(?=//)#', '', get_rest_url() ) ); // See rest_output_link_wp_head().
     221        $pattern = preg_replace( '#^https?:(?=//)#', '', esc_url( get_rest_url() ) ); // See rest_output_link_wp_head().
    222222        return false !== strpos( $html, $pattern );
    223223    }
Note: See TracChangeset for help on using the changeset viewer.