Changeset 50391 for trunk/src/wp-includes/https-detection.php

Timestamp:

02/19/2021 09:11:02 PM (3 years ago)

Author:

flixos90

Message:

Security: Fix bug in wp_is_local_html_output().

Prior to this changeset, the check for the correct RSD link output was relying on a specific protocol, although it needs to accept both the HTTP and HTTPS version of the URL.

Props TimothyBlynJacobs.
Fixes #52542. See #47577.

File:

• trunk/src/wp-includes/https-detection.php (modified) (2 diffs)

trunk/src/wp-includes/https-detection.php

@@ -205 +205 @@
     // 1. Check if HTML includes the site's Really Simple Discovery link.
     if ( has_action( 'wp_head', 'rsd_link' ) ) {
-        $pattern = esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ); // See rsd_link().
+        $pattern = preg_replace( '#^https?:(?=//)#', '', esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ) ); // See rsd_link().
         return false !== strpos( $html, $pattern );
     }
@@ -219 +219 @@
     if ( has_action( 'wp_head', 'rest_output_link_wp_head' ) ) {
         // Try both HTTPS and HTTP since the URL depends on context.
-        $pattern = esc_url( preg_replace( '#^https?:(?=//)#', '', get_rest_url() ) ); // See rest_output_link_wp_head().
+        $pattern = preg_replace( '#^https?:(?=//)#', '', esc_url( get_rest_url() ) ); // See rest_output_link_wp_head().
         return false !== strpos( $html, $pattern );
     }