WordPress.org

Make WordPress Core


Ignore:
Timestamp:
02/19/2021 09:11:02 PM (9 months ago)
Author:
flixos90
Message:

Security: Fix bug in wp_is_local_html_output().

Prior to this changeset, the check for the correct RSD link output was relying on a specific protocol, although it needs to accept both the HTTP and HTTPS version of the URL.

Props TimothyBlynJacobs.
Fixes #52542. See #47577.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/tests/phpunit/tests/https-detection.php

    r50284 r50391  
    172172    /**
    173173     * @ticket 47577
     174     * @ticket 52542
    174175     */
    175176    public function test_wp_is_local_html_output_via_rsd_link() {
     
    181182        // HTML includes modified RSD link but same URL.
    182183        $head_tag = str_replace( ' />', '>', get_echo( 'rsd_link' ) );
     184        $html     = $this->get_sample_html_string( $head_tag );
     185        $this->assertTrue( wp_is_local_html_output( $html ) );
     186
     187        // HTML includes RSD link with alternative URL scheme.
     188        $head_tag = get_echo( 'rsd_link' );
     189        $head_tag = false !== strpos( $head_tag, 'https://' ) ? str_replace( 'https://', 'http://', $head_tag ) : str_replace( 'http://', 'https://', $head_tag );
    183190        $html     = $this->get_sample_html_string( $head_tag );
    184191        $this->assertTrue( wp_is_local_html_output( $html ) );
Note: See TracChangeset for help on using the changeset viewer.