Make WordPress Core


Timestamp:
09/13/2022 07:48:45 PM (2 years ago)
Author:
davidbaumwald
Message:

General: Correct path replacement regex in wp_guess_url.

In wp_guess_url, the regex to check for wp-login.php in the URL is slightly too permissive, not escaping . in "wp-login.php". . is a token in regex that matches any character.

This change simply escapes the . and adds unit test coverage for wp_guess_url.

Props cfinke, ocean90, jrf, voldemortensen, jdgrimes, curdin, netweb, petitphp, SergeyBiryukov, costdev.
Fixes #36827.

File:
1 edited

  • trunk/src/wp-includes/functions.php

    r54097 r54146  
    60346034        // The request is for the admin.
    60356035        if ( strpos( $_SERVER['REQUEST_URI'], 'wp-admin' ) !== false || strpos( $_SERVER['REQUEST_URI'], 'wp-login.php' ) !== false ) {
    6036             $path = preg_replace( '#/(wp-admin/.*|wp-login.php)#i', '', $_SERVER['REQUEST_URI'] );
     6036            $path = preg_replace( '#/(wp-admin/?.*|wp-login\.php.*)#i', '', $_SERVER['REQUEST_URI'] );
    60376037
    60386038            // The request is for a file in ABSPATH.
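Review bot: On the added line 6036, `wp-admin/?.*` and the trailing `.*` after `wp-login\.php` change matching behaviour beyond the escaping that the commit message describes. With the slash now optional, `/wp-admin` followed by any characters matches, so a request path such as `/wp-administration-notes/` would be cut off at that point, and because the pattern is unanchored this applies wherever `/wp-admin` occurs in `REQUEST_URI`, query string included. If the goal is to also handle a bare `/wp-admin`, consider requiring `/`, `?` or end of string after `wp-admin` instead of an optional slash, and add a comment explaining why the `wp-login\.php` branch now consumes the rest of the string. The message also mentions unit test coverage, but this changeset lists only `functions.php` as edited, so the tests are not visible here for review.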