Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#14062 closed defect (bug) (fixed)

some Location headers are using relative url's

Reported by: hakre
Owned by: dd32
Milestone: 3.1
Priority: normal
Severity: normal
Version: 3.0
Component: Administration
Keywords: has-patch
Focuses:
Cc:


While doing my HTTP-related work lately, I came across another issue. Many redirects are violating the HTTP RFC in that the Location header does not contain an absolute URI, which is what is to be used:

The Location response-header field is used to redirect the recipient
to a location other than the Request-URI for completion of the
request or identification of a new resource. For 201 (Created)
responses, the Location is that of the new resource which was created
by the request. For 3xx responses, the location SHOULD indicate the
server's preferred URI for automatic redirection to the resource. The
field value consists of a single absolute URI.

Location = "Location" ":" absoluteURI

An example is:

Location: http://www.w3.org/pub/WWW/People.html

14.30 Location/RFC 2616; HTTP/1.1; June 1999

When I analyze the output, I get the following location header line:

Location: plugins.php?deactivate=true&plugin_status=active&paged=1

This is a relative URI, not an absolute one.
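The header check described in the report above, as an added example that is not part of the original ticket or of WordPress: it flags Location values that are not absolute and shows what each one resolves to against the requested URL. The function name `audit_location`, the `example.test` request URLs and the status lines are assumptions made for this illustration.

```python
from urllib.parse import urljoin, urlsplit


def audit_location(request_url, raw_headers):
    """Return (value, is_absolute, resolved) for every Location header found."""
    findings = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "location":
            continue  # status line, blank line, or some other header
        value = value.strip()
        parts = urlsplit(value)
        # Assumption: count a value as absolute only if it has a scheme AND a
        # host. That is narrower than RFC 2616's absoluteURI grammar but is
        # what an http/https redirect target needs.
        is_absolute = bool(parts.scheme and parts.netloc)
        # A lenient client resolves a relative value against the URL it
        # requested, so the final target depends on that URL.
        resolved = value if is_absolute else urljoin(request_url, value)
        findings.append((value, is_absolute, resolved))
    return findings


# Constructed sample data: the two Location values are the ones quoted in the
# ticket; the request URLs and status lines are made up for this example.
RELATIVE = "plugins.php?deactivate=true&plugin_status=active&paged=1"
SAMPLES = [
    ("http://example.test/wp-admin/plugins.php",
     "HTTP/1.1 302 Found\r\nLocation: " + RELATIVE + "\r\n\r\n"),
    ("http://example.test/wp-admin",  # same header, different request path
     "HTTP/1.1 302 Found\r\nLocation: " + RELATIVE + "\r\n\r\n"),
    ("http://example.test/wp-admin/install.php",
     "HTTP/1.1 302 Found\r\nLocation: http://www.w3.org/pub/WWW/People.html\r\n\r\n"),
]

if __name__ == "__main__":
    for request_url, headers in SAMPLES:
        for value, is_absolute, resolved in audit_location(request_url, headers):
            verdict = "ok" if is_absolute else "RELATIVE"
            print(f"{verdict:8} request: {request_url}")
            print(f"         Location: {value}")
            print(f"         resolves to: {resolved}")
```

The second sample shows why a relative value is fragile: the same header resolves to a path outside `wp-admin/` when the request URL lacks the trailing path segment.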

Attachments (3)

14062.diff (1.2 KB) - added by PeteMall 5 years ago.
Use self_admin_url to ensure network admin compatibility.
14062.2.diff (5.6 KB) - added by PeteMall 5 years ago.
Use self_admin_url() in plugins.php.
14062.patch (1.2 KB) - added by ocean90 5 years ago.


Change History (23)

comment:1 @hakre 5 years ago

Related: #13909

comment:2 @dd32 5 years ago

  • Component changed from HTTP to Administration
  • Owner set to dd32
  • Status changed from new to accepted
  • Summary changed from plugins.php violates Location Header HTTP 1.1 Specification to some Location headers are using relative url's

comment:3 @miqrogroove 5 years ago

+1. I've seen invalid Location headers cause problems, especially for robots.

comment:4 @voyagerfan5761 5 years ago

  • Cc WordPress@… added

comment:5 @hakre 5 years ago

One way would be to check each call of wp_redirect(). Another idea I have is to integrate a warning inside my better redirects plugin that throws warnings if WP_DEBUG is enabled. It can help with plugin development as well.

comment:6 @dd32 5 years ago

Cross reference to a problem caused by this: #14904 (Install page not redirecting to wp-admin/ on IIS6)

comment:7 @dd32 5 years ago

(In [15680]) utilise wp_guess_url() in installation redirection to provide an Absolute URL. See #14062. See #14904

comment:8 @dd32 5 years ago

  • Milestone changed from Awaiting Review to 3.1

comment:9 @dd32 5 years ago

I'm considering what we should accept for wp_redirect();

Right now, I'm thinking that the addition of a wp_admin_redirect() which wraps the url with admin_url() before passing into wp_redirect() would be useful.

The other possibility is something such as this in wp_redirect:

// Not an absolute URL starting with a scheme?
if ( ! preg_match( '#^[a-z][a-z0-9+.-]*://#i', $url ) ) {
   $url = is_admin() ? admin_url( $url ) : site_url( $url );
}

That will catch more faulty redirects - but may break some plugins. In core it's mainly admin redirects which do not specify a full url, and wp-login.php.

comment:10 @jane 5 years ago

  • Keywords needs-patch added

If someone wants to do something about this for 3.1, it needs a patch to be posted now, or be punted to 3.2, as we are coming up on freeze.

comment:11 @dd32 5 years ago

(In [16006]) Use Absolute URL's in header redirects in wp-admin/plugin.php. See #14062

comment:12 @dd32 5 years ago

(In [16008]) Use Absolute URL's & API's in header redirects in more locations. See #14062

@PeteMall 5 years ago

Use self_admin_url to ensure network admin compatibility.

comment:13 @ryan 5 years ago

(In [16015]) Use self_admin_url(). Props PeteMall. see #14062

@PeteMall 5 years ago

Use self_admin_url() in plugins.php.

comment:14 @ocean90 5 years ago

  • Keywords has-patch added; needs-patch removed

@ocean90 5 years ago

comment:16 @ocean90 5 years ago

Use self_admin_url() in class-wp-plugin-install-list-table.php.

comment:17 @nacin 5 years ago

[16499] missed the ticket. I meant "see" not "fixes". Leaving this open.

comment:18 @nacin 5 years ago

Good for 3.1?

comment:19 @ryan 5 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

Let's call it done.

comment:20 @hakre 5 years ago

Follow-Up Ticket (some were left): #16909
