WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#18618 closed defect (bug) (invalid)

WordPress still relies on HTTP_REFERER for redirects which can be invalid

Reported by: _ck_ Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.2.1
Component: General Keywords:
Focuses: Cc:

Description

Apparently this has not been fixed in over six years either.

The HTTP_REFERER header is not a valid method of redirecting users. It can be forged, blocked, removed or replaced by proxies, firewalls, etc.

This can cause unexpected behavior in user and admin interfaces.

The most common situation is that the header has been removed by personal firewalls to protect privacy. So I suggest developers use a browser plugin to temporarily block the referer and see what behaviors happen.

One consistent example is to try re-checking for spam on comments in the WP admin with akismet but there are other obvious pitfalls in the WP codebase when you search for HTTP_REFERER

Change History (2)

comment:1 nacin3 years ago

Nowhere does WordPress rely first on HTTP_REFERER. This was addressed years ago.

Akismet is not core. That can be reported on http://plugins.trac.wordpress.org/. They should be using wp_get_referer().

wp_get_referer() falls back to HTTP_REFERER after checking for a _wp_http_referer field.

There are some old MU functions that we don't use that also fall back to HTTP_REFERER. Those can be addressed in another ticket.

N.B. _ck_, is the tone truly necessary?

comment:2 nacin3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

#18619

Otherwise marking as invalid.

Note: See TracTickets for help on using tickets.