Opened 13 years ago
Closed 12 years ago
#19032 closed defect (bug) (fixed)
home_url() malfunctions when the passed URL contains two dots in a row ("..")
Reported by: | markjaquith | Owned by: | markjaquith |
---|---|---|---|
Milestone: | 3.6 | Priority: | high |
Severity: | normal | Version: | 2.6 |
Component: | General | Keywords: | has-patch 2nd-opinion |
Focuses: | Cc: |
Description
home_url()
(and a bunch of other similar functions) will spit back your WordPress Site URL if the URL/path you pass in to it has two dots ("..") in a row. It was an unexplained addition to the original code that has persisted.
Reproduction:
echo home_url( '/foo-bar/elipsis...no-work/' );
Observed:
http://example.com
Expected:
http://example.com/foo-bar/elipsis...no-work/
It is due to this:
if ( !empty( $path ) && is_string( $path ) && strpos( $path, '..' ) === false ) $url .= '/' . ltrim( $path, '/' );
We should just remove that part of the condition. It doesn't serve any legitimate purpose that Nacin or I can tell, and it makes legitimate URLs with two (or more) dots fail in a very unexpected way.
Attachments (3)
Change History (14)
#1
@
13 years ago
- Keywords has-patch 2nd-opinion needs-unit-tests added
- Owner set to markjaquith
- Status changed from new to accepted
#2
@
13 years ago
In IRC we tracked this down to #7001. It was codified into unit tests, specifically TestSSLLinks::test_admin_url_invalid(), but I think the original case was invalid. We're talking about URL paths rather than anything that will touch the filesystem.
#8
@
12 years ago
Updated unit test for the new test runner. Verified test still fails without patch and still passes with patch.
#10
@
12 years ago
In 1225/tests:
Patch removes that part of the logic from 10 functions. Someone else test and give me a sanity check.