WordPress.org

Make WordPress Core

#22666 closed defect (bug) (fixed)

When evaluating path in get_*_url(), '..' can match the query string

Reported by: wonderboymusic Owned by:
Milestone: 3.6 Priority: normal
Severity: normal Version:
Component: Permalinks Keywords: has-patch
Focuses: Cc:

Description

http://nacins-beard.com/gallery/?s=... is a valid URL. A common way to generate it and URLs like it is:

home_url( '/gallery/?s=..' )

This will return:

http://nacins-beard.com

Why? Because most of the get_*_url functions check for .. on the entire URI, not limited to the path. My patch fixes this and uses a function that all of the url functions share, eliminating a bunch of dupe'd code.

Attachments (1)

dot-dot.diff (6.5 KB) - added by wonderboymusic 20 months ago.

Download all attachments as: .zip

Change History (8)

wonderboymusic20 months ago

comment:1 nacin19 months ago

add_to_path() sounds a bit like join_with_slashes(), see #19796 for patches.

comment:2 wonderboymusic19 months ago

  • Milestone changed from Awaiting Review to 3.6

join_with_slashes never made it into 3.5 - add_path_to_url works generically with any URL that already has a path or not and the passed path. The main point of it: it condenses code that is repeated all over the place (10 other functions!), and join_with_slashes does not.

comment:3 wonderboymusic19 months ago

#23098 was marked as a duplicate.

comment:4 DrewAPicture19 months ago

  • Cc xoodrew@… added

+1 for dot-dot.diff.

Version 0, edited 19 months ago by DrewAPicture (next)

comment:5 DrewAPicture19 months ago

Rereading dot-dot.diff, wouldn't you want to require $url? set_url_scheme() is going to return a formed host regardless but the path will only be appended if it both exists and is valid.

comment:6 SergeyBiryukov17 months ago

Related: #19032

Appears to be fixed in [23537].

comment:7 nacin17 months ago

  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.