Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#22666 closed defect (bug) (fixed)

When evaluating path in get_*_url(), '..' can match the query string

Reported by: wonderboymusic
Owned by:
Milestone: 3.6
Priority: normal
Severity: normal
Version:
Component: Permalinks
Keywords: has-patch
Focuses:
Cc:


http://nacins-beard.com/gallery/?s=... is a valid URL. A common way to generate it and URLs like it is:

home_url( '/gallery/?s=..' )

This will return:


Why? Because most of the get_*_url functions check for .. on the entire URI, not limited to the path. My patch fixes this and uses a function that all of the url functions share, eliminating a bunch of dupe'd code.

Attachments (1)

dot-dot.diff (6.5 KB) - added by wonderboymusic 3 years ago.
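
The behaviour reported above, next to a check limited to the path, as an added example (not WordPress core code and not the contents of dot-dot.diff). The function names and the `example.test` base URL are hypothetical. The second function goes slightly beyond the ticket by rejecting `..` only when it is a complete path segment, including its percent-encoded form.

```php
<?php
// Hypothetical helpers written for this example; sample inputs are constructed.

// Check as the ticket describes it: '..' is searched for in the whole
// argument, so a query string that contains '..' makes the function
// silently drop the path and return the bare base URL.
function append_path_whole_check( string $base, string $path ): string {
    if ( $path !== '' && strpos( $path, '..' ) === false ) {
        return rtrim( $base, '/' ) . '/' . ltrim( $path, '/' );
    }
    return $base;
}

// Path-only check: split off the query string and fragment first, then
// reject '..' only where it can traverse, i.e. as a whole path segment.
function append_path_segment_check( string $base, string $path ): string {
    if ( $path === '' ) {
        return $base;
    }
    $cut       = strcspn( $path, '?#' );   // offset of the first '?' or '#'
    $path_only = substr( $path, 0, $cut );
    $tail      = substr( $path, $cut );    // query string and/or fragment, kept as-is
    foreach ( explode( '/', $path_only ) as $segment ) {
        if ( rawurldecode( $segment ) === '..' ) {
            return $base;                  // traversal in the path itself: do not append
        }
    }
    return rtrim( $base, '/' ) . '/' . ltrim( $path_only, '/' ) . $tail;
}

$base  = 'http://example.test';            // constructed base URL
$cases = array(
    '/gallery/?s=..',         // '..' only in the query string (the ticket's case)
    '/gallery/../wp-admin/',  // '..' as a path segment
    '/gallery/%2e%2e/x/',     // percent-encoded '..' segment
    '/gallery/v1..2/',        // '..' inside a segment name, not a traversal
    '/gallery/#a..b',         // '..' only in the fragment
);

foreach ( $cases as $p ) {
    printf(
        "%-24s whole: %-34s segment: %s\n",
        $p,
        append_path_whole_check( $base, $p ),
        append_path_segment_check( $base, $p )
    );
}
```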


Change History (8)

@wonderboymusic 3 years ago

comment:1 @nacin 3 years ago

add_to_path() sounds a bit like join_with_slashes(), see #19796 for patches.

comment:2 @wonderboymusic 3 years ago

  • Milestone changed from Awaiting Review to 3.6

join_with_slashes never made it into 3.5 - add_path_to_url works generically with any URL that already has a path or not and the passed path. The main point of it: it condenses code that is repeated all over the place (10 other functions!), and join_with_slashes does not.

comment:3 @wonderboymusic 3 years ago

#23098 was marked as a duplicate.

comment:4 @DrewAPicture 3 years ago

  • Cc xoodrew@… added

comment:5 @DrewAPicture 3 years ago

Rereading dot-dot.diff, wouldn't you want to require $url? set_url_scheme() is going to return a formed host regardless but the path will only be appended if it both exists and is valid.

comment:6 @SergeyBiryukov 3 years ago

Related: #19032

Appears to be fixed in [23537].

comment:7 @nacin 3 years ago

  • Resolution set to fixed
  • Status changed from new to closed