#36827 closed defect (bug) (fixed)
Regular expression in wp_guess_url() is slightly too permissive.
Reported by: | cfinke | Owned by: | davidbaumwald |
---|---|---|---|
Milestone: | 6.1 | Priority: | normal |
Severity: | normal | Version: | 3.4 |
Component: | General | Keywords: | has-patch good-first-bug has-unit-tests |
Focuses: | Cc: |
Description
In wp_guess_url()
, there is a regular expression is supposed to replace wp-admin/*
or wp-login.php
in a URL:
$path = preg_replace( '#/(wp-admin/.*|wp-login.php)#i', '', $_SERVER['REQUEST_URI'] );
However, the dot in wp-login.php
is not escaped, so the replacement will also run when any character is in that position, not just a period. The enclosing if ()
statement makes this exceedingly unlikely to happen, but the dot should be escaped regardless.
Attachments (4)
Change History (27)
This ticket was mentioned in Slack in #core by voldemortensen. View the logs.
8 years ago
#5
follow-up:
↓ 7
@
8 years ago
Looking at the regex, I can see two more variants which would not be caught:
http://mysite.com/wp-admin http://mysite.com/wp-login.php?var=somevar
I've seen that last one sometimes when plugins try to secure a url.
Changing the regex to the below will fix that and catch both:
'#/(wp-admin(?:$|/.*)|wp-login\.php.*)#i'
#7
in reply to:
↑ 5
@
8 years ago
Replying to jrf:
Looking at the regex, I can see two more variants which would not be caught:
http://mysite.com/wp-admin http://mysite.com/wp-login.php?var=somevarI've seen that last one sometimes when plugins try to secure a url.
Changing the regex to the below will fix that and catch both:
'#/(wp-admin(?:$|/.*)|wp-login\.php.*)#i'
In the case of http://mysite.com/wp-login.php?var=somevar
it will still remove wp-login.php
and return http://mysite.com?var=somevar
. We may need to keep that behavior for back-compat (although I'm not aware of anything that depends on this).
#8
@
8 years ago
If you try to access a site that hasn't been installed yet using http://example.com/wp-login.php?redirect_to=/somewhere
, you will be shown the error page saying that the site is not installed yet. But the "Create wp-config.php" button won't work, because wp_guess_url()
doesn't strip the query string from the URL. The link URL will be wrong, because wp-load.php
just does this:
$path = wp_guess_url() . '/wp-admin/setup-config.php';
Resulting in http://example.com/?redirect_to=/somewhere/wp-admin/setup-config.php
@
8 years ago
Regex pattern updated to correct wp-login dot issue and capture urls with query parameters. Added common urls identified earlier as unit tests. This is my first core patch, please let me know if I don't follow some convention ;)
#11
in reply to:
↑ 10
@
8 years ago
- Owner set to curdin
- Status changed from new to assigned
Assigning the ticket to mark the good-first-bug as "claimed".
Replying to curdin:
This is my first core patch, please let me know if I don't follow some convention ;)
@curdin Thanks for the patch :)
In the future you should add a file extension to the filename, e.g. 36827.diff
, this makes the patch more easily read here in Trac, e.g. you see the red and green diff highlights when viewing wp_guess_url_regex.patch but not 36827_guess_url_patch_and_test ;)
See https://make.wordpress.org/core/handbook/tutorials/trac/submitting-a-patch/
#12
follow-up:
↓ 13
@
8 years ago
Thanks for the headsup @netweb. I'll reupload with the correct file extension.
A couple of other questions - is it ok to create patches that also contain the test?
And what's the expected change to status so it may progress? I added the has-unit-tests tag (it already had has-patch) - is this useful and expected?
#13
in reply to:
↑ 12
@
8 years ago
Replying to curdin:
A couple of other questions - is it ok to create patches that also contain the test?
Yes
And what's the expected change to status so it may progress? I added the has-unit-tests tag (it already had has-patch) - is this useful and expected?
Nothing else is needed for now, someone will review the patch and add further comments if needed and update the status as needed
This ticket was mentioned in Slack in #core by sergey. View the logs.
2 years ago
#16
@
2 years ago
I took a look at the latest patch and I didn't see any issues, tests ran successfully.
I also checked the edge case mentioned in comment:8 and the patch did fix it.
This ticket was mentioned in Slack in #core by petitphp. View the logs.
2 years ago
This ticket was mentioned in Slack in #core by sergey. View the logs.
2 years ago
#19
@
2 years ago
- Owner changed from curdin to davidbaumwald
- Status changed from assigned to reviewing
#20
@
2 years ago
Thanks for the patch! 36827.patch looks OK to me in general, though it could use some cleanup:
- Changing camelCase to snake_case and resolving WPCS issues.
- Moving the test to a better place, as
tests/includes/helpers.php
is only meant for some helper functions from the test suite itself.
As we don't have a dedicated test file for wp_guess_url()
yet, and it's located in wp-includes/functions.php
, the test should probably be somewhere in tests/functions.php, perhaps after the validate_file()
test. Or we could create a new file and add some more tests :)
Testing the patch with all the cases mentioned above would be very welcome! Are they all included in the unit test?
Escapes the dot in the regex.