Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#41766 closed defect (bug) (invalid)

Infinite redirection loop on accessing wp-admin/user/

Reported by: Butuzov Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.1
Component: Users Keywords:
Focuses: administration, multisite Cc:


Infinite redirection loop on accessing wp-admin/user/

I am having a highly customized WP Multisite Network Installation and different kinds of limited users. Today I got report about person that stuck in Infinite Redirection Loop while trying to access to URL https://domain.com/cms/wp-admin/user/

After future research, I stuck into a problem in wp-admin/user/admin.php on line 29.

wp_redirect( user_admin_url() );

Based on the logic of this it's going and redirecting the user back to the same spot. And here we got a problem.

Is it a copy/paste that end up in release code unchecked?

Affected User:

Has limited capabilities (can be listed on request)

How that Happened?:

Password Retrieved, Login Process, Infinite Redirection Loop.

Version: 4.8.1

Custom Multisite Install: (With Subdomains and sub directories installs same time).

Previously installed: 4.6.1

Attachments (1)

patch.diff (522 bytes) - added by Butuzov 4 years ago.

Download all attachments as: .zip

Change History (10)

4 years ago


#1 @SergeyBiryukov
4 years ago

  • Component changed from Administration to Users

#2 @Butuzov
4 years ago

Not sure is patch in the correct format. Installation is located in cms/ directory and I have removed that part of the patch file, however, there are two hashes and I am not sure is it really matters.

#3 @SergeyBiryukov
4 years ago

  • Version changed from 4.8.1 to 3.1

Introduced in [15746], modified in [17668].

Since this is a first report in 7 years, it looks like there's a plugin doing something wrong with either user_admin_url or redirect_user_admin_request filter.

Last edited 4 years ago by SergeyBiryukov (previous) (diff)

#4 @SergeyBiryukov
4 years ago

Could not reproduce the issue on a clean install. When visiting wp-admin/user/ on one of the sites in a network, the code properly redirects to the main network site.

#5 @Butuzov
4 years ago

I will try to reproduce it myself on clean install as soon as I will have time, and compare all settings while it happening.

both filters not used not used in my system, however, it's possible that I am unluckily stuck into the combination of different factors.

#6 @danieltj
4 years ago

I tried this on a clean install and didn't get a redirect loop. A third party is causing this error for sure.

#7 @danieltj
4 years ago

  • Keywords reporter-feedback added

#8 @Butuzov
4 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Thank you so much for testing of what I called "a bug". I also have a chance to test all of my assumptions in "clean install test". I was able to reproduce "bug" (in quotes because now I am not sure this is a bug at all after test case...).

Steps to repeat "bug":

1) Create cms directory in server root.
2) Create wp-config.php (or copy) with default install values (DB_* constants and AUTH salts contacts).
3) Move WordPress code into cms directory.
4) Proceed to install. At this step, we have a normal WordPress install in the custom directory.
5) Change Site Adress URL in Settings->General->Site Address (URL) to point to server home directory (https://example.org), while WP Adress will point to https://example.org/cms/

7) Prepare to Multidomain install. Add WP_ALLOW_MULTISITE to wp-config.php and setup wildcard domain .

define('WP_ALLOW_MULTISITE', true);

8) Open Tools->Network Setup and Pick "Sub-domains", then proceed to "Install".
9) Copy Contants to wp-config.php (except PATH_CURRENT_SITE and SUBDOMAIN_INSTALL)

Now I am able to log example.org/cms/wp-admin and use example.org. But because $current_blog->path isn't same as $current_site->path (1st is '/' and 2nd one is '/cms/'), it's impossible to use user admin and network admin without infinite redirection loop. I still struggling to understand a meaning of redirection to network_admin_url() and user_admin_url() in (network|user)/admin.php but I guess, it's my messed up settings brought a problem I am describing.


1) None of .htaccess contents isn't copied, so we can't disclose wp-admin directory to attackers (ones that trying to break-in backend using dictionaries ).

2) Defining PATH_CURRENT_SITE to '/' require also rewrite rules, from note 1

3) Constants PATH_CURRENT_SITE and SUBDOMAIN_INSTALL are defined in wp-config later based on requested domain (some of the websites are allowed to be installed in "sub-directories")

I am really sorry for your wasted time and hope never repeat myself on "false bug reporting" again. In anycase thank you for your time.

#9 @netweb
4 years ago

  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
Note: See TracTickets for help on using tickets.