Make WordPress Core

Opened 7 years ago

Closed 6 years ago

#43745 closed defect (bug) (fixed)

(Yet another ;-) Redirect loop with encoded query keys

Reported by: wrwrwr0's profile wrwrwr0 Owned by: pento's profile pento
Milestone: 5.2 Priority: normal
Severity: minor Version: 5.1
Component: Canonical Keywords: has-patch has-unit-tests
Focuses: Cc:

Description

Some live examples:

https://news.microsoft.com/?%C2%A2
https://newsroom.fb.com/?%C2%A2
https://www.thewaltdisneycompany.com/?%C2%A2

(At the time of writing these show "page isn't redirecting properly" / "redirected you too many times" notice.)

To reproduce on a fresh install set some permalink structure and put a static page on front, for convenience:

wp rewrite structure '/%year%/%monthnum%/%postname%/'
wp option update show_on_front page
wp option update page_on_front 2

Observe a 301 with the location exactly matching the request:

curl -I http://test.local/?%C2%A2

(Query with any character in a key matching the first regex in
wp_sanitize_redirect().)

redirect_canonical() is hooked by default to template_redirect. Under some circumstances $redirect_url can be set to more or less the same as $requested_url in the somewhat lengthy "is 404" conditional. The code that readds additional query args, around line 360 of the function, uses rawurlencode_deep(), which leaves keys unencoded. In consequence, $requested_url and $redirect_url around line 490 may differ only in query encoding. Further, wp_sanitize_request(), applied after the chained redirects check, reencodes some multibyte characters.

Attachments (1)

43745.diff (1.4 KB) - added by soulseekah 7 years ago.
fix + tests

Download all attachments as: .zip

Change History (11)

@soulseekah
7 years ago

fix + tests

#1 @soulseekah
7 years ago

  • Keywords has-patch has-unit-tests added

Welcome to Trac!

Thanks for your detailed explanation and the steps to reproduce.

43745.diff contains a fix and a test.

#2 @SergeyBiryukov
7 years ago

  • Milestone changed from Awaiting Review to 5.0
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#3 @SergeyBiryukov
6 years ago

  • Milestone changed from 5.0 to 5.0.1

#4 @pento
6 years ago

  • Milestone changed from 5.0.1 to 5.0.2

#5 @pento
6 years ago

  • Milestone changed from 5.0.2 to 5.0.3

This ticket was mentioned in Slack in #core by audrasjb. View the logs.


6 years ago

#7 @audrasjb
6 years ago

  • Milestone changed from 5.0.3 to 5.1

Hi,

Per today's bug scrub, let's address this ticket in the next major, 5.1, scheduled in February.

#8 @pento
6 years ago

  • Milestone changed from 5.1 to 5.2

Bumping to 5.2, as this needs review, testing, and soak time.

#9 @pento
6 years ago

  • Owner changed from SergeyBiryukov to pento
  • Status changed from reviewing to accepted

#10 @pento
6 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 45133:

Canonical: Ensure redirect query keys are URL encoded.

This prevents an infinite redirect loop when a request containing URL-encoded characters triggers is_404().

Props soulseekah, wrwrwr0.
Fixes #43745.

Note: See TracTickets for help on using tickets.