WordPress.org

Make WordPress Core

Opened 2 weeks ago

Last modified 4 days ago

#47980 assigned defect (bug)

New wp_validate_redirect() removes domain in some circumstances.

Reported by: rconde Owned by: SergeyBiryukov
Milestone: 5.2.4 Priority: normal
Severity: critical Version: 5.2.3
Component: General Keywords: has-patch
Focuses: Cc:

Description

Last change to wp_validate_redirect() (5.2.3) breaks the redirect in some cases. I've checked on other sites that run Linux and this doesn't happen. This is happening on XAMPP for Windows.

In my case everything was working fine until the 5.2.3 update and now I get:

https://wp-login.php/?loggedout=true
https://wp-login.php/?checkemail=confirm
https://wp-login.php/?checkemail=registered

As you can see, the domain is missing.

I've found the code causing this:

https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28

Commenting out this code, everything works fine again.

I've done a clean install of WordPress 5.2.3 to check if it's something that I've modified on my end but on the clean install it's still happening.

So definitely a bug.

Attachments (1)

pluggable.php.diff (671 bytes) - added by Mat Lipe 9 days ago.
Patch the \wp-includes\pluggable.php file


Change History (17)

#1 follow-up: @whyisjake
2 weeks ago

Hi there @rconde,

Do you have any other filters/actions/plugins that are adding to those actions?

#2 follow-up: @jmmathc
2 weeks ago

Can confirm it happens on Windows when logging out. I'd say it's because dirname returns backslashes on Windows, and they're not stripped correctly.

I've temporarily patched my servers with this fix, on the line that left trims the slash from $path:

$location = '/' . ltrim( $path . '/', '/\\' ) . $location;
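
How the unstripped backslash described in comment #2 becomes the missing-domain URLs from the ticket description, as an added example that is not part of the original thread or of WordPress itself. It assumes the pre-patch trim mask was `'/'` alone and takes the dirname() results (`\` on Windows, `/` on Linux, site installed at the web root) as given inputs; `buildLocation`, `browserTarget` and `example.test` are hypothetical names.

```javascript
// Added example: models the path join discussed in this ticket and how a
// browser resolves the resulting Location value. Not WordPress code.

// Minimal stand-in for PHP ltrim($str, $mask): strip leading characters
// that appear in mask.
function ltrim(str, mask) {
  let i = 0;
  while (i < str.length && mask.includes(str[i])) i++;
  return str.slice(i);
}

// dirResult is what PHP dirname() returned for the request path (assumed
// inputs: "\\" on Windows, "/" on Linux, for a site at the web root).
function buildLocation(dirResult, relative, mask) {
  return '/' + ltrim(dirResult + '/', mask) + relative;
}

// Resolve a Location value the way a browser does (WHATWG URL parser).
// For http(s) URLs the parser treats "\" like "/", so a value starting
// with "/\" is read as protocol-relative and its next segment becomes the host.
function browserTarget(location, currentPage) {
  return new URL(location, currentPage).href;
}

const page = 'https://example.test/wp-login.php'; // constructed site URL
const rel = 'wp-login.php?loggedout=true';        // relative redirect target

const cases = [
  ['Linux,   mask "/"', '/', '/'],
  ['Windows, mask "/"', '\\', '/'],
  ['Windows, mask "/\\"', '\\', '/\\'],
];
for (const [label, dir, mask] of cases) {
  const loc = buildLocation(dir, rel, mask);
  console.log(label.padEnd(22), JSON.stringify(loc).padEnd(38), browserTarget(loc, page));
}
```
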

#3 in reply to: ↑ 1 @rconde
2 weeks ago

Replying to whyisjake:

> Hi there @rconde,
>
> Do you have any other filters/actions/plugins that are adding to those actions?

It was on a fresh install on Windows.

As @jmmathc has said, it's a bug on backslashes on Windows.

#4 @SergeyBiryukov
2 weeks ago

  • Milestone changed from Awaiting Review to 5.2.4

#5 @johnbillion
13 days ago

  • Focuses accessibility removed
  • Keywords needs-patch added
  • Version changed from trunk to 5.2.3

#6 @peterwilsoncc
13 days ago

#47995 was marked as a duplicate.

This ticket was mentioned in Slack in #forums by macmanx.


10 days ago

#8 in reply to: ↑ 2 ; follow-up: @x2l2
9 days ago

Replying to jmmathc:

> Can confirm it happens on Windows when logging out. I'd say it's because dirname returns backslashes on Windows, and they're not stripped correctly.
>
> I've temporarily patched my servers with this fix, on the line that left trims the slash from $path:
>
> $location = '/' . ltrim( $path . '/', '/\\' ) . $location;

I had the same redirect problem when trying to log in, but the server is not Windows.

I tried this change in wp-includes/pluggable.php but it doesn't work for me.


#9 in reply to: ↑ 8 @rconde
9 days ago

Try commenting this code in 'wp-includes/pluggable.php' and see if this works for you:

https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28

This is equivalent to reverting to the previous version of WP, as this is the only change pluggable.php had in the latest update.

Also, it would be nice to know what system configuration you have if it's not Windows.

@Mat Lipe
9 days ago

Patch the \wp-includes\pluggable.php file

#10 @Mat Lipe
9 days ago

  • Keywords has-patch added; needs-patch removed

I have tested against various environments and was able to recreate the issue as well as fix it with this patch.

#11 @davidbaumwald
8 days ago

#48017 was marked as a duplicate.

#12 follow-up: @Sixes
6 days ago

I am seeing the same issue on an Ubuntu server (18.04.3 LTS). The WordPress install is version 5.2.3 on a multi-site setup.

I have tried removing the section at https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28 and this makes no difference. Clearly adding a backslash to the ltrim() statement also has no effect.

In any case, does ltrim() really take three parameters? According to the php manual:

 ltrim ( string $str [, string $character_mask ] ) : string

The only other odd thing about this setup is that Fear of Landing redirects through Cloudflare.com.

Any suggestions as to how to get round this issue? Currently none of my users can log in.

Edit: Having checked further, it seems that wp_validate_redirect() is not actually being called. Also this may be a different issue as the user is (sometimes) getting:

ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.


#13 in reply to: ↑ 12 @rconde
6 days ago

Replying to Sixes:

> I am seeing the same issue on an Ubuntu server (18.04.3 LTS). The WordPress install is version 5.2.3 on a multi-site setup.
>
> I have tried removing the section at https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28 and this makes no difference. Clearly adding a backslash to the ltrim() statement also has no effect.
>
> In any case, does ltrim() really take three parameters? According to the php manual:
>
>  ltrim ( string $str [, string $character_mask ] ) : string
>
> The only other odd thing about this setup is that Fear of Landing redirects through Cloudflare.com.
>
> Any suggestions as to how to get round this issue? Currently none of my users can log in.
>
> Edit: Having checked further, it seems that wp_validate_redirect() is not actually being called. Also this may be a different issue as the user is (sometimes) getting:
>
> ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.

This seems unrelated to this ticket. Fortunately you have mentioned Cloudflare...

I can tell you what is happening:

wp-login.php creates the PHP cookie 'wordpress_test_cookie' when you access this page.

So I guess that you have configured Cloudflare incorrectly, so when you access wp-login.php you are getting a cached page from Cloudflare, not from your server, hence your server is not creating any cookie because the request is not getting the page from your server but from Cloudflare.

Try setting Cloudflare development mode ON and try to log in and see if the problem persists. Please set the development mode ON, wait at least 1 minute, reload wp-login.php and try.

If this fixes the problem, it's your Cloudflare config, not WordPress.

Then the fix for you is to create a page rule in Cloudflare under 'Page Rules' -> Create page rule -> in the URL field insert https://fearoflanding.com/*.php* and then click add a setting and select 'Cache level' -> Bypass and save and deploy.

Hope this fixes your problem.

#14 @Sixes
6 days ago

Thank you so much for that response @rconde, it was very helpful.

However it doesn't seem to have fixed the problem. I have now turned on development mode and cleared the Cloudflare cache. I'm still getting the same issue.

Digging a little further using curl, I find that WordPress appears to be setting a slew of cookies on login but these all have the domain .blog.me.uk which is the "parent" domain for the WordPress install. For example:

set-cookie: wordpress_test_cookie=WP+Cookie+check; path=/; domain=.blog.me.uk; secure

As I understand it, this cookie will not be sent back whilst accessing the https://fearoflanding.com domain. I assume it is the lack of this cookie (or one of the other cookies with the same domain) that is causing the issue.

Any more ideas? I really appreciate the help.

#15 @Sixes
6 days ago

Well, oddly just uncommenting the line define( 'SUNRISE', 'on' ); in wp-config.php solved the problem. The cookies now all have the correct domain.

I have no idea why.

Thanks again @rconde for the advice.

#16 @SergeyBiryukov
4 days ago

#48042 was marked as a duplicate.
