Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 18 months ago

#5114 closed enhancement (fixed)

wp_safe_redirect() case sensitive for hostnames

Reported by: BoltClock
Owned by:
Milestone: 2.3.1
Priority: normal
Severity: normal
Version: 2.3
Component: General
Keywords: has-patch needs-testing
Focuses:
Cc:
PR Number:

Description

For instance, when I enter a post password, no matter whether it was correct, I get redirected to my wp-admin folder instead of the form's page. I had set my hostname to contain uppercase letters as an experiment.

Exploring the source code made it apparent that the check in wp_safe_redirect() is case sensitive, i.e. hostname http://www.EXAMPLE.com does not match http://www.example.com.

Attachments (3)

pluggable.php.diff (665 bytes) - added by BoltClock 12 years ago.
5114.2.diff (640 bytes) - added by markjaquith 12 years ago.
5114.3.diff (594 bytes) - added by markjaquith 12 years ago.

Change History (13)

#1 @BoltClock
12 years ago

  • Type changed from defect to enhancement

#2 @BoltClock
12 years ago

  • Keywords 2nd-opinion needs-testing added; dev-feedback removed

#3 @westi
12 years ago

  • Keywords has-patch added; 2nd-opinion removed

#4 @markjaquith
12 years ago

  • Milestone changed from 2.3.1 to 2.4

5114.2.diff adds a strtolower()'d version of the host into the allowed_hosts array. So you can match by being lowercase or by matching exactly. Milestone of 2.4 before 2.3.1

#5 @markjaquith
12 years ago

5114.3.diff only does the strtolower() if the raw version doesn't match.
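
As an added illustration (not the ticket's patch or WordPress code), the two comparisons in PHP: the byte-for-byte host check the report describes, and a version with the lowercase fallback that comment #5 describes. The function names and sample URLs are made up for this example, and the reporter's mixed-case home host is assumed as the allow-list entry.

```php
<?php
// Added illustration of the host check discussed in #5114; not the WordPress
// patch itself. Function names and sample URLs are invented for this example.

// The allow-list is derived from the site's configured home URL, which in the
// report deliberately contains uppercase letters (assumed value).
$allowed_hosts = array( 'www.EXAMPLE.com' );

// Extract the host part of a redirect target.
// Returns null for a relative URL (nothing to check) and false for a URL
// that parse_url() cannot parse at all.
function redirect_target_host( $location ) {
    return parse_url( $location, PHP_URL_HOST );
}

// Before the fix: the target host is compared byte-for-byte with the
// allow-list, so a host that differs only in letter case is treated as
// foreign and the user is sent to wp-admin instead of the form's page.
function host_allowed_case_sensitive( $location, array $allowed_hosts ) {
    $host = redirect_target_host( $location );
    if ( $host === false ) {
        return false; // unparseable URL: refuse rather than guess
    }
    if ( $host === null ) {
        return true;  // relative redirect stays on this site
    }
    return in_array( $host, $allowed_hosts, true );
}

// After the fix, following comment #5: accept an exact match first and only
// then fall back to a lowercase comparison. DNS names are case-insensitive
// (RFC 3986 section 3.2.2), so both sides are normalised before comparing.
function host_allowed_fixed( $location, array $allowed_hosts ) {
    $host = redirect_target_host( $location );
    if ( $host === false ) {
        return false;
    }
    if ( $host === null || in_array( $host, $allowed_hosts, true ) ) {
        return true;
    }
    $lowered = array_map( 'strtolower', $allowed_hosts );
    return in_array( strtolower( $host ), $lowered, true );
}

// Constructed inputs: the site's own page with the host as a browser sends it
// (lowercase), and an unrelated host that both versions must still reject.
$same_site = 'http://www.example.com/?p=12';
$elsewhere = 'http://www.other-site.test/';

var_dump( host_allowed_case_sensitive( $same_site, $allowed_hosts ) ); // the reporter's scenario
var_dump( host_allowed_fixed( $same_site, $allowed_hosts ) );
var_dump( host_allowed_fixed( $elsewhere, $allowed_hosts ) );
```

The first call is the reported mismatch; the second shows the same target passing once case is normalised, and the third shows that normalisation does not widen the allow-list to other hosts.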

#6 @markjaquith
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [6219]) check for a match against a lowercase host in wp_safe_redirect(). props BoltClock. fixes #5114 for trunk

#7 @markjaquith
12 years ago

  • Milestone changed from 2.4 to 2.3.1
  • Resolution fixed deleted
  • Status changed from closed to reopened

#8 @markjaquith
12 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [6220]) check for a match against a lowercase host in wp_safe_redirect(). props BoltClock. fixes #5114 for 2.3.1

#9 @jorbin
4 years ago

In 36445:

Revert [35792]

This causes a regression and causes redirects to potentially fail.

See #5114 #34028
props ocean90

This ticket was mentioned in Slack in #mobile by suhankoh.

18 months ago
