Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#55336 new defect (bug)

Query strings with reserved characters get wrongly redirected to encoded variant at the root level.

Reported by: madstegge
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: General
Keywords: 2nd-opinion needs-testing has-testing-info
Focuses:
Cc:

Description

The asterisk ("*", ASCII 2A hex) and exclamation mark ("!", ASCII 21 hex) are reserved for use as having special significance within specific schemes. Source: https://www.w3.org/Addressing/URL/4_URI_Recommentations.html

More here: https://developers.google.com/maps/url-encoding

WordPress, however, redirects to a URI encoded variant when the query string at the root level contains these reserved characters.

So, https://wordpress.org/plugins/?test=123*456 doesn't redirect.

While https://wordpress.org/?test=123*456 redirects to https://wordpress.org/?test=123%2A456.

This is quite problematic for all WordPress sites that use, for example, Google Analytics 4 (GA4) cross-domain tracking. GA4 relies on a query string containing asterisks. Source: https://support.google.com/analytics/answer/10071811?hl=en

Change History (4)

#1 in reply to: ↑ description ; follow-up: @SergeyBiryukov
2 years ago

Hi there, welcome to WordPress Trac! Thanks for the report.

Replying to madstegge:

> WordPress, however, redirects to a URI encoded variant when the query string at the root level contains these reserved characters.
>
> So, https://wordpress.org/plugins/?test=123*456 doesn't redirect.
>
> While https://wordpress.org/?test=123*456 redirects to https://wordpress.org/?test=123%2A456.

I could not reproduce the issue on a clean install. Testing with some other sites like https://ma.tt/?test=123*456, they don't redirect either.

WordPress.org does indeed redirect as noted, but I think that might be something specific to that particular network.

#2 in reply to: ↑ 1 @madstegge
2 years ago

Replying to SergeyBiryukov:

> I could not reproduce the issue on a clean install. Testing with some other sites like https://ma.tt/?test=123*456, they don't redirect either.
>
> WordPress.org does indeed redirect as noted, but I think that might be something specific to that particular network.

That's interesting. All WordPress sites that I know of present this behavior. But it might be caused by a widespread plugin then. I'm not a developer, so can't give any more details about the affected configurations.

#3 @madstegge
2 years ago

The good news is that Google Analytics seems to handle the encoded query string correctly after all. But it might cause difficulties for other applications...

#4 @costdev
2 years ago

  • Keywords 2nd-opinion needs-testing has-testing-info added
  • Version trunk deleted

Removing trunk as this has existed since before the 6.0 release cycle.

I can reproduce this on one site, and not on another. I've compared the plugins/themes/permalink settings and there's no difference that should have any impact on URLs/query strings. Both sites have existed for at least two years and both are currently running 5.9.3.

If I find out more, I'll post it. Until then, if others can reproduce this and try to track down the cause, that would be great.

Reproduction steps:

  1. Visit http://yoursite.com/?test=123*456

If the asterisk is converted to %2A, the issue was reproduced.

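The reproduction check from comment #4, as an added example that is not part of the ticket or of WordPress: given the URL that was requested and the `Location` header that came back, it reports whether the redirect only percent-encoded characters in the query string and which ones. The function names and the `example.test` URLs are assumptions made for illustration; the `wordpress.org` pair is the one quoted in the description.

```python
import re
from urllib.parse import urlsplit

# One token per query byte: either a %XX escape or a literal character.
_TOKEN = re.compile(r"%([0-9A-Fa-f]{2})|(.)", re.S)


def _tokens(query: str) -> list[tuple[int, bool]]:
    """Split a query string into (byte value, was_percent_encoded) pairs."""
    out = []
    for m in _TOKEN.finditer(query):
        if m.group(1):
            out.append((int(m.group(1), 16), True))
        else:
            out.extend((b, False) for b in m.group(2).encode("utf-8"))
    return out


def classify_redirect(requested: str, location: str) -> tuple[str, list[str]]:
    """Compare a requested URL with the Location header of the response.

    Returns (verdict, chars) where verdict is one of:
      "identical"     - Location equals the requested URL
      "encoding-only" - same URL; only the percent-encoding of the query differs
      "different"     - scheme, host, path, fragment or decoded query differ
    chars lists the characters that were literal in the request and
    percent-encoded in the Location header.
    """
    if requested == location:
        return "identical", []
    req, loc = urlsplit(requested), urlsplit(location)
    same_target = (req.scheme, req.netloc, req.path or "/", req.fragment) == \
                  (loc.scheme, loc.netloc, loc.path or "/", loc.fragment)
    rt, lt = _tokens(req.query), _tokens(loc.query)
    if not same_target or [b for b, _ in rt] != [b for b, _ in lt]:
        return "different", []
    changed = sorted({chr(b) for (b, e1), (_, e2) in zip(rt, lt) if not e1 and e2})
    return "encoding-only", changed


if __name__ == "__main__":
    # URL pair quoted in the ticket description.
    print(classify_redirect("https://wordpress.org/?test=123*456",
                            "https://wordpress.org/?test=123%2A456"))
```
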