Make WordPress Core

Opened 6 months ago

Last modified 5 months ago

#63896 new defect (bug)

is_login() will trigger on non-login pages

Reported by: govpress
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.8.2
Component: Login and Registration
Keywords:
Focuses:
Cc:

Description

The test for is_login() will falsely issue "true" in two circumstances we've observed.

1) the root page "/"
2) any page request that matches a part of the URL that follows a "/"

E.g., in this example a request for "/d" is a login page, but "/d/" is not.

php > $url = "https://documents.example.com/wp-login.php";
php > echo stripos($url, "/");
6
php > echo stripos($url, "/documents");
7
php > echo stripos($url, "/doc");
7
php > echo stripos($url, "/d");
7
php > echo stripos($url, "/d/");
php > echo stripos($url, "/wp-login.php");
29
php > echo stripos($url, "/w");
29
php > echo stripos($url, "/xxx");
php > 

Attachments (1)

63896.patch (521 bytes) - added by rishabhwp 6 months ago.

Change History (3)

#1 @govpress
6 months ago

I should note that this is on a server running nginx + fastcgi php-fpm with the parameter

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;

where the value of $_SERVER['SCRIPT_NAME'] will usually be the path of the requested URL, not /index.php.

$_SERVER['SCRIPT_NAME'] = /
$_SERVER['SCRIPT_FILENAME'] = /var/www/html/index.php
Last edited 6 months ago by govpress
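
The substring behaviour from the description, run against constructed SCRIPT_NAME values and set beside an exact-path comparison. This is an added example, not part of the ticket, the attached patch or WordPress core; the function names are hypothetical, and it assumes the check is a stripos() test of the login URL against SCRIPT_NAME, as the session in the description suggests.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.

// Substring test as exercised in the ticket's session: true whenever
// SCRIPT_NAME occurs anywhere inside the login URL.
function loose_is_login(string $login_url, string $script_name): bool {
    return false !== stripos($login_url, $script_name);
}

// One possible stricter comparison: SCRIPT_NAME must equal the whole path
// component of the login URL (case-insensitive, like stripos above).
function strict_is_login(string $login_url, string $script_name): bool {
    $login_path = parse_url($login_url, PHP_URL_PATH);
    if (!is_string($login_path) || '' === $script_name) {
        return false;
    }
    return 0 === strcasecmp($login_path, $script_name);
}

// Constructed sample values, using the host name from the ticket.
$login_url = 'https://documents.example.com/wp-login.php';
$samples   = ['/', '/d', '/d/', '/doc', '/documents', '/w', '/xxx', '/wp-login.php'];

foreach ($samples as $script_name) {
    printf(
        "%-15s loose=%-5s strict=%s\n",
        $script_name,
        var_export(loose_is_login($login_url, $script_name), true),
        var_export(strict_is_login($login_url, $script_name), true)
    );
}
```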

@rishabhwp
6 months ago

#2 @sabernhardt
5 months ago

  • Component changed from General to Login and Registration