Make WordPress Core

Opened 14 years ago

Closed 13 years ago

#7270 closed defect (bug) (worksforme)

tilde character encoded by mod_proxy creates a redirect loop on login

Reported by: hopson
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.5.1
Component: Administration
Keywords: has-patch tested dev-feedback
Focuses:
Cc:

Description

When unix user accounts are frontended by Apache+mod_proxy, the tilde character (~) is encoded as %7E. RFC 2396 states that it does not need to be encoded, and Apache 2.3 has fixed this:

http://svn.apache.org/repos/asf/httpd/httpd/trunk/CHANGES

In wp-includes/pluggable.php, function auth_redirect (line 612 in WordPress 2.5.1):

wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));

creates a redirect loop, because REQUEST_URI already contains the decoded %7E, so it is double-encoded, and then fails the path check (against wp_settings('home'); I believe).

The attached patch (for WordPress 2.5.1) adds a call to urldecode() before urlencode(), to turn the %7E back into tilde.

Attachments (3)

tilde-encoding.patch (462 bytes) - added by hopson 14 years ago.
7270.diff (527 bytes) - added by jacobsantos 14 years ago.
Patch for fix in the comments.
7270.2.diff (638 bytes) - added by bryanmaupin 11 years ago.
I've had this issue with every version of WordPress. This patch is for WordPress 3.0.6 r17715.


Change History (11)

#1 @hopson
14 years ago

  • Keywords has-patch added
  • Milestone 2.7 deleted
  • Version set to 2.5.1

#2 @matt
14 years ago

  • Milestone set to 2.7

#3 @dougieha
14 years ago

  • Cc dougieha@… added

It seems that the tilde character causes all sorts of problems. See this link: http://www.wwco.com/~wls/blog/2006/11/19/wordpress-tilde-hack-for-home-directories/

I was encountering a problem that I believe is related to this one. I'm using WP 2.6.2 and every time I start to edit a new post, go to add an image, and click on either the "Gallery" or "Media Library" tabs, I was redirected to the wp-login page. Upon attempting to log in (which I was already), I get stuck in the redirect loop. Based on a careful examination of the links to the two tabs, it looks like the tilde is being double-escaped. By adding this line:

$_SERVER['REQUEST_URI'] = preg_replace( "/%7[Ee]/", "~", $_SERVER['REQUEST_URI'] );

to wp-settings.php (around line 57, before the IIS fixes), I was able to solve my problems. Since wp-includes/pluggable.php has changed quite a bit since 2.5.1 (which is what the current patch is for), I hope this helps to provide a solution for newer versions.
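The double-encoding described in the ticket and the two proposed normalisations side by side, as an added example that is not part of the ticket or of WordPress. The host, user and paths are constructed, and under_home() is a hypothetical stand-in for the path check the reporter mentions.

```php
<?php
// Added illustration; not WordPress code. Host, user and paths are constructed.

// Login redirect as quoted in the ticket: the request URI becomes a query value.
function build_login_url(string $siteurl, string $request_uri): string {
    return $siteurl . '/wp-login.php?redirect_to=' . urlencode($request_uri);
}

// Value the login page receives once PHP has decoded the query string.
function redirect_target(string $login_url): string {
    parse_str((string) parse_url($login_url, PHP_URL_QUERY), $query);
    return $query['redirect_to'] ?? '';
}

// Hypothetical stand-in for the path check the reporter mentions.
function under_home(string $target, string $home_path): bool {
    return strncmp($target, $home_path, strlen($home_path)) === 0;
}

// Comment #3: undo only the tilde escape, leave every other escape alone.
function normalize_tilde(string $uri): string {
    return preg_replace('/%7e/i', '~', $uri) ?? $uri;
}

$siteurl = 'http://example.test/~user';            // constructed
$home    = '/~user/';                              // constructed
$proxied = '/%7Euser/wp-admin/edit.php?s=a%26b';   // tilde escaped by the proxy

$cases = [
    'unmodified'        => $proxied,
    'tilde only (#3)'   => normalize_tilde($proxied),
    'urldecode (patch)' => urldecode($proxied),
];

foreach ($cases as $label => $uri) {
    $url    = build_login_url($siteurl, $uri);
    $target = redirect_target($url);
    printf("%-18s %s\n  target=%s under_home=%s\n",
        $label, $url, $target, under_home($target, $home) ? 'yes' : 'no');
}
```

In the unmodified case the query value carries %257E, so the decoded target still contains %7E and no longer matches the home path. Decoding the whole URI also fixes the tilde, but it turns the %26 in the sample query into a literal &, which changes what the redirect target means; the tilde-only replacement leaves it intact.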

@jacobsantos
14 years ago

Patch for fix in the comments.

#4 @jacobsantos
14 years ago

  • Keywords needs-testing dev-feedback added

Patch from dougieha in better placement in wp-settings.

#5 follow-up: @markjaquith
13 years ago

  • Milestone 2.7 deleted
  • Resolution set to worksforme
  • Status changed from new to closed

I cannot reproduce in WP 2.7.

I placed this in my wp-config.php to simulate the Apache issue:

$_SERVER['REQUEST_URI'] = str_replace('~', '%7E', $_SERVER['REQUEST_URI']);

#6 in reply to: ↑ 5 @dougieha
13 years ago

  • Resolution worksforme deleted
  • Status changed from closed to reopened

Replying to markjaquith:

> I cannot reproduce in WP 2.7.
>
> I placed this in my wp-config.php to simulate the Apache issue:
>
> $_SERVER['REQUEST_URI'] = str_replace('~', '%7E', $_SERVER['REQUEST_URI']);

Hmmm...I can still reproduce in WP 2.7 (2.7-RC1-10119). For example, I just went to fix the time setting on the General settings page (to correct the wrong DST time), and WP prompted me for my admin username and password (even though I was already logged in). Upon entering the correct information, I was redirected back to the same login page in an endless loop.

By adding the patch from jacobsantos and then doing the same thing, the setting was saved right away, without any prompt for the login page. I've verified this several times, by adding and removing the patch. Without, I get the login page and get stuck in a redirect loop; with the patch, it works fine.

#7 @Denis-de-Bernardy
13 years ago

  • Keywords tested added; needs-testing removed
  • Milestone set to 2.8

Well, the patch works. But I wasn't able to actually reproduce on my Mac either...

#8 @Denis-de-Bernardy
13 years ago

  • Milestone 2.8 deleted
  • Resolution set to worksforme
  • Status changed from reopened to closed

Please re-open with a step-by-step test case.

@bryanmaupin
11 years ago

I've had this issue with every version of WordPress. This patch is for WordPress 3.0.6 r17715.
