Restrict schemes allowed in wp_validate_redirect()

git-svn-id: https://develop.svn.wordpress.org/trunk@13657 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Ryan Boren 2010-03-11 14:54:11 +00:00
parent ef7e0ef243
commit 182873dfaa
1 changed files with 9 additions and 0 deletions

View File

@ -984,6 +984,15 @@ function wp_validate_redirect($location, $default = '') {
$test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location; $test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location;
$lp = parse_url($test); $lp = parse_url($test);
// Give up if malformed URL
if ( false === $lp )
return $default;
// Allow only http and https schemes. No data:, etc.
if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) )
return $default;
$wpp = parse_url(home_url()); $wpp = parse_url(home_url());
$allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']), isset($lp['host']) ? $lp['host'] : ''); $allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']), isset($lp['host']) ? $lp['host'] : '');