From 5182bb6ff0fdfdd016429eb6be333bb0f5797bf0 Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Wed, 4 Sep 2019 17:12:11 +0000 Subject: [PATCH] Improve URL validation in `wp_validate_redirect()`. Merges [45971] to the 4.4 branch. Props vortfu, whyisjake, peterwilsoncc. git-svn-id: https://develop.svn.wordpress.org/branches/4.4@45981 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/pluggable.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php index 7a4244aba5..86d7b731a8 100644 --- a/src/wp-includes/pluggable.php +++ b/src/wp-includes/pluggable.php @@ -1340,6 +1340,14 @@ function wp_validate_redirect($location, $default = '') { if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) ) return $default; + if ( ! isset( $lp['host'] ) && ! empty( $lp['path'] ) && '/' !== $lp['path'][0] ) { + $path = ''; + if ( ! empty( $_SERVER['REQUEST_URI'] ) ) { + $path = dirname( parse_url( 'http://placeholder' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ) . '?' ); + } + $location = '/' . ltrim( $path . '/', '/' ) . $location; + } + // Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field. if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) { return $default;