From e3feb63e333c5486aa4144000246dcedfdb14fc4 Mon Sep 17 00:00:00 2001
From: Jeremy Felt
Date: Sun, 6 Mar 2016 03:05:46 +0000
Subject: [PATCH] Multisite: Handle redirect to a user's subdomain properly during login `wp-login.php` uses `wp_safe_redirect()` for all redirects, even those that do not involve unsafe data from the request or referer. When a user of a subdomain site attempts to login to a network site they do not have access to, the host in the redirect URL is treated as unsafe by `wp_safe_redirect()` as it has no immediate awareness as to which hosts are valid on the network. On a subdirectoy network, everything works as expected because the host is the same. In this specific block of `wp-login.php`, all URLs are generated by WordPress and we can use `wp_redirect()` to handle the redirects. Users authenticating via other network sites will now be redirected properly. Hosts passed via the `redirect_to` query var will continue to be handled by `wp_safe_redirect()`. Fixes #30598.
git-svn-id: https://develop.svn.wordpress.org/trunk@36867 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-login.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/wp-login.php b/src/wp-login.php
index 64852134da..ed3878c293 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -830,6 +830,9 @@ default:
 $redirect_to = get_dashboard_url( $user->ID );
 elseif ( !$user->has_cap('edit_posts') )
 $redirect_to = $user->has_cap( 'read' ) ? admin_url( 'profile.php' ) : home_url();
+
+ wp_redirect( $redirect_to );
+ exit();
 }
 wp_safe_redirect($redirect_to);
 exit();
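Review bot: The added `wp_redirect( $redirect_to );` runs at the end of the block whether or not one of the `elseif` branches reassigned `$redirect_to`, so when no branch matches, the incoming value is sent without the host validation that `wp_safe_redirect()` applied before. The enclosing `if` starts outside this hunk, so the claim that every URL here is WordPress-generated rests on a condition that is not visible; if that condition ever admits a request-derived value, this becomes an open redirect on the login path. I would state the invariant at the call site, for example `// $redirect_to is empty or a WordPress-generated URL here (see enclosing condition); host validation is skipped on purpose so subdomain sites on the network resolve.` It is also worth confirming that an empty `$redirect_to` cannot reach this call, since the unconditional `exit();` that follows would end the request whether or not a redirect was actually sent.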