From ec30770c506f005f0b621d85c3cd41e0832d3014 Mon Sep 17 00:00:00 2001 From: "Aaron D. Campbell" Date: Mon, 6 Mar 2017 13:37:43 +0000 Subject: [PATCH] Strip control characters before validating redirect. git-svn-id: https://develop.svn.wordpress.org/trunk@40183 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/pluggable.php | 2 +- tests/phpunit/tests/formatting/redirect.php | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php index 3e6fbe14d6..0de6b0cc78 100644 --- a/src/wp-includes/pluggable.php +++ b/src/wp-includes/pluggable.php @@ -1293,7 +1293,7 @@ if ( !function_exists('wp_validate_redirect') ) : * @return string redirect-sanitized URL **/ function wp_validate_redirect($location, $default = '') { - $location = trim( $location ); + $location = trim( $location, " \t\n\r\0\x08\x0B" ); // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//' if ( substr($location, 0, 2) == '//' ) $location = 'http:' . $location; diff --git a/tests/phpunit/tests/formatting/redirect.php b/tests/phpunit/tests/formatting/redirect.php index 8628bbf282..dee7d4d9da 100644 --- a/tests/phpunit/tests/formatting/redirect.php +++ b/tests/phpunit/tests/formatting/redirect.php @@ -59,6 +59,8 @@ class Tests_Formatting_Redirect extends WP_UnitTestCase { array( 'http://user@example.com/', 'http://user@example.com/' ), array( 'http://user:@example.com/', 'http://user:@example.com/' ), array( 'http://user:pass@example.com/', 'http://user:pass@example.com/' ), + array( " \t\n\r\0\x08\x0Bhttp://example.com", 'http://example.com' ), + array( " \t\n\r\0\x08\x0B//example.com", 'http://example.com' ), ); } @@ -71,6 +73,10 @@ class Tests_Formatting_Redirect extends WP_UnitTestCase { // non-safelisted domain array( 'http://non-safelisted.example/' ), + // non-safelisted domain (leading whitespace) + array( " \t\n\r\0\x08\x0Bhttp://non-safelisted.example.com" ), + array( " \t\n\r\0\x08\x0B//non-safelisted.example.com" ), + // unsupported schemes array( 'data:text/plain;charset=utf-8,Hello%20World!' ), array( 'file:///etc/passwd' ),