e3feb63e33
`wp-login.php` uses `wp_safe_redirect()` for all redirects, even those that do not involve unsafe data from the request or referer. When a user of a subdomain site attempts to login to a network site they do not have access to, the host in the redirect URL is treated as unsafe by `wp_safe_redirect()` as it has no immediate awareness as to which hosts are valid on the network. On a subdirectoy network, everything works as expected because the host is the same. In this specific block of `wp-login.php`, all URLs are generated by WordPress and we can use `wp_redirect()` to handle the redirects. Users authenticating via other network sites will now be redirected properly. Hosts passed via the `redirect_to` query var will continue to be handled by `wp_safe_redirect()`. Fixes #30598. git-svn-id: https://develop.svn.wordpress.org/trunk@36867 602fd350-edb4-49c9-b593-d223f7449a82 |
||
|---|---|---|
| src | ||
| tests | ||
| tools/i18n | ||
| .editorconfig | ||
| .gitignore | ||
| .jshintrc | ||
| .travis.yml | ||
| Gruntfile.js | ||
| package.json | ||
| phpunit.xml.dist | ||
| wp-cli.yml | ||
| wp-config-sample.php | ||
| wp-tests-config-sample.php | ||