From 27e29666a8737a652092e3f32f1f2cdac563e7ac Mon Sep 17 00:00:00 2001
From: Jeremy Felt
Date: Sun, 6 Mar 2016 03:06:29 +0000
Subject: [PATCH] Multisite: Handle redirect to a user's subdomain properly during login

`wp-login.php` uses `wp_safe_redirect()` for all redirects, even those that do not involve unsafe data from the request or referer. When a user of a subdomain site attempts to login to a network site they do not have access to, the host in the redirect URL is treated as unsafe by `wp_safe_redirect()` as it has no immediate awareness as to which hosts are valid on the network. On a subdirectoy network, everything works as expected because the host is the same. In this specific block of `wp-login.php`, all URLs are generated by WordPress and we can use `wp_redirect()` to handle the redirects. Users authenticating via other network sites will now be redirected properly. Hosts passed via the `redirect_to` query var will continue to be handled by `wp_safe_redirect()`.

Fixes #30598.

Built from https://develop.svn.wordpress.org/trunk@36867

git-svn-id: http://core.svn.wordpress.org/trunk@36834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/version.php | 2 +-
 wp-login.php | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/wp-includes/version.php b/wp-includes/version.php
index 06dbaebb30..57ec67ef72 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.5-beta2-36866';
+$wp_version = '4.5-beta2-36867';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-login.php b/wp-login.php
index 64852134da..ed3878c293 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -830,6 +830,9 @@ default:
 $redirect_to = get_dashboard_url( $user->ID );
 elseif ( !$user->has_cap('edit_posts') )
 $redirect_to = $user->has_cap( 'read' ) ? admin_url( 'profile.php' ) : home_url();
+
+wp_redirect( $redirect_to );
+exit();
 }
 wp_safe_redirect($redirect_to);
 exit();
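Review bot: The added `wp_redirect( $redirect_to )` gives up the host allowlist that `wp_safe_redirect()` enforces, and the `elseif` chain visible in the hunk has no final `else`, so on the path where neither visible branch assigns `$redirect_to` the value it already held on entry is redirected to without any check. The guard that decides which values reach this block, and the opening of the enclosing `if`, are above the hunk, so the hunk alone does not show that `$redirect_to` is always WordPress-generated here; the commit message asserts it, but the code should say so too, or a later edit to that guard could quietly turn this into an unvalidated redirect. A comment before the new call would pin the invariant: `// $redirect_to is always built by WordPress in this block (never taken from the request), so the host check in wp_safe_redirect() is not needed here.` An alternative that keeps a single validated exit point is to leave the `wp_safe_redirect()` call below in place and extend its allowed hosts for network sites through the `allowed_redirect_hosts` filter; that is a design choice rather than a defect in the patch.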