Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2024-06-24 05:45:02 +02:00
Code Issues Projects Releases Wiki Activity

Validate referrers to prevent off-domain redirects.

Browse Source 
Built from https://develop.svn.wordpress.org/trunk@25318


git-svn-id: http://core.svn.wordpress.org/trunk@25280 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Andrew Nacin 2013-09-10 18:07:10 +00:00
parent c8a7b53c65
commit cf3fddde96
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
wp-includes/functions.php
View File

@ -1296,7 +1296,7 @@ function wp_get_referer() {
$ref = wp_unslash( $_SERVER['HTTP_REFERER'] );
if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
return wp_unslash( $ref );
return wp_validate_redirect( $ref, false );
return false;
}
@ -1311,7 +1311,7 @@ function wp_get_referer() {
*/
function wp_get_original_referer() {
if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
return wp_validate_redirect( wp_unslash( $_REQUEST['_wp_original_http_referer'] ), false );
return false;
}

1
wp-includes/pluggable.php
View File

@ -964,6 +964,7 @@ if ( !function_exists('wp_validate_redirect') ) :
* @return string redirect-sanitized URL
**/
function wp_validate_redirect($location, $default = '') {
$location = trim( $location );
// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
if ( substr($location, 0, 2) == '//' )
$location = 'http:' . $location;