Posts, Post Types: Explicitly pass a redirect URL for the post permalink when submitting the post password form.

This allows the subsequent redirect to behave as expected if a site is using a strict referrer policy on the front end which prevents the full referrer from being sent. Props zodiac1978, yogeshbhutkar, hbhalodia, mukesh27. Fixes #62881 Built from https://develop.svn.wordpress.org/trunk@59753 git-svn-id: http://core.svn.wordpress.org/trunk@59095 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2025-03-11 22:29:48 +01:00 · 2025-02-03 16:55:23 +00:00 · 2025-02-03 16:55:23 +00:00 · ec037b17fa
commit ec037b17fa
parent b39c7d7b4b
3 changed files with 17 additions and 8 deletions
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@ -1780,6 +1780,7 @@ function get_the_password_form( $post = 0 ) {
 	$invalid_password_html = '';
 	$aria                  = '';
 	$class                 = '';
+	$redirect_field        = '';

 	// If the referrer is the same as the current request, the user has entered an invalid password.
 	if ( ! empty( $post->ID ) && wp_get_raw_referer() === get_permalink( $post->ID ) && isset( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] ) ) {
@ -1798,7 +1799,14 @@ function get_the_password_form( $post = 0 ) {
 		$class                 = ' password-form-error';
 	}

-	$output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" class="post-password-form' . $class . '" method="post">' . $invalid_password_html . '
+	if ( ! empty( $post->ID ) ) {
+		$redirect_field = sprintf(
+			'<input type="hidden" name="redirect_to" value="%s" />',
+			esc_attr( get_permalink( $post->ID ) )
+		);
+	}
+
+	$output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" class="post-password-form' . $class . '" method="post">' . $redirect_field . $invalid_password_html . '
 	<p>' . __( 'This content is password protected. To view it please enter your password below:' ) . '</p>
 	<p><label for="' . $field_id . '">' . __( 'Password:' ) . ' <input name="post_password" id="' . $field_id . '" type="password" spellcheck="false" required size="20"' . $aria . ' /></label> <input type="submit" name="Submit" value="' . esc_attr_x( 'Enter', 'post password form' ) . '" /></p></form>
 	';
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.8-alpha-59752';
+$wp_version = '6.8-alpha-59753';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
--- a/wp-login.php
+++ b/wp-login.php
@ -764,8 +764,10 @@ switch ( $action ) {
 		break;

 	case 'postpass':
+		$redirect_to = $_POST['redirect_to'] ?? wp_get_referer();
+
 		if ( ! isset( $_POST['post_password'] ) || ! is_string( $_POST['post_password'] ) ) {
-			wp_safe_redirect( wp_get_referer() );
+			wp_safe_redirect( $redirect_to );
 			exit;
 		}

@ -782,18 +784,17 @@ switch ( $action ) {
 		 *
 		 * @param int $expires The expiry time, as passed to setcookie().
 		 */
-		$expire  = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
-		$referer = wp_get_referer();
+		$expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );

-		if ( $referer ) {
-			$secure = ( 'https' === parse_url( $referer, PHP_URL_SCHEME ) );
+		if ( $redirect_to ) {
+			$secure = ( 'https' === parse_url( $redirect_to, PHP_URL_SCHEME ) );
 		} else {
 			$secure = false;
 		}

 		setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );

-		wp_safe_redirect( wp_get_referer() );
+		wp_safe_redirect( $redirect_to );
 		exit;

 	case 'logout':