From 16195095b8fd392130700ac9a515526f495d7f1d Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov.ru@gmail.com>
Date: Wed, 4 Sep 2019 17:14:19 +0000
Subject: [PATCH] Improve URL validation in `wp_validate_redirect()`.

Merges [45971] to the 4.4 branch.
Props vortfu, whyisjake, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.4@45981


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45792 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/pluggable.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index 7a4244aba5..86d7b731a8 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1340,6 +1340,14 @@ function wp_validate_redirect($location, $default = '') {
 	if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) )
 		return $default;
 
+	if ( ! isset( $lp['host'] ) && ! empty( $lp['path'] ) && '/' !== $lp['path'][0] ) {
+		$path = '';
+		if ( ! empty( $_SERVER['REQUEST_URI'] ) ) {
+			$path = dirname( parse_url( 'http://placeholder' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ) . '?' );
+		}
+		$location = '/' . ltrim( $path . '/', '/' ) . $location;
+	}
+
 	// Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
 	if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
 		return $default;