Multisite: Handle redirect to a user's subdomain properly during login

`wp-login.php` uses `wp_safe_redirect()` for all redirects, even those that do not involve unsafe data from the request or referer.

When a user of a subdomain site attempts to login to a network site they do not have access to, the host in the redirect URL is treated as unsafe by `wp_safe_redirect()` as it has no immediate awareness as to which hosts are valid on the network. On a subdirectoy network, everything works as expected because the host is the same.

In this specific block of `wp-login.php`, all URLs are generated by WordPress and we can use `wp_redirect()` to handle the redirects. Users authenticating via other network sites will now be redirected properly. Hosts passed via the `redirect_to` query var will continue to be handled by `wp_safe_redirect()`.

Fixes #30598.

Built from https://develop.svn.wordpress.org/trunk@36867


git-svn-id: http://core.svn.wordpress.org/trunk@36834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Jeremy Felt 2016-03-06 03:06:29 +00:00
parent 40f6779665
commit 27e29666a8
2 changed files with 4 additions and 1 deletions

View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.5-beta2-36866';
$wp_version = '4.5-beta2-36867';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

View File

@ -830,6 +830,9 @@ default:
$redirect_to = get_dashboard_url( $user->ID );
elseif ( !$user->has_cap('edit_posts') )
$redirect_to = $user->has_cap( 'read' ) ? admin_url( 'profile.php' ) : home_url();
wp_redirect( $redirect_to );
exit();
}
wp_safe_redirect($redirect_to);
exit();