From 361ed7a3d6592cc46a93bbd562d04847bfc132a4 Mon Sep 17 00:00:00 2001 From: Dominik Schilling Date: Tue, 2 Feb 2016 15:11:28 +0000 Subject: [PATCH] Better validation of the URL used in HTTP redirects. Built from https://develop.svn.wordpress.org/trunk@36444 git-svn-id: http://core.svn.wordpress.org/trunk@36411 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/pluggable.php | 12 ++++++++++-- wp-includes/version.php | 2 +- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index 5227262378..3b65e45089 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php @@ -1336,9 +1336,17 @@ function wp_validate_redirect($location, $default = '') { if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) ) return $default; - // Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field. - if ( isset($lp['scheme']) && !isset($lp['host']) ) + // Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field. + if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) { return $default; + } + + // Reject malformed components parse_url() can return on odd inputs. + foreach ( array( 'user', 'pass', 'host' ) as $component ) { + if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) { + return $default; + } + } $wpp = parse_url(home_url()); $site = parse_url( site_url() ); diff --git a/wp-includes/version.php b/wp-includes/version.php index fd3c941c91..fb7cdb2c06 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.5-alpha-36435'; +$wp_version = '4.5-alpha-36444'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.