diff --git a/wp-includes/functions.php b/wp-includes/functions.php index 6dbc510af5..b3fddfd2b8 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -1517,13 +1517,11 @@ function wp_original_referer_field( $echo = true, $jump_back_to = 'current' ) { * @return false|string False on failure. Referer URL on success. */ function wp_get_referer() { - if ( ! function_exists( 'wp_validate_redirect' ) ) + if ( ! function_exists( 'wp_validate_redirect' ) ) { return false; - $ref = false; - if ( ! empty( $_REQUEST['_wp_http_referer'] ) ) - $ref = wp_unslash( $_REQUEST['_wp_http_referer'] ); - elseif ( ! empty( $_SERVER['HTTP_REFERER'] ) ) - $ref = wp_unslash( $_SERVER['HTTP_REFERER'] ); + } + + $ref = wp_get_raw_referer(); if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) && $ref !== home_url() . wp_unslash( $_SERVER['REQUEST_URI'] ) ) { return wp_validate_redirect( $ref, false ); @@ -1532,6 +1530,25 @@ function wp_get_referer() { return false; } +/** + * Retrieve unvalidated referer from '_wp_http_referer' or HTTP referer. + * + * Do not use for redirects, use wp_get_referer() instead. + * + * @since 4.5.0 + * + * @return string|bool Referer URL on success, false on failure. + */ +function wp_get_raw_referer() { + if ( ! empty( $_REQUEST['_wp_http_referer'] ) ) { + return wp_unslash( $_REQUEST['_wp_http_referer'] ); + } else if ( ! empty( $_SERVER['HTTP_REFERER'] ) ) { + return wp_unslash( $_SERVER['HTTP_REFERER'] ); + } + + return false; +} + /** * Retrieve original referer that was posted, if it exists. * diff --git a/wp-includes/version.php b/wp-includes/version.php index 5391435d0f..2e1b88fefe 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.5-alpha-36265'; +$wp_version = '4.5-alpha-36266'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.