Ticket #4606: 4606.patch

File 4606.patch, 0.7 kB (added by hakre, 1 year ago)
Patch to solve remote 302 redirect injection flaw #4606

wp-pass.php

old	new
7	7	// 10 days
8	8	setcookie('wp-postpass_' . COOKIEHASH, $_POST['post_password'], time() + 864000, COOKIEPATH);
9	9
10		wp_redirect(wp_get_referer());
	10
	11	/*
	12	* ensure to only redirect to pages on the same domain
	13	*
	14	* @see #4606
	15	*/
	16	$redirect_url = wp_get_referer();
	17	$bloghome_url = get_option('home');
	18
	19	if (substr($redirect_url, 0, strlen($bloghome_url)) != $bloghome_url) {
	20	wp_die('Request Error. Please contact the Administrator.');
	21	} else {
	22	wp_redirect($redirect_url);
	23	}
11	24	?>