Changeset 6134

Timestamp:
09/19/07 03:47:37 (1 year ago)
Author:
markjaquith
Message:

More robust wp_safe_redirect(). Introducing wp_sanitize_redirect() for use in wp_redirect() and wp_safe_redirect(). fixes #4606

Files:

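--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -374,4 +374,22 @@
         return false;
 
+    $location = wp_sanitize_redirect($location);
+
+    if ( $is_IIS ) {
+        header("Refresh: 0;url=$location");
+    } else {
+        if ( php_sapi_name() != 'cgi-fcgi' )
+            status_header($status); // This causes problems on IIS and some FastCGI setups
+        header("Location: $location");
+    }
+}
+endif;
+
+if ( !function_exists('wp_sanitize_redirect') ) :
+/**
+ * sanitizes a URL for use in a redirect
+ * @return string redirect-sanitized URL
+ **/
+function wp_sanitize_redirect($location) {
     $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
     $location = wp_kses_no_null($location);
@@ -389,12 +407,5 @@
         }
     }
-
-    if ( $is_IIS ) {
-        header("Refresh: 0;url=$location");
-    } else {
-        if ( php_sapi_name() != 'cgi-fcgi' )
-            status_header($status); // This causes problems on IIS and some FastCGI setups
-        header("Location: $location");
-    }
+    return $location;
 }
 endif;
@@ -406,11 +417,17 @@
  **/
 function wp_safe_redirect($location, $status = 302) {
-    if ( $location{0} == '/' ) {
-        if ( $location{1} == '/' )
-            $location = get_option('home') . '/';
-    } else {
-        if ( substr($location, 0, strlen(get_option('home'))) != get_option('home') )
-            $location = get_option('home') . '/';
-    }
+
+    // Need to look at the URL the way it will end up in wp_redirect()
+    $location = wp_sanitize_redirect($location);
+
+    // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
+    if ( substr($location, 0, 2) == '//' )
+        $location = 'http:' . $location;
+
+    $lp  = parse_url($location);
+    $wpp = parse_url(get_option('home'));
+
+    if ( isset($lp['host']) && $lp['host'] != $wpp['host'] )
+        $location = get_option('siteurl') . '/wp-admin/';
 
     wp_redirect($location, $status);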
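Review bot: The host check added at new lines 430-431 of wp_safe_redirect() is skipped whenever parse_url() cannot parse the location: it then returns false, `isset($lp['host'])` is false, and the location reaches wp_redirect() with only the character-class sanitization applied. A failed parse should be treated the same way as a foreign host, and the fallback should also cover schemes other than http/https, because a location that carries a scheme but no host satisfies the current condition; e.g. `if ( !$lp || ( isset($lp['scheme']) && !in_array($lp['scheme'], array('http', 'https')) ) || ( isset($lp['host']) && $lp['host'] != $wpp['host'] ) )`. The host comparison is case-sensitive, so presumably both sides should go through strtolower() to avoid falling back on a merely differently-cased host. `$wpp['host']` is read unconditionally; if the home option is not an absolute URL that index is undefined, which is worth confirming before relying on it.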