Changeset 14449

Timestamp:

05/09/2025 10:07:55 AM (9 months ago)

Author:

paulkevan

Message:

Login: make sure values are cast as strings.

File:

• sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions.php (modified) (2 diffs)

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions.php

@@ -466 +466 @@
 
     $from = 'wordpress.org';
+    // Make sure value is a string since it is compared next.
     if ( $redirect_to ) {
-        $from = $redirect_to;
+        $from = sanitize_text_field( $redirect_to );
     } elseif ( !empty( $_REQUEST['from'] ) ) {
-        $from = $_REQUEST['from'];
+        $from = sanitize_text_field( $_REQUEST['from'] );
     } elseif ( !empty( $_REQUEST['redirect_to'] ) ) {
-        $from = $_REQUEST['redirect_to'];
+        $from = sanitize_text_field( $_REQUEST['redirect_to'] );
     }
 
@@ -569 +570 @@
     }
 
-    $came_from = $_REQUEST['redirect_to'] ?? ( $_SERVER['HTTP_REFERER'] ?? '' );
+    // Make sure value is a string, since setcookie requires it to be.
+    $came_from = sanitize_text_field( $_REQUEST['redirect_to'] ?? ( $_SERVER['HTTP_REFERER'] ?? '' ) );
     if ( ! $came_from ) {
         return;