WordPress.org

Making WordPress.org

Changeset 3146


Ignore:
Timestamp:
05/14/2016 01:32:14 PM (4 years ago)
Author:
ocean90
Message:

WordPress.org SSO: Encode spaces in $_REQUEST['redirect_to'] so they don't get stripped by wp_sanitize_redirect().

Fixes URLs like https://login.wordpress.org/?redirect_to=https://core.trac.wordpress.org/newticket?component=Networks%20and%20Sites.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • sites/trunk/common/includes/wporg-sso/class-wporg-sso.php

    r3145 r3146  
    101101            if ( ! empty( $_REQUEST['redirect_to'] ) ) {
    102102                // User is requesting a further redirect afterward, let's make sure it's a legit target.
     103                $redirect_to = str_replace( ' ', '%20', $_REQUEST['redirect_to'] ); // Encode spaces.
    103104                $redirect_to_requested = function_exists( 'wp_sanitize_redirect' ) ? wp_sanitize_redirect( $redirect_to ) : $redirect_to;
    104105                if ( $this->_is_valid_targeted_domain( $redirect_to_requested ) ) {
Note: See TracChangeset for help on using the changeset viewer.