[wp-trac] [WordPress Trac] #16837: New sanitize_option siteurl breaks https, cookies, sessions, load balancing, moves, devel etc.

WordPress Trac wp-trac at lists.automattic.com
Sat Mar 12 22:43:36 UTC 2011 

#16837: New sanitize_option siteurl breaks https, cookies, sessions, load
balancing, moves, devel etc.
--------------------------+------------------------------
 Reporter:  raymor        |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Formatting    |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  dev-feedback  |
--------------------------+------------------------------
Changes (by scribu):

 * keywords:   => dev-feedback
 * component:  General => Formatting


Old description:

> In wp-includes/formatting.php, function wp-includes/formatting.php,
> the following code has been added:
>

> {{{
>
>                 case 'siteurl':
>                         if ( (bool)preg_match( '#http(s?)://(.+)#i',
> $value) ) {
>                                 $value = esc_url_raw($value);
>                         } else {
>                                 $value = get_option( $option ); // Resets
> option to stored value in the case of failed sanitization
>                                 if (
> function_exists('add_settings_error') )
>                                         add_settings_error('siteurl',
> 'invalid_siteurl', __('The WordPress address you entered did not appear
> to be a valid URL. Please enter a valid URL.'));
>                         }
>                         break;
>
>                 case 'home':
>                         if ( (bool)preg_match( '#http(s?)://(.+)#i',
> $value) ) {
>                                 $value = esc_url_raw($value);
>
> }}}
>

> Forcing qualified URLs breaks a LOT of things.
> Some of the bigger problems you see on all browsers
> are:
>
> Breaks if your site is accessible via https as well as http.
> Breaks anything that uses cookies and is accessible as
> www.site.com and site.com.
> Breaks PHP sessions in many cases.
> Breaks load balancing such as www1.site.com
> and www2.site.com
> Makes moves, renames, and devel sites a real pain
> For more on these problems and more, see for example:
> http://codex.wordpress.org/Changing_The_Site_URL
> http://wordpress.org/support/topic/dont-save-fully-qualified-domains-in-
> the-database
> http://wordpress.org/support/topic/htaccess-038-wordpress
> http://wordpress.org/support/topic/site-in-a-infinite-loop
>

> I could go on and on, requiring the use of fully qualified
> URLs via the new "validation" of the base URL, or doing
> the same thing with "canonical redirects" just really
> screws up a lot of things.
>
> On the other hand, it does help your Google rank, but only
> in the land of fairy tales.  In the real world, Google already
> assumes that www.site.com and site.com are the normally the same.
> So the actual benefit is .. nothing.
>
> Suggested action:
> Remove the check which forces fully qualified URLs in formatting.php

New description:

 In wp-includes/formatting.php, function wp-includes/formatting.php,
 the following code has been added:


 {{{

                 case 'siteurl':
                         if ( (bool)preg_match( '#http(s?)://(.+)#i',
 $value) ) {
                                 $value = esc_url_raw($value);
                         } else {
                                 $value = get_option( $option ); // Resets
 option to stored value in the case of failed sanitization
                                 if ( function_exists('add_settings_error')
 )
                                         add_settings_error('siteurl',
 'invalid_siteurl', __('The WordPress address you entered did not appear to
 be a valid URL. Please enter a valid URL.'));
                         }
                         break;

                 case 'home':
                         if ( (bool)preg_match( '#http(s?)://(.+)#i',
 $value) ) {
                                 $value = esc_url_raw($value);

 }}}


 Forcing qualified URLs breaks a LOT of things.
 Some of the bigger problems you see on all browsers
 are:

 Breaks if your site is accessible via https as well as http.
 Breaks anything that uses cookies and is accessible as
 www.site.com and site.com.
 Breaks PHP sessions in many cases.
 Breaks load balancing such as www1.site.com
 and www2.site.com
 Makes moves, renames, and devel sites a real pain
 For more on these problems and more, see for example:
 * http://codex.wordpress.org/Changing_The_Site_URL
 * http://wordpress.org/support/topic/dont-save-fully-qualified-domains-in-
 the-database
 * http://wordpress.org/support/topic/htaccess-038-wordpress
 * http://wordpress.org/support/topic/site-in-a-infinite-loop


 I could go on and on, requiring the use of fully qualified
 URLs via the new "validation" of the base URL, or doing
 the same thing with "canonical redirects" just really
 screws up a lot of things.

 On the other hand, it does help your Google rank, but only
 in the land of fairy tales.  In the real world, Google already
 assumes that www.site.com and site.com are the normally the same.
 So the actual benefit is .. nothing.

 Suggested action:
 Remove the check which forces fully qualified URLs in formatting.php

--

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/16837#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list