[wp-trac] [WordPress Trac] #32413: Certain file suffixes in $_GET variable break user session
WordPress Trac
noreply at wordpress.org
Fri May 15 16:02:30 UTC 2015
#32413: Certain file suffixes in $_GET variable break user session
--------------------------+-----------------------------
Reporter: zergling81 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.2.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
In 4.2.2 (but not 4.1.5) including a URL in a $_GET variable will prevent
WordPress from identifying the current user via functions like
current_user_can and get_currentuserinfo, breaking any functionality
dependent on same, such as access to private pages, etc.
Reproduction steps:
1. Install clean 4.2.2 with no plugins and the Twenty Fifteen theme.
2. Create private page.
3. Visit private page to confirm that you can see it normally.
4. Add a URL as the value of a $_GET variable, and reload the page with
the modified URL.
The issue seems to have to do with string matching, as it occurs
regardless of URL encoding and ONLY occurs with a complete "http://*." or
"https://*." string (where * is a wildcard) - omitting any character of
the string averts the issue.
Thus, any of the following would produce the error:
http://www.example.com?page_id=5&randomvariable=http://www.yahoo.com
http://www.example.com?page_id=5&randomvariable=http%3A%2F%2Fwww.yahoo.com
http://www.example.com?page_id=5&randomvariable=http://www.
but these would not:
http://www.example.com?page_id=5&randomvariable=www.yahoo.com
http://www.example.com?page_id=5&randomvariable=www.yahoo.com
http://www.example.com?page_id=5&randomvariable=http://www
http:/www.example.com?page_id=5&randomvariable=http:/www.yahoo.com
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32413>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
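A small triage helper, added here as an example and not part of the ticket or of WordPress itself, that encodes the reporter's observed trigger pattern (a complete "http://*." or "https://*." string inside a query-string value, checked after percent-decoding) and runs it over constructed access-log lines so an operator can find requests that would have hit this bug. Assumptions not stated in the ticket: the wildcard may be empty, matching is case-sensitive, and decoding is repeated so double-encoded values are also caught; the log format and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Trigger pattern as described in the ticket: "http://" or "https://",
# any characters (assumption: possibly none), then a literal dot.
TRIGGER = re.compile(r"https?://.*?\.")

# Apache/nginx combined-log style request field, e.g. "GET /?x=y HTTP/1.1"
LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable (assumption: double-encoded values
    should be treated the same; the ticket only says encoding is irrelevant)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_values(url):
    """Return the decoded values of every $_GET-style parameter in url."""
    parts = urlsplit(url)
    return [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]


def triggers_bug(url):
    """True if any query value contains the reporter's trigger string."""
    return any(TRIGGER.search(v) for v in query_values(url))


def affected_requests(log_lines, host="http://example.invalid"):
    """Scan access-log lines and return the request targets that match.
    The request target is relative, so a placeholder host is prepended
    purely so urlsplit can isolate the query string."""
    hits = []
    for line in log_lines:
        m = LOG_REQUEST.search(line)
        if m and triggers_bug(host + m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/May/2015:16:02:30 +0000] "GET /?page_id=5 HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/May/2015:16:03:01 +0000] "GET /?page_id=5&r=http%3A%2F%2Fwww.yahoo.com HTTP/1.1" 404 210',
    '203.0.113.5 - - [15/May/2015:16:03:40 +0000] "GET /?page_id=5&r=www.yahoo.com HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for target in affected_requests(SAMPLE_LOG):
        print("request would break session identification:", target)
```

The classifier reproduces the ticket's own lists: the three URLs under "would produce the error" match, the ones under "would not" do not. Run over a real access log, the matching targets point at the requests (and plugins or themes that build such links) to check after upgrading.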