[Bb-trac] [bbPress] #835: bb-login.php can mung urls
bbPress
bb-trac at lists.bbpress.org
Thu Mar 20 02:10:29 GMT 2008
#835: bb-login.php can mung urls
----------------------------+-----------------------------------------------
 Reporter:  mdawaffe        |       Owner:
     Type:  defect          |      Status:  new
 Priority:  normal          |   Milestone:  0.9
Component:  Administration  |     Version:  1.0-alpha (trunk)
 Severity:  normal          |    Keywords:
----------------------------+-----------------------------------------------
 1. Go to http://wordpress.org/support/
 2. Log out.
 3. Go to http://wordpress.org/tags/archives
 4. Log in.
 5. Get redirected to
    {{{http://wordpress.org/support/ttp://wordpress.org/tags/archives}}}

This happens because bbPress allows you to define a custom {{{tag_path}}}.
bb-login.php doesn't think that the redirect url
({{{http://wordpress.org/tags/archives}}}) is a safe place to redirect (it
doesn't start with bbPress's home URL:
{{{http://wordpress.org/support}}}).

The logic prepends the home url to a {{{substr()}}}'d version of the
redirect url (bb-login.php treats the redirect url as a relative URL since
it didn't pass the safety check).

Instead of doing
{{{
bb_get_common_paths( 'http://wordpress.org/support/',
    'http://wordpress.org/tags/archives' )
}}}
we could do
{{{
bb_get_common_parts( 'http://wordpress.org/support/',
    'http://wordpress.org/tags/archives', '/' )
}}}

Or we could forgo this precursor check and instead "absolutize" relative
links and just depend on bb_safe_redirect() to do the safety check for us
(which, in core, only looks at host info, not path info).
--
Ticket URL: <http://trac.bbpress.org/ticket/835>
bbPress <http://bbpress.org/>
Innovative forum development
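
The failure described in the ticket and its second proposal (absolutize, then check the host only), as an added example that is not part of the ticket and is not bbPress code. The function names are hypothetical, the `substr()` offset of 1 is an assumption chosen because it reproduces the reported URL, and `example.net` is a constructed sample host.

```php
<?php
// Added illustration, not bbPress source. Function names are hypothetical.
const HOME = 'http://wordpress.org/support/';

// Models the behaviour described in the ticket: a redirect target that does
// not start with the home URL is treated as relative and glued onto it.
function naive_redirect(string $re, string $home = HOME): string
{
    if (strpos($re, $home) === 0) {
        return $re;
    }
    // Assumption: one leading character (an expected "/") is dropped.
    return $home . substr($re, 1);
}

// Models the second proposal: absolutize relative links, then decide on
// host information only, falling back to the home URL otherwise.
function absolutize_then_check(string $re, string $home = HOME): string
{
    $h = parse_url($home);
    $r = parse_url($re);
    // Backslashes, spaces and control characters are read differently by
    // browsers and by parse_url(), so refuse them outright.
    if ($r === false || preg_match('/[\\\\\x00-\x20]/', $re)) {
        return $home;
    }
    if (isset($r['host'])) {
        $scheme = strtolower($r['scheme'] ?? '');
        $ok = in_array($scheme, ['http', 'https'], true)
            && !isset($r['user'])
            && strcasecmp($r['host'], $h['host']) === 0;
        return $ok ? $re : $home;
    }
    if (isset($r['scheme'])) {
        return $home; // scheme without a host, e.g. "javascript:" or "data:"
    }
    $origin = $h['scheme'] . '://' . $h['host'];
    return ($re !== '' && $re[0] === '/') ? $origin . $re : $home . $re;
}

// Constructed sample inputs: the ticket's URL, two relative forms,
// a protocol-relative URL and an off-site absolute URL.
foreach (['http://wordpress.org/tags/archives', '/tags/archives',
          'topic.php?id=1', '//example.net/x', 'http://example.net/'] as $re) {
    echo $re, "\n  naive:   ", naive_redirect($re),
         "\n  checked: ", absolutize_then_check($re), "\n";
}
```

Because the second function compares hosts rather than URL prefixes, a custom `tag_path` outside the home path on the same host passes unchanged.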