[wp-hackers] Bug in wp_sanitize_redirect() on IIS ???

Peter Westwood peter.westwood at ftwr.co.uk
Wed Sep 26 15:03:10 GMT 2007



Callum Macdonald wrote:
> G'day,
> 
> I haven't experienced this personally, but some users of my WP Mail
> SMTP[1] plugin have reported that the Options page redirection doesn't
> work properly under IIS. It seems to work fine on LAMP.
> 
> After clicking "Update Options" the options page redirects to this url:
> wp-admin/options-general.php?page=wp-mail-smtp2Fwp_mail_smtp.php&updated=true
> 
> 
> It seems the % is being stripped from the / in the URL. The correct url is:
> wp-admin/options-general.php?page=wp-mail-smtp%2Fwp_mail_smtp.php&updated=true
> 
> 
> It seems that this is being stripped out in the
> wp_sanitize_redirect()[2] function. I can't figure out why it's being
> re-introduced under Apache though. As far as I can tell the code strips
> out the % but doesn't add it back anywhere before redirecting.
> 
> Anyone got any ideas?

Firstly, the preg_replace character class in wp_sanitize_redirect starts
with a ^ and is therefore negated - we allow % in those urls so that
should not be stripping it out I believe.

Could it be an issue with the parse_url call in wp_safe_redirect?

westi
--
Peter Westwood
http://blog.ftwr.co.uk
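A stage-by-stage check that can be run on the affected server to see which step loses the `%`, added here as an example and not part of the original message or of WordPress. The character class is an assumed allow-list modelled on the description above, the variant without `%` is hypothetical, and `example.com` is a placeholder host.

```php
<?php
// Added illustration, not WordPress source. Both patterns are assumptions:
// a negated class deletes every character that is NOT listed in it.
const ALLOW_WITH_PERCENT    = '|[^a-z0-9\-~+_.?#=&;,/:%]|i'; // '%' is allowed
const ALLOW_WITHOUT_PERCENT = '|[^a-z0-9\-~+_.?#=&;,/:]|i';  // hypothetical: '%' missing

function strip_disallowed(string $pattern, string $location): string {
    return preg_replace($pattern, '', $location);
}

// URLs quoted in the thread.
$expected = 'wp-admin/options-general.php?page=wp-mail-smtp%2Fwp_mail_smtp.php&updated=true';
$reported = 'wp-admin/options-general.php?page=wp-mail-smtp2Fwp_mail_smtp.php&updated=true';

// Stage 1: does the negated class keep '%'?
$stage1 = strip_disallowed(ALLOW_WITH_PERCENT, $expected);
echo 'class with %    keeps the URL intact: ',
     ($stage1 === $expected ? 'yes' : 'no'), "\n";

// Stage 2: would a class lacking '%' produce exactly the reported URL?
$stage2 = strip_disallowed(ALLOW_WITHOUT_PERCENT, $expected);
echo 'class without % gives reported URL:   ',
     ($stage2 === $reported ? 'yes' : 'no'), "\n";

// Stage 3: does parse_url() on this PHP build leave the escape alone?
// The result only describes the PHP build the script is run on.
$query = parse_url('http://example.com/' . $expected, PHP_URL_QUERY);
echo 'parse_url query still contains %2F:   ',
     (is_string($query) && strpos($query, '%2F') !== false ? 'yes' : 'no'), "\n";

// Constructed input: characters outside the class (space, quote, CR, LF)
// are removed, which is the purpose of the allow-list in a Location header.
$dirty = "options.php?a=1 \"x\"\r\nSet-Cookie:y";
echo 'sanitized constructed input: ',
     strip_disallowed(ALLOW_WITH_PERCENT, $dirty), "\n";
```

If stages 1 and 3 both report "yes" on the IIS host, the `%` is being lost after these two calls, for example when the header is emitted or handled by the web server.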

