[wp-trac] [WordPress Trac] #27152: wp_get_referer() no longer reports off-site referrers
WordPress Trac
noreply at wordpress.org
Tue Feb 18 23:12:49 UTC 2014
#27152: wp_get_referer() no longer reports off-site referrers
----------------------------+------------------------------
 Reporter:  bpetty          |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  3.9
Component:  Bootstrap/Load  |    Version:  3.7
 Severity:  major           |   Keywords:  needs-unit-tests
  Focuses:                  |
----------------------------+------------------------------
In r25318, a redirect validation was added to `wp_get_referer()` and
`wp_get_original_referer()` by @nacin (there's no ticket for this change
btw).

The problem here is that this has broken calls to these functions with the
purpose of simply fetching the referrer for logging or stats, and not
necessarily for redirection. This is a silent failure since callers were
already expected to handle a false return value, and now off-site referers
return false as well.

This is a regression from 3.6.

We shouldn't just assume that a call to these methods is strictly for the
purpose of redirection, and leave the responsibility of validating the URL
for redirection up to the method actually performing the redirection. We
have `wp_safe_redirect()` for this, and if this is required for form
actions or elsewhere, they should be handling validation themselves.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27152>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
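
The separation the ticket asks for, as an added example that is not part of the original ticket or of WordPress core: fetching the referrer for logging is kept apart from validating it as a redirect target. All function names and hosts here are hypothetical, and `example_coupled_referer()` only mimics the behaviour the ticket describes.

```php
<?php
// Added illustration, not WordPress core code. Function names and hosts are hypothetical.

// Fetch only: the Referer header for logging or stats. The value is client-supplied,
// so control characters are stripped here and it must be escaped wherever it is displayed.
function example_raw_referer(array $server): ?string {
    $ref = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $server['HTTP_REFERER'] ?? '');
    return $ref === '' ? null : $ref;
}

// Validate only: decide whether a URL is acceptable as a redirect target.
function example_is_local_url(string $url, array $allowed_hosts): bool {
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), $allowed_hosts, true);
}

// The coupled behaviour the ticket describes: fetch and validate in one call,
// so an off-site referrer and a missing referrer both come back as false.
function example_coupled_referer(array $server, array $allowed_hosts) {
    $ref = example_raw_referer($server);
    return ($ref !== null && example_is_local_url($ref, $allowed_hosts)) ? $ref : false;
}

// Redirect path: validation happens where the redirect is performed.
function example_redirect_target(array $server, array $allowed_hosts, string $fallback): string {
    $ref = example_raw_referer($server);
    return ($ref !== null && example_is_local_url($ref, $allowed_hosts)) ? $ref : $fallback;
}

$allowed  = ['blog.example'];
$requests = [ // constructed sample requests
    'on-site'  => ['HTTP_REFERER' => 'https://blog.example/wp-admin/edit.php'],
    'off-site' => ['HTTP_REFERER' => 'https://search.example/?q=wordpress'],
    'none'     => [],
];
foreach ($requests as $label => $server) {
    printf("%-8s coupled=%s | log=%s | redirect=%s\n",
        $label,
        var_export(example_coupled_referer($server, $allowed), true),
        var_export(example_raw_referer($server), true),
        example_redirect_target($server, $allowed, 'https://blog.example/'));
}
```

For the off-site request the coupled call returns the same `false` as the request with no referrer at all, while the split version still records the off-site URL for stats and keeps the redirect on the allowed host.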