[wp-trac] [WordPress Trac] #27152: wp_get_referer() no longer reports off-site referrers
WordPress Trac
noreply at wordpress.org
Wed Feb 19 05:02:01 UTC 2014
#27152: wp_get_referer() no longer reports off-site referrers
----------------------------+--------------------
Reporter: bpetty | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.9
Component: Bootstrap/Load | Version: 3.6.1
Severity: major | Resolution:
Keywords: | Focuses:
----------------------------+--------------------
Changes (by nacin):
* version: 3.7 => 3.6.1
Comment:
This was security hardening to avoid open redirection vulnerabilities. Too
often core and plugins were using wp_get_referer() without
wp_safe_redirect(). The addition of wp_validate_redirect() was very
deliberate and was signed off by the security team and the lead
developers.
This function is specifically a WordPress utility, given its checking of
the _wp_http_referer field. (If you wanted HTTP_REFERER, you should really
ask for it.) That, combined with the unreliability of referrers, the
danger of unvalidated referrers, and the nature of it already allowing
for a silent failure, made it a pretty obvious decision.
This is a wontfix. It was a bug for this function to ever return a value
without first validating it. wp_validate_redirect() has a filter.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27152#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
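As an added example (not code from the ticket or from WordPress core), a plugin handler illustrating the pattern this hardening targets and the filter on wp_validate_redirect() that the comment mentions; the action name `myplugin_return`, the host `partner.example.com` and the admin_url() fallback are assumptions.

```php
<?php
// Added example, not WordPress core code. Assumes a plugin-registered
// admin-post action named "myplugin_return" and one trusted external host.

// Weak pattern: redirecting to a raw, unvalidated referrer. Because the
// Referer header is client-controlled, this endpoint becomes an open redirect.
function myplugin_return_unsafe() {
    check_admin_referer( 'myplugin_return' );
    wp_redirect( $_SERVER['HTTP_REFERER'] );
    exit;
}

// Hardened pattern: wp_get_referer() only returns a referrer that passes
// wp_validate_redirect(), and wp_safe_redirect() validates the target again.
// An off-site referrer now yields false, so fall back to a known-good URL.
function myplugin_return_safe() {
    check_admin_referer( 'myplugin_return' );
    $referer = wp_get_referer();
    if ( false === $referer ) {
        $referer = admin_url(); // assumed fallback location
    }
    wp_safe_redirect( $referer );
    exit;
}
add_action( 'admin_post_myplugin_return', 'myplugin_return_safe' );

// Deliberately permitting a single trusted off-site host through the
// allowed_redirect_hosts filter that wp_validate_redirect() consults.
// Keep this list explicit and short; each entry widens the redirect surface.
function myplugin_allowed_hosts( $hosts ) {
    $hosts[] = 'partner.example.com'; // assumed trusted host
    return $hosts;
}
add_filter( 'allowed_redirect_hosts', 'myplugin_allowed_hosts' );
```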