[wp-trac] [WordPress Trac] #27152: wp_get_referer() no longer reports off-site referrers

WordPress Trac noreply at wordpress.org
Wed Feb 19 07:16:51 UTC 2014 

#27152: wp_get_referer() no longer reports off-site referrers
----------------------------+--------------------
 Reporter:  bpetty          |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  3.9
Component:  Bootstrap/Load  |     Version:  3.6.1
 Severity:  major           |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+--------------------

Comment (by bpetty):

 Just for the sake of argument since this never saw any public debate or
 discussion, and since what was apparently such a significant oversight is
 now fixed anyway, I'd appreciate some feedback on this. It doesn't seem
 like the appropriate response to me, and I'd like to clear my concerns up
 before something like this happens again without notice.

 I wouldn't call it a "bug", it was doing it's job. The code using it might
 have been incorrect, but that's not the fault of `wp_get_referer()` (which
 is appropriately documented with the correct usage on the Codex).

 Why was it implausible to fix any incorrect usage in core? I'm fairly
 certain it didn't need fixed in more than a few places, but even if it
 was, I know there wasn't more than a maximum of about 50 locations in core
 that would have needed a review, and presumably, the reporter (or exploit)
 would have pointed out the location(s) to be concerned about.

 How do you know how frequently it's used incorrectly in plugins? Do you
 have some numbers?

 It just seems to me like this has diminished the reason for even having
 `wp_safe_redirect()` as well as leaving a very generically named
 `wp_get_referer()` method with only one single use case (redirecting form
 submissions), and no longer able to serve it's more globally identified
 purpose of (possibly more reliably) reporting where the user was referred
 from; something it was perfectly able to do before, and something the name
 of the method still indicates. This really just means that developers will
 be using `wp_get_referer()` incorrectly now instead, so I wouldn't really
 call it a "pretty obvious decision".

 This could have simply been resolved with better documentation and
 advocating better security practices including providing better examples
 of proper use in core code (which will never be fixed up to use
 `wp_safe_redirect()` now since there is no point).

 Part of my concern here is also that this was much more of an API design
 decision made by the security team rather than actually fixing security
 holes at their real points of exposure, all while ignoring the same advice
 we're still telling plugin developers. Normally this wouldn't even bother
 me if it was a good, quick fix for a serious issue that would have
 involved way more work to fix properly, but needed fixed immediately. This
 wan't one of those cases though.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/27152#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list