[wp-trac] [WordPress Trac] #34028: wp_safe_redirect can return admin_url() when get_admin_url() is used
WordPress Trac
noreply at wordpress.org
Fri Sep 25 20:47:50 UTC 2015
#34028: wp_safe_redirect can return admin_url() when get_admin_url() is used
--------------------------+-----------------------------
Reporter: layotte | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Setup your site like this:
WordPress Address (URL): http://yourdomain.tld/ (without www)
Site Address (URL): http://www.yourdomain.tld/ (with www)
Example code (yes I know it's stupid code, but it's a working proof-of-concept):
{{{
<?php
function unsafe_safe_redirect() {
    // Which admin page is being loaded, or false if unknown
    $pagenow = empty( $GLOBALS['pagenow'] ) ? false : $GLOBALS['pagenow'];
    if ( empty( $pagenow ) || 'post-new.php' != $pagenow )
        return;
    // Redirect for add new screen
    if ( 'post-new.php' == $pagenow ) {
        // get_admin_url() is built from site_url(), not home_url()
        wp_safe_redirect( get_admin_url() . 'plugins.php' );
        die();
    }
}
add_action( 'admin_init', 'unsafe_safe_redirect' );
}}}
Visit: http://yourdomain.tld/wp-admin/post-new.php
It will redirect you to: http://yourdomain.tld/wp-admin/
But it should have redirected you to: http://yourdomain.tld/wp-admin/plugins.php
The problem is that wp_validate_redirect() uses home_url() which can be
different from site_url() which is used by get_admin_url().
I propose that we use both in wp_validate_redirect(). Diff attached.
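To make the mechanism concrete, here is an added PHP illustration (not WordPress core code and not the attached diff): a simplified host allow-list check standing in for wp_validate_redirect(), run once with only the home_url() host allowed and once with both hosts. The function validate_redirect_host() and the sample URLs are assumptions made for this example.

```php
<?php
// Added illustration, not WordPress core code. Constructed sample values
// mirror the ticket's setup: Site Address with www, WordPress Address without.
$home_url = 'http://www.yourdomain.tld/';   // what home_url() would return
$site_url = 'http://yourdomain.tld/';       // what site_url() would return

// Hypothetical stand-in for the host check: return $location if its host is
// on the allow-list (or it is a relative URL), otherwise return $fallback.
function validate_redirect_host( $location, array $allowed_hosts, $fallback ) {
    $host = parse_url( $location, PHP_URL_HOST );
    if ( $host === null || $host === false ) {
        return $location; // relative URL stays on the current host
    }
    $allowed = array_map( 'strtolower', $allowed_hosts );
    return in_array( strtolower( $host ), $allowed, true ) ? $location : $fallback;
}

// The redirect target the proof-of-concept builds, and the admin_url()
// fallback that wp_safe_redirect() substitutes when validation fails.
$location = $site_url . 'wp-admin/plugins.php';
$fallback = $site_url . 'wp-admin/';

// Behaviour described in the ticket: only the home_url() host is allowed,
// so the site_url() host of $location is rejected and the fallback is used.
$home_only = array( parse_url( $home_url, PHP_URL_HOST ) );
echo validate_redirect_host( $location, $home_only, $fallback ), "\n";

// Proposed behaviour: allow the hosts of both home_url() and site_url(),
// so the plugins.php target passes validation unchanged.
$home_and_site = array(
    parse_url( $home_url, PHP_URL_HOST ),
    parse_url( $site_url, PHP_URL_HOST ),
);
echo validate_redirect_host( $location, $home_and_site, $fallback ), "\n";
```

Run it with `php` on the command line; the first line printed is the fallback path and the second is the intended plugins.php target.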
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34028>
WordPress Trac <https://core.trac.wordpress.org/>