[wp-trac] [WordPress Trac] #34028: wp_safe_redirect can return admin_url() when get_admin_url() is used

WordPress Trac noreply at wordpress.org
Fri Sep 25 20:47:50 UTC 2015


#34028: wp_safe_redirect can return admin_url() when get_admin_url() is used
--------------------------+-----------------------------
 Reporter:  layotte       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Set up your site like this:

 WordPress Address (URL): http://yourdomain.tld/ (without www)
 Site Address (URL): http://www.yourdomain.tld/ (with www)

 Example code (yes I know it's stupid code, but it's a working proof-of-concept):

 {{{
 <?php
 function unsafe_safe_redirect() {
         $pagenow   = empty( $GLOBALS['pagenow'] ) ? false : $GLOBALS['pagenow'];

         if ( empty( $pagenow ) || 'post-new.php' != $pagenow )
                 return;

         // Redirect for add new screen
         if ( 'post-new.php' == $pagenow ) {
                 wp_safe_redirect( get_admin_url() . 'plugins.php' );
                 die();
         }
 }
 add_action( 'admin_init', 'unsafe_safe_redirect' );
 }}}

 Visit: http://yourdomain.tld/wp-admin/post-new.php
 It will redirect you to: http://yourdomain.tld/wp-admin/
 But it should have redirected you to: http://yourdomain.tld/wp-admin/plugins.php

 The problem is that wp_validate_redirect() uses home_url() which can be
 different from site_url() which is used by get_admin_url().

 I propose that we use both in wp_validate_redirect(). Diff attached.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34028>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
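
The host mismatch described in the ticket, as an added stand-alone PHP sketch (not WordPress core code and not the attached diff). `model_validate_redirect()` and `host_of()` are hypothetical helpers; the URLs are the ticket's sample values plus one constructed off-site URL.

```php
<?php
// Simplified model of a host-allowlist redirect check. Assumption: this only
// mirrors the comparison the ticket describes; it is not wp_validate_redirect().
$home_url = 'http://www.yourdomain.tld/'; // Site Address (URL), with www
$site_url = 'http://yourdomain.tld/';     // WordPress Address (URL), without www

/** Return $location if its host is on the allowlist, otherwise $default. */
function model_validate_redirect( string $location, string $default, array $allowed_hosts ): string {
	$host = parse_url( $location, PHP_URL_HOST );
	if ( null === $host || false === $host ) {
		return $location; // relative URL: no host to compare
	}
	$allowed = array_map( 'strtolower', $allowed_hosts );
	return in_array( strtolower( $host ), $allowed, true ) ? $location : $default;
}

/** Lower-cased host component of a URL (hypothetical helper). */
function host_of( string $url ): string {
	return strtolower( (string) parse_url( $url, PHP_URL_HOST ) );
}

$admin_url = $site_url . 'wp-admin/';         // admin URL is built on the site_url() host
$target    = $admin_url . 'plugins.php';      // redirect target from the ticket
$external  = 'http://example.org/wp-admin/';  // constructed off-site URL

// Reported behaviour: only the home_url() host is allowed.
$home_only = array( host_of( $home_url ) );
// Proposed behaviour: allow the home_url() and site_url() hosts.
$both = array_unique( array( host_of( $home_url ), host_of( $site_url ) ) );

foreach ( array( 'home only' => $home_only, 'home + site' => $both ) as $label => $hosts ) {
	printf( "%-12s target   -> %s\n", $label, model_validate_redirect( $target, $admin_url, $hosts ) );
	printf( "%-12s external -> %s\n", $label, model_validate_redirect( $external, $admin_url, $hosts ) );
}
```

With only the home host allowed, the `plugins.php` target is replaced by the admin fallback; with both hosts allowed it passes, while the off-site URL is rejected in both cases.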

