Changeset 36444

Timestamp:

02/02/2016 03:10:09 PM (10 years ago)

Author:

ocean90

Message:

Better validation of the URL used in HTTP redirects.

Location:

trunk

Files:

• src/wp-includes/pluggable.php (modified) (1 diff)
• tests/phpunit/tests/formatting/redirect.php (modified) (2 diffs)

trunk/src/wp-includes/pluggable.php

@@ -1337 +1337 @@
         return $default;
 
-    // Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
-    if ( isset($lp['scheme'])  && !isset($lp['host']) )
+    // Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
+    if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
         return $default;
+    }
+
+    // Reject malformed components parse_url() can return on odd inputs.
+    foreach ( array( 'user', 'pass', 'host' ) as $component ) {
+        if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
+            return $default;
+        }
+    }
 
     $wpp = parse_url(home_url());

trunk/tests/phpunit/tests/formatting/redirect.php

@@ -4 +4 @@
  * @group pluggable
  * @group formatting
+ * @group redirect
  */
 class Tests_Formatting_Redirect extends WP_UnitTestCase {
+    function setUp() {
+        add_filter( 'home_url', array( $this, 'home_url' ) );
+    }
+
+    function tearDown() {
+        remove_filter( 'home_url', array( $this, 'home_url' ) );
+    }
+
+    function home_url() {
+        return 'http://example.com/';
+    }
+
     function test_wp_sanitize_redirect() {
         $this->assertEquals('http://example.com/watchthelinefeedgo', wp_sanitize_redirect('http://example.com/watchthelinefeed%0Ago'));
@@ -21 +34 @@
         $this->assertEquals('http://example.com/@username', wp_sanitize_redirect('http://example.com/@username'));
     }
+
+    /**
+     * @dataProvider valid_url_provider
+     */
+    function test_wp_validate_redirect_valid_url( $url, $expected ) {
+        $this->assertEquals( $expected, wp_validate_redirect( $url ) );
+    }
+
+    /**
+     * @dataProvider invalid_url_provider
+     */
+    function test_wp_validate_redirect_invalid_url( $url ) {
+        $this->assertEquals( false, wp_validate_redirect( $url, false ) );
+    }
+
+    function valid_url_provider() {
+        return array(
+            array( 'http://example.com', 'http://example.com' ),
+            array( 'http://example.com/', 'http://example.com/' ),
+            array( 'https://example.com/', 'https://example.com/' ),
+            array( '//example.com', 'http://example.com' ),
+            array( '//example.com/', 'http://example.com/' ),
+            array( 'http://example.com/?foo=http://example.com/', 'http://example.com/?foo=http://example.com/' ),
+            array( 'http://[email protected]/', 'http://[email protected]/' ),
+            array( 'http://user:@example.com/', 'http://user:@example.com/' ),
+            array( 'http://user:[email protected]/', 'http://user:[email protected]/' ),
+        );
+    }
+
+    function invalid_url_provider() {
+        return array(
+            // parse_url() fails
+            array( '' ),
+            array( 'http://:' ),
+
+            // non-safelisted domain
+            array( 'http://non-safelisted.example/' ),
+
+            // unsupported schemes
+            array( 'data:text/plain;charset=utf-8,Hello%20World!' ),
+            array( 'file:///etc/passwd' ),
+            array( 'ftp://example.com/' ),
+
+            // malformed input
+            array( 'http:example.com' ),
+            array( 'http:80' ),
+            array( 'http://example.com:1234:5678/' ),
+            array( 'http://user:pa:[email protected]/' ),
+
+            array( 'http://user@@example.com' ),
+            array( 'http://user@:example.com' ),
+            array( 'http://[email protected]' ),
+            array( 'http://user@?example.com' ),
+            array( 'http://user#@example.com' ),
+            array( 'http://user@#example.com' ),
+
+            array( 'http://user@@example.com/' ),
+            array( 'http://user@:example.com/' ),
+            array( 'http://[email protected]/' ),
+            array( 'http://user@?example.com/' ),
+            array( 'http://user#@example.com/' ),
+            array( 'http://user@#example.com/' ),
+
+            array( 'http://user:pass@@example.com' ),
+            array( 'http://user:pass@:example.com' ),
+            array( 'http://user:[email protected]' ),
+            array( 'http://user:pass@?example.com' ),
+            array( 'http://user:pass#@example.com' ),
+            array( 'http://user:pass@#example.com' ),
+
+            array( 'http://user:pass@@example.com/' ),
+            array( 'http://user:pass@:example.com/' ),
+            array( 'http://user:[email protected]/' ),
+            array( 'http://user:pass@?example.com/' ),
+            array( 'http://user:pass#@example.com/' ),
+            array( 'http://user:pass@#example.com/' ),
+
+            array( 'http://user.pass@@example.com' ),
+            array( 'http://user.pass@:example.com' ),
+            array( 'http://[email protected]' ),
+            array( 'http://user.pass@?example.com' ),
+            array( 'http://user.pass#@example.com' ),
+            array( 'http://user.pass@#example.com' ),
+
+            array( 'http://user.pass@@example.com/' ),
+            array( 'http://user.pass@:example.com/' ),
+            array( 'http://[email protected]/' ),
+            array( 'http://user.pass@?example.com/' ),
+            array( 'http://user.pass#@example.com/' ),
+            array( 'http://user.pass@#example.com/' ),
+        );
+    }
 }