#! /bin/sh /usr/share/dpatch/dpatch-run
## CVE2007-3639.dpatch by <andrea.de.iacovo@gmail.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Closes CVE2007-3639
@DPATCH@
diff -Nru wordpress/wp-includes/pluggable-functions.php wordpress-etch/wp-includes/pluggable-functions.php
--- wordpress-etch/wp-includes/pluggable-functions.php 2007-03-26 01:12:38.000000000 +0200
+++ wordpress-etch/wp-includes/pluggable-functions.php 2008-04-22 13:14:13.000000000 +0200
@@ -120,6 +120,8 @@
if ( $userdata )
return $userdata;
+ $user_login = $wpdb->escape($user_login);
+
if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_login = '$user_login'") )
return false;
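Review bot: the escaped value is written back into the `$user_login` parameter itself rather than into a query-local variable, so anything later in the function that still reads `$user_login` (a cache key, an error message, a comparison against the returned row) now sees the SQL-escaped form instead of the caller's original. Suggest `$login_sql = $wpdb->escape($user_login);` and interpolating `$login_sql` into the `SELECT`, leaving `$user_login` untouched. Escaping immediately before the query is built is the right placement, and the value remains inside single quotes in the statement, which is what makes `$wpdb->escape()` sufficient at this point.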
@@ -257,18 +259,73 @@
function wp_redirect($location, $status = 302) {
global $is_IIS;
+ $location = apply_filters('wp_redirect', $location, $status);
+
+ if ( !$location ) // allows the wp_redirect filter to cancel a redirect
+ return false;
+
+ $location = wp_sanitize_redirect($location);
+
+ if ( $is_IIS ) {
+ header("Refresh: 0;url=$location");
+ } else {
+ if ( php_sapi_name() != 'cgi-fcgi' )
+ status_header($status); // This causes problems on IIS and some FastCGI setups
+ header("Location: $location");
+ }
+}
+endif;
+
+if ( !function_exists('wp_sanitize_redirect') ) :
+/**
+* sanitizes a URL for use in a redirect
+* @return string redirect-sanitized URL
+**/
+function wp_sanitize_redirect($location) {
$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
+ $location = wp_kses_no_null($location);
+ // remove %0d and %0a from location
$strip = array('%0d', '%0a');
- $location = str_replace($strip, '', $location);
-
- if ( $is_IIS ) {
- header("Refresh: 0;url=$location");
- } else {
- if ( php_sapi_name() != 'cgi-fcgi' )
- status_header($status); // This causes problems on IIS and some FastCGI setups
- header("Location: $location");
+ $found = true;
+ while($found) {
+ $found = false;
+ foreach($strip as $val) {
+ while(strpos($location, $val) !== false) {
+ $found = true;
+ $location = str_replace($val, '', $location);
+ }
+ }
}
+
+ return $location;
+}
+endif;
+
+if ( !function_exists('wp_safe_redirect') ) :
+/**
+* performs a safe (local) redirect, using wp_redirect()
+* @return void
+**/
+function wp_safe_redirect($location, $status = 302) {
+
+ // Need to look at the URL the way it will end up in wp_redirect()
+ $location = wp_sanitize_redirect($location);
+
+ // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
+ if ( substr($location, 0, 2) == '//' )
+ $location = 'http:' . $location;
+
+ $lp = parse_url($location);
+ $wpp = parse_url(get_option('home'));
+
+ $allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']));
+
+ if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
+ $location = get_option('siteurl') . '/wp-admin/';
+
+ wp_redirect($location, $status);
+
}
endif;
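Review bot: the `%0d`/`%0a` stripping loop in `wp_sanitize_redirect()` is case-sensitive (`str_replace`), while the `preg_replace` just above it runs with the `i` flag and keeps both cases of every letter, so `%0D` and `%0A` pass through the sanitizer unchanged; either add the upper-case spellings to `$strip` or use `str_ireplace`, e.g. `$location = str_ireplace($val, '', $location);`. The same asymmetry appears in `wp_safe_redirect()`: `$wpp['host']` is lowercased before the `!=` comparison but `$lp['host']` is not, and the `in_array()` check against `$allowed_hosts` is case-sensitive as well, so a redirect to the site's own host written in mixed case is sent to `/wp-admin/` instead of its target. Normalising `$lp['host']` with `strtolower()` once, before both checks, would make the allow-list behave consistently.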
@@ -510,4 +567,4 @@
}
endif;
-?>
\ No newline at end of file
+?>
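Review bot: this hunk is a whitespace-only change (it adds the missing newline after the closing `?>`) with no relation to the CVE the dpatch header says it closes; for a security-only update it would be cleaner to leave it out so the patch is auditable as exactly the fix. Functionally it is harmless: PHP discards a single newline immediately following `?>`, so no output is emitted before headers are sent.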