[wp-hackers] Bug in wp_sanitize_redirect() on IIS ???

Callum Macdonald lists.automattic.com at callum-macdonald.com
Wed Sep 26 15:19:27 GMT 2007


Aha, yes, good point. Damn those regular expressions, I've never managed 
to get my head round it. I see now, it strips all invalid characters.

Could it be this?
if ( $is_IIS ) {
         header("Refresh: 0;url=$location");

Something to do with the way IIS outputs that header? Anyone got an IIS 
box they could test it on? I don't...

Cheers - Callum.

Peter Westwood wrote:
> Callum Macdonald wrote:
>   
>> G'day,
>>
>> I haven't experienced this personally, but some users of my WP Mail
>> SMTP[1] plugin have reported that the Options page redirection doesn't
>> work properly under IIS. It seems to work fine on LAMP.
>>
>> After clicking "Update Options" the options page redirects to this url:
>> wp-admin/options-general.php?page=wp-mail-smtp2Fwp_mail_smtp.php&updated=true
>>
>>
>> It seems the % is being stripped from the / in the URL. The correct url is:
>> wp-admin/options-general.php?page=wp-mail-smtp%2Fwp_mail_smtp.php&updated=true
>>
>>
>> It seems that this is being stripped out in the
>> wp_sanitize_redirect()[2] function. I can't figure out why it's being
>> re-introduced under Apache though. As far as I can tell the code strips
>> out the % but doesn't add it back anywhere before redirecting.
>>
>> Anyone got any ideas?
>>     
>
> Firstly, the preg_replace character class in wp_sanitize_redirect starts
> with a ^ and is therefore negated - we allow % in those urls so that
> should not be stripping it out I believe.
>
> Could it be an issue with the parse_url call in wp_safe_redirect?
>
> westi
> - --
> Peter Westwood
> http://blog.ftwr.co.uk
>   
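
Added example (not part of the original message, and not WordPress source): a minimal PHP sanitizer in the style the thread discusses, showing that a negated character class which lists % leaves %2F intact while raw and percent-encoded CR/LF are removed. The function name, the exact allowlist and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added illustration; not WordPress source. The function name and the exact
// allowlist below are assumptions made for this example.
function example_sanitize_redirect(string $location): string
{
    // Negated class: the leading ^ means "anything NOT listed here".
    // Only those characters are deleted, so every listed one, % included,
    // passes through untouched.
    $location = preg_replace('|[^a-z0-9\-~+_.?#=&;,/:%]|i', '', $location);

    // Remove percent-encoded CR/LF so the value cannot split the response
    // header. Loop until stable: deleting one match can splice together
    // another (e.g. "%0%0dd" collapses to "%0d").
    do {
        $before   = $location;
        $location = str_ireplace(['%0d', '%0a'], '', $location);
    } while ($location !== $before);

    return $location;
}

// Constructed inputs; the first is the options-page URL quoted in the thread.
$cases = [
    'wp-admin/options-general.php?page=wp-mail-smtp%2Fwp_mail_smtp.php&updated=true',
    "wp-admin/index.php\r\nSet-Cookie: x=1",   // raw CR/LF
    'wp-admin/index.php%0%0dd%0aX-Test:1',     // nested encoded CR/LF
];

foreach ($cases as $in) {
    $out = example_sanitize_redirect($in);
    printf(
        "%s\n  -> %s (%s)\n",
        json_encode($in, JSON_UNESCAPED_SLASHES),
        json_encode($out, JSON_UNESCAPED_SLASHES),
        $in === $out ? 'unchanged' : 'modified'
    );
}
```

The first input comes back unchanged, so a sanitizer of this shape does not account for a missing % in the redirected URL.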


