[wp-trac] [WordPress Trac] #26855: get_blogaddress_by_id used in wp-activate.php limits functionality in MU Domain Mapped Sites

WordPress Trac noreply at wordpress.org
Fri Jan 17 00:28:20 UTC 2014


#26855: get_blogaddress_by_id used in wp-activate.php limits functionality in MU
Domain Mapped Sites
--------------------------+-----------------------------------
 Reporter:  boboudreau    |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Multisite     |    Version:  trunk
 Severity:  normal        |   Keywords:  2nd-opinion has-patch
--------------------------+-----------------------------------
 Is there any reason that wp-activate.php uses get_blogaddress_by_id() to
 fetch the URL of a multi-site blog? Line 98, wordpress/wp-activate.php.

 Most areas in WordPress that need to get a site URL will get it using
 get_site_url() - from wordpress/wp-includes/link-template.php.

 If you have the blog_id, you could switch to the blog in question, and get
 the URL with get_site_url(). Or even, call:

 {{{
 $url = get_site_url($blog_id);
 $login_url = get_site_url($blog_id, 'wp-login.php');
 }}}

 I point this out because get_site_url passes the result to a filter, which
 allows plugins to manipulate the "home page" of a blog. Anyone who uses a
 domain mapping plugin for their child sites
 (http://wordpress.org/plugins/wordpress-mu-domain-mapping/) does not want
 their home URL to be http://basesite.com/fakechildpath, but rather
 http://childsite.com.

 This in itself isn't a huge problem, as http://basesite.com/fakechildpath
 will eventually map to the right place, but it doesn't look nice.

 The real problem occurs when you combine a domain mapping plugin with a
 WordPress security plugin (which forces users to log in with a security
 argument in the querystring which is checked in the Referrer). Here, you'd
 want to rewrite any request for get_site_url with path='wp-login.php' to
 contain the additional querystring.

 There's no rewriting if get_blogaddress_by_id is passed, and so the
 initial login page is forced to be:


 {{{
 <p class="view"><?php printf( __('Your account is now activated. <a
 href="%1$s">View your site</a> or <a href="%2$s">Log in</a>'), $url, $url
 . 'wp-login.php' ); ?></p>
 }}}

 Where $url is http://basesite.com/fakechildpath and the login page looks
 like http://basesite.com/fakechildpath/wp-login.php, which will fail, given
 the requirements placed on the login page (to keep out spambots!).

 Not having the ability to do this is forcing me to modify WP Core, which
 will just get clobbered the next time I update WordPress.

 Thoughts?  I went ahead and created the following patch off of SVN
 (attached):


 {{{
 Index: wp-activate.php
 ===================================================================
 --- wp-activate.php     (revision 26845)
 +++ wp-activate.php     (working copy)
 @@ -106,7 +106,7 @@
                         }
                 } else {
                         extract($result);
 -                       $url = get_blogaddress_by_id( (int) $blog_id);
 +                       $url = get_site_url( (int) $blog_id);
                         $user = get_userdata( (int) $user_id);
                         ?>
                         <h2><?php _e('Your account is now active!');
 ?></h2>
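
Review bot: On the changed line, $url = get_site_url( (int) $blog_id); still feeds the $url != network_home_url('', 'http') check and the "View your site" link further down, and neither is adjusted for the new source. get_site_url() called without a path normally returns the address without a trailing slash and in the currently applicable scheme, so the comparison may stop matching for the main site and the "Log in or go back to the homepage" branch would never be shown. Normalise both sides before comparing (for example with untrailingslashit()) or decide the branch with is_main_site( $blog_id ). For the "View your site" link, get_home_url( (int) $blog_id ) is the closer fit, because the ticket is about the filtered home address and the site URL can differ from it.
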
 @@ -117,7 +117,7 @@
                         </div>

                         <?php if ( $url != network_home_url('', 'http') )
 : ?>
 -                               <p class="view"><?php printf( __('Your
 account is now activated. <a href="%1$s">View your site</a> or <a
 href="%2$s">Log in</a>'), $url, $url . 'wp-login.php' ); ?></p>
 +                               <p class="view"><?php printf( __('Your
 account is now activated. <a href="%1$s">View your site</a> or <a
 href="%2$s">Log in</a>'), $url, get_site_url( (int) $blog_id, 'wp-
 login.php') ); ?></p>
                         <?php else: ?>
                                 <p class="view"><?php printf( __('Your
 account is now activated. <a href="%1$s">Log in</a> or go back to the <a
 href="%2$s">homepage</a>.' ), network_site_url('wp-login.php', 'login'),
 network_home_url() ); ?></p>
                         <?php endif;
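
Review bot: In the added printf() line, both $url and get_site_url( (int) $blog_id, 'wp-login.php') are written into href attributes unescaped, and per the ticket they now come from a function whose result plugins can filter. Wrap each argument in esc_url() before output. The else branch builds its login link with network_site_url('wp-login.php', 'login'); passing 'login' as the scheme argument to get_site_url() here would keep the scheme handling consistent between the two branches.
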

 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/26855>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

