[wp-trac] [WordPress Trac] #18618: WordPress still relies on HTTP_REFERER for redirects which can be invalid
WordPress Trac
wp-trac at lists.automattic.com
Thu Sep 8 12:10:10 UTC 2011
#18618: WordPress still relies on HTTP_REFERER for redirects which can be invalid
--------------------------+-----------------------------
Reporter: _ck_ | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.2.1
Severity: normal | Keywords:
--------------------------+-----------------------------
Apparently this has not been fixed in over six years either.
The HTTP_REFERER header is not a valid method of redirecting users. It can
be forged, blocked, removed or replaced by proxies, firewalls, etc.
This can cause unexpected behavior in user and admin interfaces.
The most common situation is that the header has been removed by personal
firewalls to protect privacy. So I suggest developers use a browser plugin
to temporarily block the referer and see what behaviors happen.
One consistent example is to try re-checking for spam on comments in the
WP admin with Akismet, but there are other obvious pitfalls in the WP
codebase when you search for HTTP_REFERER.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/18618>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
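As an added illustration of the point the ticket makes (this is not code from the ticket or from WordPress core), the following PHP contrasts a redirect that trusts HTTP_REFERER outright with a helper that only uses the header when it parses as a same-origin http(s) URL and otherwise falls back to a fixed admin path. The function names, the example.com host and the sample header values are constructed assumptions.

```php
<?php
// Added example, not WordPress code. Function names are hypothetical.

// Fragile pattern: whatever the client, a proxy or a personal firewall left
// in the header is used verbatim. Absent header -> "Location: " (broken);
// forged header -> redirect to an arbitrary off-site URL.
function redirect_back_unsafe(): void
{
    header('Location: ' . $_SERVER['HTTP_REFERER']);
    exit;
}

/**
 * Derive a same-origin redirect target from the Referer header, or return
 * $fallback when the header is absent, malformed, non-http(s) or off-site.
 *
 * @param array  $server    Normally $_SERVER; passed in so it can be tested.
 * @param string $site_host Host name this site is served under.
 * @param string $fallback  Site-relative path used when the referer is unusable.
 */
function safe_referer_target(array $server, string $site_host, string $fallback = '/wp-admin/'): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return $fallback;                       // stripped by a privacy proxy/firewall
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return $fallback;                       // malformed or relative value
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;                       // javascript:, data:, ftp:, ...
    }
    if (strcasecmp($parts['host'], $site_host) !== 0) {
        return $fallback;                       // forged or genuinely external referer
    }
    // Rebuild only path and query: userinfo, port and fragment are dropped,
    // and a protocol-relative path ("//other.example") is rejected.
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/' || strpos($path, '//') === 0) {
        return $fallback;
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

// Constructed sample inputs covering the cases the ticket describes.
$cases = [
    'absent'    => [],
    'same-site' => ['HTTP_REFERER' => 'https://example.com/wp-admin/edit-comments.php?comment_status=spam'],
    'off-site'  => ['HTTP_REFERER' => 'https://other.example/login'],
    'scheme'    => ['HTTP_REFERER' => 'javascript:alert(1)'],
    'proto-rel' => ['HTTP_REFERER' => 'https://example.com//other.example/'],
];
foreach ($cases as $label => $server) {
    printf("%-9s -> %s\n", $label, safe_referer_target($server, 'example.com'));
}
```

Only the same-site case yields a path taken from the header; every other case falls back to `/wp-admin/`, which is the behaviour a user with a referer-stripping firewall needs. WordPress itself ships wp_get_referer() and wp_safe_redirect(), which apply the same idea (an allowed-host check with a fallback location); the ticket's complaint is about code paths that read HTTP_REFERER directly instead.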