Description: Better validation of the URL used in HTTP redirects.
Author: ocean90@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/36444
Bug-Debian: https://bugs.debian.org/813697
Applied-Upstream: 4.4.2
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2016-02-06
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -960,9 +960,17 @@
 	if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) )
 		return $default;
 
-	// Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
-	if ( isset($lp['scheme'])  && !isset($lp['host']) )
+	// Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
+	if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
 		return $default;
+	}
+
+	// Reject malformed components parse_url() can return on odd inputs.
+	foreach ( array( 'user', 'pass', 'host' ) as $component ) {
+		if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
+			return $default;
+		}
+	}
 
 	$wpp = parse_url(home_url());
 
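Review bot: The `strpbrk()` call in the new `foreach` is used as a bare truthy value, which is correct only because any match it returns begins with one of `:/?#@` and so can never be an empty or `'0'` string. Writing the test as `false !== strpbrk( $lp[ $component ], ':/?#@' )` states the intent and stays correct if the character list is changed later. The comment above the loop would also be more useful if it said why these characters are rejected, for example `// ':/?#@' are URL delimiters and must not survive inside a parsed user, pass or host; if one does, parse_url() has misread the input.` The enclosing function starts and ends outside the hunk, so how `$lp` is produced, and whether a `false` return from `parse_url()` is handled before these `isset()` checks, cannot be confirmed from here.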
