
Changeset 56844

Timestamp:
10/12/2023 01:24:56 PM (10 months ago)
Author:
audrasjb
Message:

Application Passwords: Prevent the use of some pseudo protocols in application passwords.

Props tykoted, xknown, peterwilsoncc, jorbin, timothyblynjacobs, martinkrcho, paulkevan, dd32, ehtis.
Merges [56837] to the 6.3 branch.

Location:
branches/6.3
Files:
2 edited


  • branches/6.3/src/wp-admin/includes/user.php

    r55988 r56844  
    637637 * @since 5.6.0
    638638 * @since 6.2.0 Allow insecure HTTP connections for the local environment.
     639
    639640 *
    640641 * @param array   $request {
     
    650651 */
    651652function wp_is_authorize_application_password_request_valid( $request, $user ) {
    652     $error    = new WP_Error();
    653     $is_local = 'local' === wp_get_environment_type();
    654 
    655     if ( ! empty( $request['success_url'] ) ) {
    656         $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
    657 
    658         if ( 'http' === $scheme && ! $is_local ) {
     653    $error = new WP_Error();
     654
     655    if ( isset( $request['success_url'] ) ) {
     656        $validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
     657        if ( is_wp_error( $validated_success_url ) ) {
    659658            $error->add(
    660                 'invalid_redirect_scheme',
    661                 __( 'The success URL must be served over a secure connection.' )
     659                ,
     660                )
    662661            );
    663662        }
    664663    }
    665664
    666     if ( ! empty( $request['reject_url'] ) ) {
    667         $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
    668 
    669         if ( 'http' === $scheme && ! $is_local ) {
     665    if ( isset( $request['reject_url'] ) ) {
     666        $validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
     667        if ( is_wp_error( $validated_reject_url ) ) {
    670668            $error->add(
    671                 'invalid_redirect_scheme',
    672                 __( 'The rejection URL must be served over a secure connection.' )
     669                ,
     670                )
    673671            );
    674672        }
     
    699697    return true;
    700698}
     699
     700
     701
     702
     703
     704
     705
     706
     707
     708
     709
     710
     711
     712
     713
     714
     715
     716
     717
     718
     719
     720
     721
     722
     723
     724
     725
     726
     727
     728
     729
     730
     731
     732
     733
     734
     735
     736
     737
     738
     739
     740
     741
     742
     743
     744
     745
     746
     747
     748
     749
     750
     751
     752
     753
     754
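Review bot: The guard at new line 655 changed from `! empty( $request['success_url'] )` to `isset( $request['success_url'] )`, and the same at new line 665 for `reject_url`, so an empty-string URL now reaches `wp_is_authorize_application_redirect_url_valid()` instead of being skipped; whether `''` is then rejected or treated as a valid redirect is decided entirely by that function, whose body (new lines 699–754) is not legible on this page, so a comment such as `// Empty values are passed through on purpose; the validator decides whether '' is acceptable.` above line 655 would make that intent explicit for the next reader. The new docblock line 639 also renders empty here; it should carry an `@since` entry stating that the success and rejection URLs are now validated by `wp_is_authorize_application_redirect_url_valid()` rather than by the inline http/local-environment check that lines 652–658 and 666–669 removed. New lines 659–660 and 669–670 (the arguments to `$error->add()`) are truncated on this page, so the error code and message the caller surfaces cannot be reviewed from what is visible. The body of `wp_is_authorize_application_password_request_valid()` continues outside the hunk (old lines 675–698 are not shown).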