Including URL in $_GET variable value breaks user session
-
In 4.2.2 (but not 4.1.5) including a URL in a $_GET variable will prevent WordPress from identifying the current user via functions like current_user_can and get_currentuserinfo, breaking any functionality dependent on same, such as access to private pages, etc.
Reproduction steps:
1. Install clean 4.2.2 with no plugins and the Twenty Fifteen theme.
2. Create private page.
3. Visit private page to confirm that you can see it normally.
4. Add a URL as the value of a $_GET variable, and reload the page with the modified URL.The issue seems to have to do with string matching, as it occurs regardless of URL encoding and ONLY occurs with a complete “https://*.” or “https://*.” string (where * is a wildcard) – omitting any character of the string averts the issue.
Thus, any of the following would produce the error:
https://www.example.com?page_id=5&randomvariable=https://www.yahoo.com
https://www.example.com?page_id=5&randomvariable=http%3A%2F%2Fwww.yahoo.com
https://www.example.com?page_id=5&randomvariable=https://www.but these would not:
https://www.example.com?page_id=5&randomvariable=www.yahoo.com
https://www.example.com?page_id=5&randomvariable=www.yahoo.com
https://www.example.com?page_id=5&randomvariable=https://www
http:/www.example.com?page_id=5&randomvariable=www.yahoo.com
- The topic ‘Including URL in $_GET variable value breaks user session’ is closed to new replies.