• Hello,

    Recently it seems like when users are putting in passwords in a password protected page, it just redirects them to /wp-login.php?action=postpass and shows a white screen. I debugged with different plugins/themes and the issue still is there. There are no debug messages/logs that show up either.

    I did some debugging and in the wp-login.php file, the wp_get_referer() function does not return the last page's URL. This seems to only be the case on some sites/servers as well. When I tried to echo out wp_get_referer() from the wp-login.php file, there was nothing showing up.

    I ended up editing the file to use $_SERVER['HTTP_REFERER']; instead. I know once WordPress updates, this file will be reset back to use wp_get_referer(). Does anyone else have this issue? Anything we can do to make sure the wp_get_referer() works? I have my quick solution for this problem below:

    wp-login.php file

    case 'postpass':
        // Modified line: core uses $referer = wp_get_referer(); here.
        $referer = $_SERVER['HTTP_REFERER'];

        if ( ! array_key_exists( 'post_password', $_POST ) ) {
            wp_safe_redirect( $referer );
            exit;
        }

        require_once ABSPATH . WPINC . '/class-phpass.php';
        $hasher = new PasswordHash( 8, true );

        /**
         * Filters the life span of the post password cookie.
         *
         * By default, the cookie expires 10 days from creation. To turn this
         * into a session cookie, return 0.
         *
         * @since 3.7.0
         *
         * @param int $expires The expiry time, as passed to setcookie().
         */
        $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );

        if ( $referer ) {
            $secure = ( 'https' === parse_url( $referer, PHP_URL_SCHEME ) );
        } else {
            $secure = false;
        }

        setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );

        wp_safe_redirect( $referer );
        exit;

    case 'logout':

    – Thanks

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    This seems to only be the case on some sites/servers as well

    That strongly indicates a server mis-configuration. There’s a security risk in not validating $_SERVER['HTTP_REFERER'] before using it in a redirect. You could use wp_validate_redirect() for that. But it’s likely why wp_get_referer() isn’t working as expected.

    wp_validate_redirect() is a pluggable function. You could plug in your own version that returns a good URL and wp_get_referer() will likely work. Replacing it from your own plugin would make the modification update safe.

    I suggest plugging in the same version and using it to identify exactly why it’s failing and addressing that one point instead of blindly accepting $_SERVER['HTTP_REFERER'].

    Thread Starter tintedshadows

    (@tintedshadows)

    Hello,

    Thank you for your reply. I disabled all the plugins/themes and it seems to still be an issue with the redirect. It still sets the cookie though.

    I changed the code to use $referer = wp_get_referer($_SERVER['HTTP_REFERER']); instead and it seems to work.

    Do you know the hook or code I would use to plugin into this function so I can make sure it works?

    I did go through all the settings on the install and all look correct.

    – Thanks

    Moderator bcworkz

    (@bcworkz)

    Custom pluggable functions are plugged in by themes and plugins. Creating a basic custom plugin is fairly straightforward. Or add to an existing custom theme/plugin you’ve already created. Just don’t add to code subject to periodic updates.

    On the plugin’s main page (sometimes the only page, or on a custom theme’s functions.php) place a copy of the function’s source code from wp_includes/pluggable.php (starting at line 1452 in v5.8). Be sure to include the

    if ( ! function_exists( 'wp_validate_redirect' ) ) :
        // function declaration here
    endif;

    conditional wrapper. Because of the order that code is loaded in, your version will take precedence over the one in pluggable.php. You only need the conditional wrapper so you can activate the theme/plugin. Edit this version as you wish, but keep security in mind. The less changed the better.
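    One update-safe way to find the failing check without copying core's function: a small diagnostic plugin that observes the 'allowed_redirect_hosts' filter (applied inside wp_validate_redirect()) and logs the raw versus validated referer on the postpass request. This is an added example, not code from this thread or from WordPress; it assumes PHP 7+ and WordPress 4.5+ (for wp_get_raw_referer()), and the "[referer-diag]" prefix and plugin name are placeholders.

```php
<?php
/**
 * Plugin Name: Referer Diagnostics (hypothetical example)
 * Description: Logs why wp_get_referer() rejects the referer on wp-login.php?action=postpass.
 */

// wp_validate_redirect() applies this filter with the host it is about to check
// and the hosts it will accept (home_url() host by default). A mismatch here,
// e.g. www vs non-www or a reverse-proxy hostname that differs from home_url(),
// makes it return false, and wp_get_referer() then returns false too.
add_filter( 'allowed_redirect_hosts', function ( $hosts, $host ) {
    error_log( sprintf(
        '[referer-diag] candidate host "%s" | allowed: %s | home_url() host: %s',
        $host,
        implode( ',', (array) $hosts ),
        (string) wp_parse_url( home_url(), PHP_URL_HOST )
    ) );
    return $hosts; // Observe only; do not widen the allowed list.
}, 10, 2 );

// wp-login.php fires login_form_{$action} just before the switch on $action,
// so this runs right before the 'postpass' case the original post edited.
add_action( 'login_form_postpass', function () {
    $raw       = wp_get_raw_referer();   // _wp_http_referer or HTTP_REFERER, unvalidated
    $validated = wp_get_referer();       // false if validation fails or referer == request URI
    error_log( sprintf(
        '[referer-diag] raw referer: %s | wp_get_referer(): %s | request URI: %s',
        $raw ? $raw : '(none sent)',
        false === $validated ? 'false (rejected)' : $validated,
        $_SERVER['REQUEST_URI'] ?? ''
    ) );
} );
```

Messages go to the PHP error log, which is independent of WP_DEBUG_LOG; compare the candidate host against the allowed list to see which point fails, then fix that one point (for example via the 'allowed_redirect_hosts' filter or the site URL settings) rather than bypassing validation.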

  • The topic ‘wp_get_referer() not working on password protected pages’ is closed to new replies.