Changeset 9559

Timestamp:

02/25/2015 02:56:18 PM (10 years ago)

Author:

boonebgorges

Message:

Improve AJAX referer determination during URI parsing.

When parsing referer URLs during bp_core_set_uri_globals(), BP has
historically used bp_core_referrer() to generate a "current URL" relative to
the current web root. This path is then passed to the 'bp_uri' filter before
being parsed. However, bp_core_referrer() incorrectly returns a URL without
a leading slash, making it a relative path rather than a webroot-absolute path.
The parsing logic later in bp_core_set_uri_globals() makes it so that the
error does not matter from the point of BP core, but plugins filtering 'bp_uri'
will receive a potentially incorrect URL path.

This changeset deprecates the unreliable bp_core_referrer() in favor of
bp_get_referer_path(). The latter function correctly returns URL paths with a
leading slash. bp_get_referer_path() is then used instead of
bp_core_referrer() in bp_core_set_uri_globals().

Props mechter for an initial patch.
Fixes #6252.

Location:

trunk

Files:

• src/bp-core/bp-core-catchuri.php (modified) (1 diff)
• src/bp-core/bp-core-functions.php (modified) (1 diff)
• src/bp-core/deprecated/2.3.php (added)
• src/bp-loader.php (modified) (1 diff)
• tests/phpunit/testcases/core/functions (added)
• tests/phpunit/testcases/core/functions/bpGetRefererPath.php (added)

trunk/src/bp-core/bp-core-catchuri.php

@@ -52 +52 @@
     // Ajax or not?
     if ( defined( 'DOING_AJAX' ) && DOING_AJAX || strpos( $_SERVER['REQUEST_URI'], 'wp-load.php' ) )
-        $path = bp_core_referrer();
+        $path = bp_get_referer_path();
     else
         $path = esc_url( $_SERVER['REQUEST_URI'] );

trunk/src/bp-core/bp-core-functions.php

@@ -836 +836 @@
 
 /**
- * Return the referrer URL without the http(s)://
- *
- * @return string The referrer URL.
- */
-function bp_core_referrer() {
-    $referer = explode( '/', wp_get_referer() );
-    unset( $referer[0], $referer[1], $referer[2] );
-    return implode( '/', $referer );
+ * Return the URL path of the referring page.
+ *
+ * This is a wrapper for `wp_get_referer()` that sanitizes the referer URL to
+ * a webroot-relative path. For example, 'http://example.com/foo/' will be
+ * reduced to '/foo/'.
+ *
+ * @since BuddyPress (2.3.0)
+ *
+ * @return bool|string Returns false on error, a URL path on success.
+ */
+function bp_get_referer_path() {
+    $referer = wp_get_referer();
+
+    if ( false === $referer ) {
+        return false;
+    }
+
+    // Turn into an absolute path.
+    $referer = preg_replace( '|https?\://[^/]+/|', '/', $referer );
+
+    return $referer;
 }
 

trunk/src/bp-loader.php

@@ -462 +462 @@
             require( $this->plugin_dir . 'bp-core/deprecated/2.1.php' );
             require( $this->plugin_dir . 'bp-core/deprecated/2.2.php' );
+            require( $this->plugin_dir . 'bp-core/deprecated/2.3.php' );
         }
     }