
Changeset 62096


Timestamp:
03/24/2026 02:18:45 AM (6 days ago)
Author:
pento
Message:

Application Passwords: Allow HTTP loopback redirect URLs

This change allows HTTP redirect URLs for loopback addresses (127.0.0.1, [::1]) in wp_is_authorize_application_redirect_url_valid(), regardless of environment type. This aligns the application password implementation with RFC 8252, section 7.3.

It's worth noting that section 8.3 of the RFC recommends against allowing localhost as a loopback redirect, since it may be susceptible to firewall interception and DNS resolution poisoning.

Props aquarius, pento.
Fixes #57809.

Location:
trunk
Files:
1 added
2 edited

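--- a/trunk/src/wp-admin/includes/user.php
+++ b/trunk/src/wp-admin/includes/user.php
@@ -701,5 +701,8 @@
 
 /**
- * Validates the redirect URL protocol scheme. The protocol can be anything except `http` and `javascript`.
+ * Validates the redirect URL protocol scheme.
+ *
+ * The `http` scheme is allowed for loopback IP addresses (127.0.0.1, [::1])
+ * and local environments. The `javascript` and `data` protocols are always rejected.
  *
  * @since 6.3.2
@@ -746,5 +749,12 @@
     }
 
-    if ( 'http' === $scheme && ! $is_local ) {
+    // Allow insecure HTTP connections to locally hosted applications.
+    $is_loopback = in_array(
+        strtolower( $host ),
+        array( '127.0.0.1', '[::1]' ),
+        true
+    );
+
+    if ( 'http' === $scheme && ! $is_local && ! $is_loopback ) {
         return new WP_Error(
             'invalid_redirect_scheme',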
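Review bot: The new `$is_loopback` assignment calls `strtolower( $host )` with no guard in the hunk; unless `$host` is already guaranteed to be a non-empty string earlier in the function, a malformed URL whose host parses to `null` or `false` will trigger a `strtolower()` deprecation on PHP 8.1+ (it still fails closed, since neither value matches the list), so either confirm the earlier guard or write `strtolower( (string) $host )`. The exact-match list is the conservative reading of RFC 8252 section 7.3, excluding `localhost` and the rest of `127/8`, but the inline comment does not say that this is deliberate; a line such as `// Only the exact RFC 8252 §7.3 loopback hosts; 'localhost' is intentionally excluded (see §8.3).` would keep a later change from widening it. The value is also computed even when `$scheme` is not `http`, so folding the `in_array()` into the condition, or computing it only inside an `'http' === $scheme` branch, would read more directly. The enclosing function `wp_is_authorize_application_redirect_url_valid()` starts and ends outside this hunk.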
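--- a/trunk/tests/phpunit/tests/admin/Admin_Includes_User_WpIsAuthorizeApplicationPasswordRequestValid_Test.php
+++ b/trunk/tests/phpunit/tests/admin/Admin_Includes_User_WpIsAuthorizeApplicationPasswordRequestValid_Test.php
@@ -82,4 +82,16 @@
                 'env'                 => $environment_type,
             );
+
+            $datasets[ $environment_type . ' and a "http" loopback "success_url"' ] = array(
+                'request'             => array( 'success_url' => 'http://127.0.0.1:8080/callback' ),
+                'expected_error_code' => '',
+                'env'                 => $environment_type,
+            );
+
+            $datasets[ $environment_type . ' and a "http" loopback "reject_url"' ] = array(
+                'request'             => array( 'reject_url' => 'http://127.0.0.1/callback' ),
+                'expected_error_code' => '',
+                'env'                 => $environment_type,
+            );
         }
 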
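Review bot: The two new datasets only exercise the IPv4 form of the loopback rule; the `[::1]` host that the implementation also accepts has no dataset, and there is no negative dataset asserting that `http://localhost/callback` is still rejected outside a local environment (the commit message cites RFC 8252 section 8.3 as the reason for leaving it out), so a regression that widened the match to `localhost` would pass this suite. An IPv6 success dataset in the same shape as the new ones closes the first gap and is sketched below; the `localhost` rejection case needs its expected error code conditioned on `$environment_type` the way the rest of this provider presumably does, so it is left for the author to add alongside. The enclosing data provider method starts and ends outside this hunk.

```php
            // … unchanged: existing "http" loopback datasets …
            $datasets[ $environment_type . ' and a "http" IPv6 loopback "success_url"' ] = array(
                'request'             => array( 'success_url' => 'http://[::1]:8080/callback' ),
                'expected_error_code' => '',
                'env'                 => $environment_type,
            );
```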