Changeset 59753

Timestamp:

02/03/2025 04:53:16 PM (5 weeks ago)

Author:

johnbillion

Message:

Posts, Post Types: Explicitly pass a redirect URL for the post permalink when submitting the post password form.

This allows the subsequent redirect to behave as expected if a site is using a strict referrer policy on the front end which prevents the full referrer from being sent.

Props zodiac1978, yogeshbhutkar, hbhalodia, mukesh27.

Fixes #62881

Location:

trunk/src

Files:

• wp-includes/post-template.php (modified) (2 diffs)
• wp-login.php (modified) (3 diffs)

trunk/src/wp-includes/post-template.php

@@ -1781 +1781 @@
     $aria                  = '';
     $class                 = '';
+    $redirect_field        = '';
 
     // If the referrer is the same as the current request, the user has entered an invalid password.
@@ -1799 +1800 @@
     }
 
-    $output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" class="post-password-form' . $class . '" method="post">' . $invalid_password_html . '
+    if ( ! empty( $post->ID ) ) {
+        $redirect_field = sprintf(
+            '<input type="hidden" name="redirect_to" value="%s" />',
+            esc_attr( get_permalink( $post->ID ) )
+        );
+    }
+
+    $output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" class="post-password-form' . $class . '" method="post">' . $redirect_field . $invalid_password_html . '
     <p>' . __( 'This content is password protected. To view it please enter your password below:' ) . '</p>
     <p><label for="' . $field_id . '">' . __( 'Password:' ) . ' <input name="post_password" id="' . $field_id . '" type="password" spellcheck="false" required size="20"' . $aria . ' /></label> <input type="submit" name="Submit" value="' . esc_attr_x( 'Enter', 'post password form' ) . '" /></p></form>

trunk/src/wp-login.php

@@ -765 +765 @@
 
     case 'postpass':
+        $redirect_to = $_POST['redirect_to'] ?? wp_get_referer();
+
         if ( ! isset( $_POST['post_password'] ) || ! is_string( $_POST['post_password'] ) ) {
-            wp_safe_redirect( wp_get_referer() );
+            wp_safe_redirect( $redirect_to );
             exit;
         }
@@ -783 +785 @@
          * @param int $expires The expiry time, as passed to setcookie().
          */
-        $expire  = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
-        $referer = wp_get_referer();
-
-        if ( $referer ) {
-            $secure = ( 'https' === parse_url( $referer, PHP_URL_SCHEME ) );
+        $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
+
+        if ( $redirect_to ) {
+            $secure = ( 'https' === parse_url( $redirect_to, PHP_URL_SCHEME ) );
         } else {
             $secure = false;
@@ -794 +795 @@
         setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
 
-        wp_safe_redirect( wp_get_referer() );
+        wp_safe_redirect( $redirect_to );
         exit;