
Here is a patch I just did:

DISCLAIMER: Works only if you set WP_HOME explicitly. If you define it dynamically based on $_SERVER['HTTP_HOST'] this won't fix it. (Using a switch with $_SERVER['HTTP_HOST'] is fine, except if you set a default.)

  ------[ wp-includes/pluggable.php before ]------

  ...

  if ( !isset( $from_email ) ) {
          // Get the site domain and get rid of www.
          $sitename = strtolower( $_SERVER['SERVER_NAME'] );
          if ( substr( $sitename, 0, 4 ) == 'www.' ) {
                  $sitename = substr( $sitename, 4 );
          }

          $from_email = 'wordpress@' . $sitename;
  }

  ...
  
  -----------------------------------------
  
  ------[ wp-includes/pluggable.php after ]------
  
  ...
  
  if ( !isset( $from_email ) ) {
          // Get the site domain and get rid of www.
          $sitename = strtolower( WP_HOME );
          if ( substr( $sitename, 0, 7 ) == 'http://' ) {
                  $sitename = substr( $sitename, 7 );
          }
          if ( substr( $sitename, 0, 8 ) == 'https://' ) {
                  $sitename = substr( $sitename, 8 );
          }
          if ( substr( $sitename, 0, 4 ) == 'www.' ) {
                  $sitename = substr( $sitename, 4 );
          }
  
          $from_email = 'wordpress@' . $sitename;
  }
  
  ...
  
  -----------------------------------------

edit: please test this on your setup before deploying it.

edit2: fixed with the help of apstls.



Isn't there a good (possible) URL parser out there so substr can be avoided? Manual string editing of data in a known format seems dirty and a source of possible bugs to me.



You could do this a lot easier:

  if ( !isset( $from_email ) ) {
    $sitename = parse_url( strtolower( WP_HOME ) )['host'];

    if ( substr( $sitename, 0, 4 ) == 'www.' ) {
      $sitename = substr( $sitename, 4 );
    }

    $from_email = 'wordpress@' . $sitename;
  }

Edit: you still need to strip out www. if it exists. Also not compatible with < PHP 5.4


They might have avoided this code for compatibility.


Shouldn't it also be removing "http(s)://" regardless of whether or not the domain is prefixed with "www."?


You are right, I fixed it. Thank you!


This doesn't really seem right. Does it handle wp_home being web.example.org? Or any other subdomain other than www?

Perhaps http://stackoverflow.com/a/37987242/383694 would help.

One could [also] verify the domain resolves to the same IP as the server, it seems


Handles it the same way it did before. I'm just fixing the exploit, I don't have the patience to fix all of WordPress ;)
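
Added example, not written by any commenter and not WordPress core code: the host extraction discussed in this thread, done with parse_url() and its PHP_URL_HOST component so it needs no PHP 5.4 array dereferencing, and fed only from a configured URL such as WP_HOME rather than from request data. The helper name from_domain_from_home() and the sample URLs are hypothetical and constructed for illustration.

```php
<?php
// Added example, not WordPress core code. from_domain_from_home() is a hypothetical helper.

/**
 * Derive the mail domain from a configured site URL (e.g. the WP_HOME constant),
 * never from request headers. Returns null when no usable host can be extracted.
 */
function from_domain_from_home( $home ) {
    $home = strtolower( trim( (string) $home ) );

    // parse_url() only reports a host when a scheme is present, so add one if missing.
    if ( ! preg_match( '#^[a-z][a-z0-9+.-]*://#', $home ) ) {
        $home = 'http://' . $home;
    }

    // The component argument returns the host directly; scheme, port and path are dropped.
    $host = parse_url( $home, PHP_URL_HOST );
    if ( ! is_string( $host ) || $host === '' ) {
        return null;
    }

    // Accept only plain hostname labels so nothing unexpected reaches the From header.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if ( ! preg_match( '/^(?:' . $label . '\.)*' . $label . '$/', $host ) ) {
        return null;
    }

    // Same behaviour as the code in the thread: only a leading "www." is removed,
    // so web.example.org stays web.example.org.
    if ( substr( $host, 0, 4 ) === 'www.' ) {
        $host = substr( $host, 4 );
    }
    return $host;
}

// Constructed sample values standing in for the configured URL.
$samples = array(
    'http://www.example.org',
    'https://web.example.org:8443/blog',
    'example.org/path',
    'https://',
);
foreach ( $samples as $home ) {
    $domain = from_domain_from_home( $home );
    echo $home, ' => ', $domain === null ? '(rejected)' : 'wordpress@' . $domain, "\n";
}
```

A caller that gets null back should fall back to a fixed, configured address rather than to $_SERVER values.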



