Posts, Post Types: Explicitly pass a redirect URL for the post permal…

…ink when submitting the post password form. This allows the subsequent redirect to behave as expected if a site is using a strict referrer policy on the front end which prevents the full referrer from being sent. Props zodiac1978, yogeshbhutkar, hbhalodia, mukesh27. Fixes #62881 git-svn-id: https://develop.svn.wordpress.org/trunk@59753 602fd350-edb4-49c9-b593-d223f7449a82
WordPress · Feb 3, 2025 · 8711aa5 · 8711aa5
1 parent 3ff586a
commit 8711aa5
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 7 deletions.
diff --git a/src/wp-includes/post-template.php b/src/wp-includes/post-template.php
@@ -1780,6 +1780,7 @@ function get_the_password_form( $post = 0 ) {
 	$invalid_password_html = '';
 	$aria                  = '';
 	$class                 = '';
+	$redirect_field        = '';
 
 	// If the referrer is the same as the current request, the user has entered an invalid password.
 	if ( ! empty( $post->ID ) && wp_get_raw_referer() === get_permalink( $post->ID ) && isset( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] ) ) {
@@ -1798,7 +1799,14 @@ function get_the_password_form( $post = 0 ) {
 		$class                 = ' password-form-error';
 	}
 
-	$output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" class="post-password-form' . $class . '" method="post">' . $invalid_password_html . '
+	if ( ! empty( $post->ID ) ) {
+		$redirect_field = sprintf(
+			'<input type="hidden" name="redirect_to" value="%s" />',
+			esc_attr( get_permalink( $post->ID ) )
+		);
+	}
+
+	$output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" class="post-password-form' . $class . '" method="post">' . $redirect_field . $invalid_password_html . '
 	<p>' . __( 'This content is password protected. To view it please enter your password below:' ) . '</p>
 	<p><label for="' . $field_id . '">' . __( 'Password:' ) . ' <input name="post_password" id="' . $field_id . '" type="password" spellcheck="false" required size="20"' . $aria . ' /></label> <input type="submit" name="Submit" value="' . esc_attr_x( 'Enter', 'post password form' ) . '" /></p></form>
 	';

diff --git a/src/wp-login.php b/src/wp-login.php
@@ -764,8 +764,10 @@ function wp_login_viewport_meta() {
 		break;
 
 	case 'postpass':
+		$redirect_to = $_POST['redirect_to'] ?? wp_get_referer();
+
 		if ( ! isset( $_POST['post_password'] ) || ! is_string( $_POST['post_password'] ) ) {
-			wp_safe_redirect( wp_get_referer() );
+			wp_safe_redirect( $redirect_to );
 			exit;
 		}
 
@@ -782,18 +784,17 @@ function wp_login_viewport_meta() {
 		 *
 		 * @param int $expires The expiry time, as passed to setcookie().
 		 */
-		$expire  = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
-		$referer = wp_get_referer();
+		$expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
 
-		if ( $referer ) {
-			$secure = ( 'https' === parse_url( $referer, PHP_URL_SCHEME ) );
+		if ( $redirect_to ) {
+			$secure = ( 'https' === parse_url( $redirect_to, PHP_URL_SCHEME ) );
 		} else {
 			$secure = false;
 		}
 
 		setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
 
-		wp_safe_redirect( wp_get_referer() );
+		wp_safe_redirect( $redirect_to );
 		exit;
 
 	case 'logout':