WordPress 2.9 – exec-php and header injection
December 27, 2009
Posted by evilzenscientist in: evilzenscientist
Upgrades to WordPress 2.9 on several of the production blogs – and it’s the same old issue with php header injection.
I’ve blogged about this before – and raised a trac ticket. I’m probably going to write a plugin to solve this one for good.
Here’s the change – around line 863 of wp-includes/pluggable.php
/*
** Remove header injection piece - fix for exec-php
** evilzenscientist - 27 Dec 09
** originally from 28 May 08
** ref http://trac.wordpress.org/ticket/2860
       if ( $is_IIS ) {
               header("Refresh: 0;url=$location");
       } else {
               if ( php_sapi_name() != 'cgi-fcgi' )
                       status_header($status); // This causes problems on I
               header("Location: $location", true, $status);
       }
}
endif;
** */
/** added new header injection and refresh
 ** http://trac.wordpress.org/ticket/2860
 ** evilzenscientist - 28 May 2008
 */
       if( !headers_sent() ) {
               if ($is_IIS)
                       header("Refresh: 0;url=$location");
               else
                       header("Location: $location");
       } else
               // headers already sent: fall back to a meta refresh in the page body
               echo "<meta http-equiv='refresh' content='0;url=$location' />";
}
endif;
/** end of change */
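The same fallback packaged as a plugin rather than an edit to wp-includes/pluggable.php, so a core upgrade does not overwrite it. This is an added example, not the author's plugin and not WordPress code: the plugin name is hypothetical, and it relies on wp_redirect() being pluggable (the core copy is only defined if no plugin has defined it first). It also keeps the status code and escapes the URL in the meta-refresh branch, because there the value is written into HTML instead of a header.

```php
<?php
/*
Plugin Name: Redirect Fallback (example)
Description: Hypothetical plugin that overrides the pluggable wp_redirect().
*/

// Active plugins are loaded before wp-includes/pluggable.php, so this
// definition is the one WordPress ends up using.
if ( ! function_exists( 'wp_redirect' ) ) :
function wp_redirect( $location, $status = 302 ) {
	global $is_IIS;

	// Same filters and sanitising as the core function.
	$location = apply_filters( 'wp_redirect', $location, $status );
	$status   = apply_filters( 'wp_redirect_status', $status, $location );
	if ( ! $location ) {
		return false; // a filter cancelled the redirect
	}
	$location = wp_sanitize_redirect( $location );

	if ( ! headers_sent() ) {
		if ( $is_IIS ) {
			header( "Refresh: 0;url=$location" );
		} else {
			if ( php_sapi_name() != 'cgi-fcgi' ) {
				status_header( $status );
			}
			header( "Location: $location", true, $status );
		}
	} else {
		// Output has already started, so header() would fail. The URL now
		// lands inside an HTML attribute: escape it for that context.
		echo "<meta http-equiv='refresh' content='0;url="
			. esc_attr( $location ) . "' />";
	}
}
endif;
```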
Comments»
You are my hero! I am a self-taught beginner with all this codey-code nonsense and you fixed my site! I use Coda for all this type of stuff, and it worked like a charm. Thanks again!
You’re great. This fix worked like a charm.
Thanks man, it worked.