Reject success URLs that contain a username credential. These are almost exclusively used for phishing and is deprecated in modern browsers.

johnbillion · johnbillion · commit 24737a674f3e · 2026-02-27T12:57:23.000Z
diff --git a/src/wp-admin/authorize-application.php b/src/wp-admin/authorize-application.php
@@ -51,7 +51,7 @@
 	}
 
 	if ( $redirect ) {
-		// Explicitly not using wp_safe_redirect b/c sends to arbitrary domain.
+		// Explicitly not using wp_safe_redirect b/c sends to arbitrary domain or custom scheme URL.
 		wp_redirect( $redirect );
 		exit;
 	}
diff --git a/src/wp-admin/includes/user.php b/src/wp-admin/includes/user.php
@@ -735,6 +735,13 @@ function wp_is_authorize_application_redirect_url_valid( $url ) {
 		);
 	}
 
+	if ( null !== wp_parse_url( $url, PHP_URL_USER ) ) {
+		return new WP_Error(
+			'invalid_redirect_url_format',
+			__( 'Credentials are not allowed in the URL.' )
+		);
+	}
+
 	if ( 'http' === $scheme && ! $is_local ) {
 		return new WP_Error(
 			'invalid_redirect_scheme',
diff --git a/tests/phpunit/tests/admin/Admin_Includes_User_WpIsAuthorizeApplicationPasswordRequestValid_Test.php b/tests/phpunit/tests/admin/Admin_Includes_User_WpIsAuthorizeApplicationPasswordRequestValid_Test.php
@@ -64,9 +64,15 @@ public function data_is_authorize_application_password_request_valid() {
 				'env'                 => $environment_type,
 			);
 
-			$datasets[ $environment_type . ' and a "http" scheme "reject_url"' ] = array(
-				'request'             => array( 'reject_url' => 'http://example.org' ),
-				'expected_error_code' => 'local' === $environment_type ? '' : 'invalid_redirect_scheme',
+			$datasets[ $environment_type . ' and a userinfo "success_url"' ] = array(
+				'request'             => array( 'success_url' => 'https://user:pass@evil.com/capture' ),
+				'expected_error_code' => 'invalid_redirect_url_format',
+				'env'                 => $environment_type,
+			);
+
+			$datasets[ $environment_type . ' and a userinfo-only "success_url"' ] = array(
+				'request'             => array( 'success_url' => 'https://google.com@evil.com/capture' ),
+				'expected_error_code' => 'invalid_redirect_url_format',
 				'env'                 => $environment_type,
 			);
 		}
diff --git a/tests/phpunit/tests/admin/Admin_Includes_User_WpIsAuthorizeApplicationRedirectUrlValid_Test.php b/tests/phpunit/tests/admin/Admin_Includes_User_WpIsAuthorizeApplicationRedirectUrlValid_Test.php
@@ -0,0 +1,125 @@
+<?php
+
+/**
+ * @group admin
+ * @group user
+ *
+ * @covers ::wp_is_authorize_application_redirect_url_valid
+ */
+class Admin_Includes_User_WpIsAuthorizeApplicationRedirectUrlValid_Test extends WP_UnitTestCase {
+
+	/**
+	 * Test redirect URL validation for application password authorization.
+	 *
+	 * @ticket nnnnn
+	 *
+	 * @dataProvider data_is_authorize_application_redirect_url_valid
+	 *
+	 * @param string $url                 The URL to validate.
+	 * @param string $expected_error_code The expected error code, empty if no error is expected.
+	 * @param string $expected_message    The expected error message, empty if no error is expected.
+	 * @param string $env                 The environment type. Defaults to 'production'.
+	 */
+	public function test_is_authorize_application_redirect_url_valid( $url, $expected_error_code, $expected_message = '', $env = 'production' ) {
+		putenv( "WP_ENVIRONMENT_TYPE=$env" );
+
+		$actual = wp_is_authorize_application_redirect_url_valid( $url );
+
+		putenv( 'WP_ENVIRONMENT_TYPE' );
+
+		if ( $expected_error_code ) {
+			$this->assertWPError( $actual, 'A WP_Error object is expected.' );
+			$this->assertSame( $expected_error_code, $actual->get_error_code(), 'Unexpected error code.' );
+			if ( $expected_message ) {
+				$this->assertSame( $expected_message, $actual->get_error_message(), 'Unexpected error message.' );
+			}
+		} else {
+			$this->assertNotWPError( $actual, 'A WP_Error object is not expected.' );
+		}
+	}
+
+	public function data_is_authorize_application_redirect_url_valid() {
+		return array(
+			// Empty URL is valid (no redirect).
+			'empty URL'                              => array(
+				'url'                 => '',
+				'expected_error_code' => '',
+			),
+
+			// Valid HTTPS URLs.
+			'https URL'                              => array(
+				'url'                 => 'https://example.org',
+				'expected_error_code' => '',
+			),
+			'https URL with path'                    => array(
+				'url'                 => 'https://example.org/callback',
+				'expected_error_code' => '',
+			),
+			'https URL with port'                    => array(
+				'url'                 => 'https://example.org:8443/callback',
+				'expected_error_code' => '',
+			),
+			'https URL with query params'            => array(
+				'url'                 => 'https://example.org/callback?existing=param',
+				'expected_error_code' => '',
+			),
+
+			// Valid app scheme URLs.
+			'app scheme URL'                         => array(
+				'url'                 => 'wordpress://example',
+				'expected_error_code' => '',
+			),
+			'custom app scheme URL'                  => array(
+				'url'                 => 'myapp://callback',
+				'expected_error_code' => '',
+			),
+
+			// Userinfo in URL (authority confusion attack).
+			'username and password in URL'           => array(
+				'url'                 => 'https://user:pass@evil.com/capture',
+				'expected_error_code' => 'invalid_redirect_url_format',
+				'expected_message'    => 'Credentials are not allowed in the URL.',
+			),
+			'username only in URL'                   => array(
+				'url'                 => 'https://google.com@evil.com/capture',
+				'expected_error_code' => 'invalid_redirect_url_format',
+				'expected_message'    => 'Credentials are not allowed in the URL.',
+			),
+			'username with empty password in URL'    => array(
+				'url'                 => 'https://user:@evil.com/capture',
+				'expected_error_code' => 'invalid_redirect_url_format',
+				'expected_message'    => 'Credentials are not allowed in the URL.',
+			),
+
+			// Invalid protocols.
+			'javascript protocol'                    => array(
+				'url'                 => 'javascript:alert(1)',
+				'expected_error_code' => 'invalid_redirect_url_format',
+			),
+			'data protocol'                          => array(
+				'url'                 => 'data:text/html,<script>alert(1)</script>',
+				'expected_error_code' => 'invalid_redirect_url_format',
+			),
+
+			// Invalid format.
+			'no scheme'                              => array(
+				'url'                 => 'example.org/callback',
+				'expected_error_code' => 'invalid_redirect_url_format',
+			),
+
+			// HTTP scheme depends on environment.
+			'http URL on production'                 => array(
+				'url'                 => 'http://example.org',
+				'expected_error_code' => 'invalid_redirect_scheme',
+				'expected_message'    => '',
+				'env'                 => 'production',
+			),
+			'http URL on local'                      => array(
+				'url'                 => 'http://example.org',
+				'expected_error_code' => '',
+				'expected_message'    => '',
+				'env'                 => 'local',
+			),
+		);
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`if ( $redirect ) {`
`54`		`- // Explicitly not using wp_safe_redirect b/c sends to arbitrary domain.`
	`54`	`+ // Explicitly not using wp_safe_redirect b/c sends to arbitrary domain or custom scheme URL.`
`55`	`55`	`wp_redirect( $redirect );`
`56`	`56`	`exit;`
`57`	`57`	`}`