General: Ignore invalid types for the '_wp_http_referer' URL query variable.

It's expected that this query variable contains a string when it's set, but it's possible for its type to be something else such as an array. Ignoring non-string values prevents cascading errors when its value is passed through functions that expect a string.

Props xknown, costdev, jrf, azaozz

Fixes #57670


git-svn-id: https://develop.svn.wordpress.org/trunk@56115 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
John Blackbourn
2023-06-29 23:25:38 +00:00
parent d48301e572
commit be90d79cb5
2 changed files with 12 additions and 2 deletions


@@ -1976,7 +1976,9 @@ function wp_get_referer() {
}
/**
* Retrieves unvalidated referer from '_wp_http_referer' or HTTP referer.
* Retrieves unvalidated referer from the '_wp_http_referer' URL query variable or the HTTP referer.
*
* If the value of the '_wp_http_referer' URL query variable is not a string then it will be ignored.
*
* Do not use for redirects, use wp_get_referer() instead.
*
@@ -1985,7 +1987,7 @@ function wp_get_referer() {
* @return string|false Referer URL on success, false on failure.
*/
function wp_get_raw_referer() {
if ( ! empty( $_REQUEST['_wp_http_referer'] ) ) {
if ( ! empty( $_REQUEST['_wp_http_referer'] ) && is_string( $_REQUEST['_wp_http_referer'] ) ) {
return wp_unslash( $_REQUEST['_wp_http_referer'] );
} elseif ( ! empty( $_SERVER['HTTP_REFERER'] ) ) {
return wp_unslash( $_SERVER['HTTP_REFERER'] );
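Review bot: The added docblock sentence says a non-string '_wp_http_referer' value "will be ignored", but the `elseif` on the line after the new guard then falls back to `$_SERVER['HTTP_REFERER']`, so a rejected query value is replaced by the HTTP referer rather than producing false; callers reading the docblock should be told that. I would extend the new line to `* If the value of the '_wp_http_referer' URL query variable is not a string then it will be ignored and the HTTP referer is used instead, if set.` The guard itself reads correctly: `empty()` runs first, so `is_string()` is only evaluated for non-empty values, and an array value no longer reaches `wp_unslash()`. The body of wp_get_raw_referer() continues outside the hunk, so the final false return is not visible here.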


@@ -156,4 +156,12 @@ class Tests_Functions_Referer extends WP_UnitTestCase {
$_REQUEST['_wp_http_referer'] = addslashes( 'http://foo.bar/baz' );
$this->assertSame( 'http://foo.bar/baz', wp_get_raw_referer() );
}
/**
* @ticket 57670
*/
public function test_raw_referer_is_false_on_invalid_request_parameter() {
$_REQUEST['_wp_http_referer'] = array( 'demo' );
$this->assertFalse( wp_get_raw_referer() );
}
}
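Review bot: The new test asserts `false` after setting only `$_REQUEST`, but wp_get_raw_referer() falls back to `$_SERVER['HTTP_REFERER']` once the query value is rejected, so the assertion depends on that server variable being unset, which nothing in this hunk establishes (the fixture's set-up is outside the hunk). Adding `unset( $_SERVER['HTTP_REFERER'] );` before the call, or a companion test that sets the server variable and asserts the fallback value, would pin the behaviour the description calls "ignoring". The test also exercises only an array; a data provider over other non-empty, non-string values such as `123` (constructed example) would cover the same `is_string()` guard with little extra code.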