From 40e1b42dcbb3bbc427389e936720ae3176fd5931 Mon Sep 17 00:00:00 2001
From: Timo Tijhof
Date: Sat, 16 Sep 2023 16:43:01 -0700
Subject: [PATCH] Login and Registration: Check redirect_to type before calling `str_contains()`

This prevents URLs like `/wp-login.php?redirect_to[x]=y` from triggering a HTTP 500 response as result of

> PHP Fatal error: Uncaught TypeError: str_contains():
> Argument #1 ($haystack) must be of type string, array given

See https://core.trac.wordpress.org/ticket/59373

I considered changing the case for "authorize-application.php" to re-use the `$requested_redirect_to` variable but left it as-is because this case reads from _GET whereas the variable also considers POST parameters (via _REQUEST), which might be intentional. This case was introduced in [49109] for #42790.

* change 49109: https://github.com/WordPress/wordpress-develop/commit/1856d0fe2ad01b53daaf8338a4250088367ac948
* issue 42790: https://core.trac.wordpress.org/ticket/42790
---
 src/wp-login.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/wp-login.php b/src/wp-login.php
index 3dbfacfd2bb25..602920771fdd6 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -759,7 +759,7 @@ function wp_login_viewport_meta() {
 wp_logout();
-if ( ! empty( $_REQUEST['redirect_to'] ) ) {
+if ( ! empty( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) {
 $redirect_to = $_REQUEST['redirect_to'];
 $requested_redirect_to = $redirect_to;
 } else {
@@ -1264,7 +1264,7 @@ function wp_login_viewport_meta() {
 }
 }
-$requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
+$requested_redirect_to = ! empty( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
 /**
  * Filters the login redirect URL.
  *
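Review bot: The new `is_string()` guard on the `if` line of the logout hunk carries no explanation, so a later tidy-up could fold it back into a bare `! empty()` and reintroduce the TypeError the commit message describes. A one-line why-comment above the condition would pin the intent: `// A query string like redirect_to[x]=y arrives as an array; treat it as absent (see #59373).` Note that an array value now silently falls into the `else` branch and its default redirect rather than being reported, which seems the right outcome for a logout but is worth stating in the comment. The enclosing case begins before this hunk and the `else` branch continues past it.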
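Review bot: Switching the `$requested_redirect_to` assignment from `isset()` to `! empty()` is a behaviour change beyond the type check: a literal `redirect_to=0` used to be passed through as `'0'` and now becomes `''`, and the commit message only describes the array case. If that is intentional (it does match the `! empty()` form used in the logout hunk), the description should say so; otherwise `isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] )` keeps the old semantics while still rejecting arrays. The `$redirect_to` value derived earlier in this case is outside the hunk; if it is also read from `$_REQUEST['redirect_to']` and fed to a `str_contains()` check, it presumably needs the same guard, otherwise the 500 is only moved rather than removed.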
@@ -1366,7 +1366,7 @@ function wp_login_viewport_meta() {
 $errors->add( 'updated', __( 'You have successfully updated WordPress! Please log back in to see what’s new.' ), 'message' );
 } elseif ( WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED === $action ) {
 $errors->add( 'enter_recovery_mode', __( 'Recovery Mode Initialized. Please log in to continue.' ), 'message' );
-} elseif ( isset( $_GET['redirect_to'] ) && str_contains( $_GET['redirect_to'], 'wp-admin/authorize-application.php' ) ) {
+} elseif ( isset( $_GET['redirect_to'] ) && is_string( $_GET['redirect_to'] ) && str_contains( $_GET['redirect_to'], 'wp-admin/authorize-application.php' ) ) {
 $query_component = wp_parse_url( $_GET['redirect_to'], PHP_URL_QUERY );
 $query = array();
 if ( $query_component ) {
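Review bot: `str_contains( $_GET['redirect_to'], 'wp-admin/authorize-application.php' )` on the changed `elseif` is a substring match, so any URL containing that fragment — on a foreign host, or with the fragment inside a query value — selects this branch and has its query string parsed into `$query` on the following lines. Matching on the parsed path would be more precise: `$redirect_path = (string) wp_parse_url( $_GET['redirect_to'], PHP_URL_PATH );` followed by `str_ends_with( $redirect_path, 'wp-admin/authorize-application.php' )`, assuming a `str_ends_with()` polyfill is available in core as it is for `str_contains()`. What is done with `$query` afterwards lies outside the hunk, so I cannot say whether the looser match has any effect beyond which login message is shown; the `is_string()` guard itself is correct and sufficient for the TypeError this commit fixes.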