docs: warn that configured hosts are added to the redirect allowlist #5

Merged
eric merged 1 commit from docs/allowed-redirect-hosts-warning into main 2026-06-27 15:31:19 -07:00
Owner

Summary

  • README: adds a warning to the Hostname field description that only domains you own should be configured
  • Settings UI: adds a description note below the host table with the same guidance
  • .pot: adds the new translatable string

Motivation

Hardening note #4 from the 2026-06-27 security audit. RedirectGuard::filterAllowedHosts() correctly adds all configured hosts to allowed_redirect_hosts — that's required behaviour. The concern is operator misconfiguration (adding a domain they don't own). No code fix is possible since ownership can't be verified at runtime; documentation is the right mitigation.

Test plan

  • composer lint — clean
  • No logic changes; no unit tests required

🤖 Generated with Claude Code

docs: warn that configured hosts are added to the redirect allowlist
All checks were successful
CI / Lint + Static Analysis (pull_request) Successful in 1m54s
CI / Unit Tests (PHP 8.2) (pull_request) Successful in 45s
CI / Unit Tests (PHP 8.3) (pull_request) Successful in 1m13s
CI / Unit Tests (PHP 8.4) (pull_request) Successful in 1m15s
CI / Unit Tests (PHP 8.5) (pull_request) Successful in 1m10s
a46af7fc35
Every configured host is added to WordPress's allowed_redirect_hosts,
which permits wp_safe_redirect() to redirect there. Operators should
only add hostnames they own and control.

README: adds the warning to the Hostname field description in the
configuration table.
Settings UI: adds a description note below the host table.
.pot: adds the new translatable string.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
eric merged commit 44853b05c4 into main 2026-06-27 15:31:19 -07:00
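
The effect the commit message describes, and a check an operator can run against their own domain inventory, as an added example. It is not the plugin's code and not WordPress's implementation. `resolveRedirect()`, `hostsOutsideInventory()`, the host names and the inventory list are all hypothetical, and the model only handles absolute URLs.

```php
<?php
declare(strict_types=1);

// Constructed sample data: hosts entered in the plugin settings, and the
// operator's own inventory of domains they control. All values hypothetical.
$configuredHosts = ['shop.example.com', 'blog.example.com', 'partner-site.example.net'];
$ownedDomains    = ['example.com'];

/**
 * Models the allowlist decision: a redirect target is kept only when its host
 * is the site's own host or an allowlisted host; otherwise the fallback is used.
 * A simplified model of the behaviour described for wp_safe_redirect().
 */
function resolveRedirect(string $location, string $siteHost, array $allowedHosts, string $fallback): string
{
    $host = parse_url($location, PHP_URL_HOST);
    if (!is_string($host)) {
        return $fallback; // unparseable URL or no host component
    }
    $allowed = array_map('strtolower', array_merge([$siteHost], $allowedHosts));
    return in_array(strtolower($host), $allowed, true) ? $location : $fallback;
}

/** Returns configured hosts that are neither an owned domain nor a subdomain of one. */
function hostsOutsideInventory(array $configuredHosts, array $ownedDomains): array
{
    return array_values(array_filter($configuredHosts, function (string $host) use ($ownedDomains): bool {
        $host = strtolower(rtrim($host, '.'));
        foreach ($ownedDomains as $domain) {
            $domain = strtolower($domain);
            // Match on a label boundary so "notexample.com" does not pass for "example.com".
            if ($host === $domain || str_ends_with($host, '.' . $domain)) {
                return false;
            }
        }
        return true;
    }));
}

$fallback = 'https://shop.example.com/wp-admin/';
// A configured host is accepted as a redirect destination.
echo resolveRedirect('https://partner-site.example.net/landing', 'shop.example.com', $configuredHosts, $fallback), "\n";
// A host that was never configured is replaced by the fallback.
echo resolveRedirect('https://unlisted.example.org/', 'shop.example.com', $configuredHosts, $fallback), "\n";
// Entries to review before saving the settings.
print_r(hostsOutsideInventory($configuredHosts, $ownedDomains));
```

Any entry reported by `hostsOutsideInventory()` becomes a valid redirect destination once saved, so it should be confirmed as owned or removed.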
Reference
eric/multi-domain-redux!5