From 4beda865665cb3679aa25d8714adf368cd63b9ca Mon Sep 17 00:00:00 2001
From: Himanshu Pathak
Date: Tue, 5 May 2026 14:49:43 +0530
Subject: [PATCH 1/6] simplify current URL generation
---
 src/wp-admin/includes/class-wp-list-table.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/wp-admin/includes/class-wp-list-table.php b/src/wp-admin/includes/class-wp-list-table.php
index 0795da27535c6..f81a93083590d 100644
--- a/src/wp-admin/includes/class-wp-list-table.php
+++ b/src/wp-admin/includes/class-wp-list-table.php
@@ -1040,9 +1040,7 @@ protected function pagination( $which ) {
 $current = $this->get_pagenum();
 $removable_query_args = wp_removable_query_args();
- $current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
-
- $current_url = remove_query_arg( $removable_query_args, $current_url );
+ $current_url = remove_query_arg( $removable_query_args );
 $page_links = array();
From cb31d73c5a6803462c577622305fa0ed2d05e167 Mon Sep 17 00:00:00 2001
From: Himanshu Pathak
Date: Tue, 5 May 2026 14:50:40 +0530
Subject: [PATCH 2/6] Remove URL to default to REQ_URI
---
 src/wp-admin/includes/class-wp-list-table.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/wp-admin/includes/class-wp-list-table.php b/src/wp-admin/includes/class-wp-list-table.php
index f81a93083590d..58a4dd47adec4 100644
--- a/src/wp-admin/includes/class-wp-list-table.php
+++ b/src/wp-admin/includes/class-wp-list-table.php
@@ -1392,8 +1392,7 @@ public function get_column_count() {
 public function print_column_headers( $with_id = true ) {
 list( $columns, $hidden, $sortable, $primary ) = $this->get_column_info();
- $current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
- $current_url = remove_query_arg( 'paged', $current_url );
+ $current_url = remove_query_arg( 'paged' );
 // When users click on a column header to sort by other columns.
 if ( isset( $_GET['orderby'] ) ) {
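Review bot: In `pagination()` (and identically in the `print_column_headers()` hunk of PATCH 2/6) the one-argument `remove_query_arg( $removable_query_args )` leaves no trace of why the host was dropped, and it changes `$current_url` from an absolute URL to whatever `$_SERVER['REQUEST_URI']` holds. A short comment such as `// Deliberately relative: never rebuild the host from the client-supplied HTTP_HOST header.` above the assignment would keep a later refactor from restoring the old line. REQUEST_URI is still request-controlled, so every place that prints `$current_url` further down has to keep escaping it with `esc_url()`; those lines fall outside both hunks, so this is worth confirming there. Both function bodies continue beyond the hunks.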
From 8bea2e8574d9a3035e96a920eea9e0a1243213cb Mon Sep 17 00:00:00 2001
From: Himanshu Pathak
Date: Tue, 5 May 2026 14:52:58 +0530
Subject: [PATCH 3/6] build canonical abs URL from admin URL
---
 src/wp-admin/includes/misc.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/wp-admin/includes/misc.php b/src/wp-admin/includes/misc.php
index 3724684ffd428..8ae70daef9b66 100644
--- a/src/wp-admin/includes/misc.php
+++ b/src/wp-admin/includes/misc.php
@@ -1406,7 +1406,11 @@ function wp_admin_canonical_url() {
 }
 // Ensure we're using an absolute URL.
- $current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
+ // Build the canonical URL using the configured admin URL to avoid issues
+ // with reverse proxies that expose a different host via HTTP_HOST.
+ $path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
+ $query = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_QUERY );
+ $current_url = admin_url( ltrim( $path, '/' ) . ( $query ? '?' . $query : '' ) );
 $filtered_url = remove_query_arg( $removable_query_args, $current_url );
 /**
From d6578b86cd1a72693d06bb978c92670036e1e8b4 Mon Sep 17 00:00:00 2001
From: Himanshu Pathak
Date: Wed, 6 May 2026 12:17:44 +0530
Subject: [PATCH 4/6] add test to ensure pagination does not use HTTP_HOST for URLs
---
 tests/phpunit/tests/admin/wpListTable.php | 31 +++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/tests/phpunit/tests/admin/wpListTable.php b/tests/phpunit/tests/admin/wpListTable.php
index b3de66659b308..7ac450aff63a1 100644
--- a/tests/phpunit/tests/admin/wpListTable.php
+++ b/tests/phpunit/tests/admin/wpListTable.php
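Review bot: The new `admin_url( ltrim( $path, '/' ) ... )` call in `wp_admin_canonical_url()` passes the whole request path, but `admin_url()` appends its argument to the wp-admin base, so a REQUEST_URI of `/wp-admin/edit.php?post_type=post` would, as far as I can tell, canonicalise to a URL with a doubled `wp-admin/wp-admin/` segment (and a subdirectory install would repeat the subdirectory as well). `parse_url()` can also return `false` or `null` for a malformed or path-less value, which then reaches `ltrim()`, and none of the tests added later in the series exercises this function. Taking only the origin from the configured admin URL and appending REQUEST_URI unchanged keeps the intent of ignoring HTTP_HOST without rewriting the path, as sketched below. The function body starts and ends outside the hunk.

```php
// Ensure we're using an absolute URL.
// Scheme, host and port come from the configured admin URL, never from HTTP_HOST.
$admin_parts = wp_parse_url( admin_url() );
$origin      = $admin_parts['scheme'] . '://' . $admin_parts['host'];
if ( isset( $admin_parts['port'] ) ) {
	$origin .= ':' . $admin_parts['port'];
}
// REQUEST_URI already holds the full path and query, including wp-admin/.
$current_url = $origin . $_SERVER['REQUEST_URI'];
$filtered_url = remove_query_arg( $removable_query_args, $current_url );
```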
@@ -592,4 +592,35 @@ public function test_search_box_works_with_orderby_string() {
 $this->assertStringContainsString( $expected_html, $actual );
 }
+
+ public function test_pagination_should_not_use_http_host_for_urls() {
+ $fake_host = 'internal.proxy.example.local';
+ $original_host = $_SERVER['HTTP_HOST'] ?? '';
+
+ $_SERVER['HTTP_HOST'] = $fake_host;
+ $_SERVER['REQUEST_URI'] = '/wp-admin/edit.php?post_type=post';
+
+ $pagination_args = new ReflectionProperty( $this->list_table, '_pagination_args' );
+ if ( PHP_VERSION_ID < 80100 ) {
+ $pagination_args->setAccessible( true );
+ }
+ $pagination_args->setValue(
+ $this->list_table,
+ array(
+ 'total_items' => 100,
+ 'total_pages' => 5,
+ 'per_page' => 20,
+ )
+ );
+
+ $actual = get_echo( array( $this->list_table, 'pagination' ), array( 'top' ) );
+
+ $_SERVER['HTTP_HOST'] = $original_host;
+
+ $this->assertStringNotContainsString(
+ $fake_host,
+ $actual,
+ 'Pagination links should not contain the raw HTTP_HOST value.'
+ );
+ }
 }
From 7f14e5ff6ae48e39c587f0182026641ce9f609b0 Mon Sep 17 00:00:00 2001
From: Himanshu Pathak
Date: Wed, 6 May 2026 12:18:49 +0530
Subject: [PATCH 5/6] add test to ensure column headers do not use HTTP_HOST for URLs
---
 tests/phpunit/tests/admin/wpListTable.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/tests/phpunit/tests/admin/wpListTable.php b/tests/phpunit/tests/admin/wpListTable.php
index 7ac450aff63a1..1494616846017 100644
--- a/tests/phpunit/tests/admin/wpListTable.php
+++ b/tests/phpunit/tests/admin/wpListTable.php
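Review bot: `test_pagination_should_not_use_http_host_for_urls()` only asserts that the fake host is absent, so it also passes when `pagination()` prints no links at all; a positive check such as `$this->assertStringContainsString( 'paged=2', $actual );` (assuming the next-page link carries that argument) would pin that links are still built from the request path. The test also overwrites `$_SERVER['REQUEST_URI']` without restoring it and puts `''` back into `HTTP_HOST` when it was originally unset, so request state can leak into later tests unless the base test case resets it, which is not visible here. Saving both values and restoring them in a `try { ... } finally { ... }` around the `get_echo()` call would cover the failure path as well. The same points apply to `test_print_column_headers_should_not_use_http_host_for_urls()` in PATCH 5/6, where the output may contain no URLs at all if the list table under test has no sortable columns.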
@@ -623,4 +623,22 @@ public function test_pagination_should_not_use_http_host_for_urls() {
 'Pagination links should not contain the raw HTTP_HOST value.'
 );
 }
+
+ public function test_print_column_headers_should_not_use_http_host_for_urls() {
+ $fake_host = 'internal.proxy.example.local';
+ $original_host = $_SERVER['HTTP_HOST'] ?? '';
+
+ $_SERVER['HTTP_HOST'] = $fake_host;
+ $_SERVER['REQUEST_URI'] = '/wp-admin/edit.php?post_type=post';
+
+ $actual = get_echo( array( $this->list_table, 'print_column_headers' ) );
+
+ $_SERVER['HTTP_HOST'] = $original_host;
+
+ $this->assertStringNotContainsString(
+ $fake_host,
+ $actual,
+ 'Column header links should not contain the raw HTTP_HOST value.'
+ );
+ }
 }
From 2dcb0aa8d8813c8768ecc85ee1c6b5c548ee3e13 Mon Sep 17 00:00:00 2001
From: Himanshu Pathak
Date: Wed, 6 May 2026 12:19:29 +0530
Subject: [PATCH 6/6] add tests doc block
---
 tests/phpunit/tests/admin/wpListTable.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/tests/phpunit/tests/admin/wpListTable.php b/tests/phpunit/tests/admin/wpListTable.php
index 1494616846017..a6d9aaeedda1d 100644
--- a/tests/phpunit/tests/admin/wpListTable.php
+++ b/tests/phpunit/tests/admin/wpListTable.php
@@ -593,6 +593,9 @@ public function test_search_box_works_with_orderby_string() {
 $this->assertStringContainsString( $expected_html, $actual );
 }
+ /**
+ * @ticket 16858
+ */
 public function test_pagination_should_not_use_http_host_for_urls() {
 $fake_host = 'internal.proxy.example.local';
 $original_host = $_SERVER['HTTP_HOST'] ?? '';
@@ -624,6 +627,10 @@ public function test_pagination_should_not_use_http_host_for_urls() {
 );
 }
+
+ /**
+ * @ticket 16858
+ */
 public function test_print_column_headers_should_not_use_http_host_for_urls() {
 $fake_host = 'internal.proxy.example.local';
 $original_host = $_SERVER['HTTP_HOST'] ?? '';
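Review bot: The second docblock hunk of PATCH 6/6 adds an empty `+` line in front of `/**` although, judging by the hunk's line counts, a blank line already precedes it, which would leave two consecutive blank lines before `test_print_column_headers_should_not_use_http_host_for_urls()`; the first docblock hunk does not do this. Dropping the extra line keeps the two tests formatted alike. If the other tests in this class carry `@covers` tags, adding `@covers WP_List_Table::pagination` and `@covers WP_List_Table::print_column_headers` next to `@ticket 16858` would be consistent with them.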