Description: Use safe_redirect on login
 Login: Use wp_safe_redirect() when redirecting the login page if forced
 to use HTTPS.
 Fixes CVE-2018-10100
Author: ocean90
Origin: upstream, https://core.trac.wordpress.org/changeset/42897
Applied-Upstream: 4.9.5
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2018-04-15
--- a/wp-login.php
+++ b/wp-login.php
@@ -14,10 +14,10 @@
 // Redirect to https login if forced to use SSL
 if ( force_ssl_admin() && ! is_ssl() ) {
 	if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
-		wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
+		wp_safe_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
 		exit();
 	} else {
-		wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
+		wp_safe_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
 		exit();
 	}
 }
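Review bot: Both new `wp_safe_redirect()` calls are fed request-controlled values (`$_SERVER['REQUEST_URI']` in the first branch, `$_SERVER['HTTP_HOST']` plus `REQUEST_URI` in the else branch), and nothing in the code says that the host validation is the only thing keeping this redirect on-site. I would add a comment above the `if ( force_ssl_admin() ...` line, such as `// REQUEST_URI and HTTP_HOST are client-supplied; wp_safe_redirect() only follows hosts accepted by wp_validate_redirect().` As far as I know, a rejected host is sent to the fallback location (the admin URL by default) rather than to the HTTPS login URL, dropping the original query string. If so, installs that serve the login page on a mapped or secondary domain would need that host added through the `allowed_redirect_hosts` filter, which is worth stating in the comment or the patch description.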
