Broken after-search redirect after 3.7.3 on servers with missing $_REQUEST['_wp_http_referer']

[seredniy]

Hey there!

After the 3.7.3 release on some servers without $_REQUEST['_wp_http_referer'] this redirect is broken:

if ( ! empty( $_REQUEST['_wp_http_referer'] && ! empty( $_SERVER['REQUEST_URI'] ) ) ) { //phpcs:ignore WordPress.Security.NonceVerification.Recommended
	// _wp_http_referer is used only on bulk actions, we remove it to keep the $_GET shorter
	wp_safe_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
	exit;
}

For example, WPForms users now have this issue:

After searching I got this URL:

https://site.com/wp-admin/admin.php?page=wpforms-tools&s=asdas&_wpnonce=986a40ee25&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpforms-tools%26view%3Daction-scheduler%26s%3Dwpforms&action=-1&paged=1&action2=-1

And the view changed to the default tab.

It's reproducible for some servers without the $_REQUEST['_wp_http_referer'] parameter. For example Local by Flywheel. No $_REQUEST['_wp_http_referer'] parameter exists, but HTTP_REFERER is set.

[barryhughes]

Thanks for the report, @seredniy!

• Can you confirm if $_GET['_wp_http_referer'] is still set in these cases?
• If you are able to determine this (either by calls to ini_get() or just by inspecting the output of phpinfo()), can you tell me the values of PHP's request_order and variables_order settings?

Just confirming we're addressing the correct thing.

[dimitris-am]

Hey @barryhughes!
I can also reproduce this locally with Local by Flywheel.

• $_GET['_wp_http_referer'] is indeed set and it's pointing to the page before this redirection happens
  • /wp-admin/admin.php?page=wpforms-tools&view=action-scheduler&s=wpforms
• request_order is GP and variables_order is GPCS