Skip to content

Instantly share code, notes, and snippets.

JustThomas /
Created Feb 4, 2018
nginx: Remove double slashes from URLs

Put the following directives in your server block. nginx will then redirect URLs with double (or triple or multiple) slashes to the corresponding URL with a single slash.

merge_slashes off;
rewrite ^(.*?)//+(.*?)$ $1/$2 permanent;
JustThomas /
Last active May 22, 2021
SQL injection vulnerability in WordPress "User Control" plugin

SQL Injection vulnerability in WordPress "User Control" plugin

The User Control plugin gives administrators the possibility to disable user accounts in WordPress. Users whose accounts have been disabled cannot sign in to WordPress anymore. Unfortunately, the plugin has some serious vulnerabilites which anyone can use to perform SQL queries on the WordPress SQL database.

The plugin has been removed from the official WordPress plugin repository. If this plugin is installed on your WordPress installation, you should remove it ASAP.

Vulnerable code

The plugin contains the following code which is executed on every pageload:

JustThomas /
Last active Feb 25, 2017
Resolve all domains from a CSV export of the wp_domain_mapping database table
[ ! -f $INPUT ] && { echo "$INPUT file not found"; exit 99; }
while read domainid siteid domain active
domain=${domain//\"} # Remove quotes
domainid=${domainid//\"} # Remove quotes
ip=`dig +short $domain | tail -n 1` # Resolve domain name
JustThomas /
Last active Jun 24, 2022
WordPress Multisite: How to fix error "too many redirects"

WordPress Multisite: How to fix error "Request exceeded the limit of 10 internal redirects"

I am running a WordPress multisite network with sub-directory setup. When I check my error.log file, it is full of entries like this one:

Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'Limit InternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

The problem was, in my case, one specific rewrite rule in the .htaccess file.

Problem description


Keybase proof

I hereby claim:

  • I am justthomas on github.
  • I am justthomas ( on keybase.
  • I have a public key whose fingerprint is BD76 69E9 D631 C156 DDB3 832F D815 E4AD 5C9A E6D9

To claim this, I am signing this object:

JustThomas / wordpress_https_workaround.php
Last active Aug 29, 2015
Workaround for redirects with WordPress HTTPS and WordPress MU Domain Mapping
View wordpress_https_workaround.php
Plugin Name: Workaround for HTTPS with Domain Mapping
Description: Disables redirect from MU Domain Mapping Plugin on SSL-secured pages
Author: Thomas Ulrich
Author URI:
Version: 0.1
function tu_wordpress_https_workaround() {