
Changeset 46641


Timestamp:
11/03/2019 10:08:56 PM (9 months ago)
Author:
jorbin
Message:

General: wp_safe_redirect() and wp_redirect() shouldn't allow non-3xx status codes

Redirects should use 3xx status codes; calling wp_safe_redirect() or wp_redirect() with a non-redirect status code can lead to undesired behavior and confusing debugging.

Fixes #44317.
Props spenserhale, johnbillion, mjnewman for initial patch.

Location:
trunk
Files:
2 edited

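--- a/trunk/src/wp-includes/pluggable.php
+++ b/trunk/src/wp-includes/pluggable.php
@@ -1216,4 +1216,5 @@
  * @since 1.5.1
  * @since 5.1.0 The `$x_redirect_by` parameter was added.
+ * @since 5.4.0 On invalid status codes, wp_die() is called.
  *
  * @global bool $is_IIS
@@ -1249,4 +1250,8 @@
     if ( ! $location ) {
         return false;
+    }
+
+    if ( 300 > $status || 399 < $status ) {
+        wp_die( __( 'HTTP redirect status code must be a redirection code, 3xx.' ) );
     }
 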
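Review bot: The new range check sits after the empty-`$location` early return, so a caller that passes an invalid status together with an empty location still gets `false` back silently instead of wp_die(); if that is intended, the new docblock line should say so, e.g. `@since 5.4.0 On invalid status codes, wp_die() is called (when $location is non-empty).` It is not visible in this hunk whether wp_redirect() applies a filter to `$status` before sending the header; if such a filter runs after this check, a filter callback can still return a non-3xx code that reaches header() unchecked, so the check belongs after the last point where `$status` can change. The comparison is loose and there is no cast, so a non-numeric `$status` is compared by PHP's juggling rules; `$status = (int) $status;` immediately before the `if` makes the accepted set exactly the integers 300–399. The commit message says wp_safe_redirect() rejects bad codes too, which presumably holds only because it delegates to wp_redirect(); a one-line note in its docblock would make that dependency explicit. wp_redirect()'s body begins and ends outside the hunk.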
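--- a/trunk/tests/phpunit/tests/pluggable.php
+++ b/trunk/tests/phpunit/tests/pluggable.php
@@ -5,4 +5,51 @@
  */
 class Tests_Pluggable extends WP_UnitTestCase {
+
+    /**
+     * @dataProvider get_good_status_codes
+     *
+     * @ticket 44317
+     * @param string $location The path or URL to redirect to.
+     * @param int $status HTTP response status code to use.
+     */
+    public function test_wp_redirect_good_status_code( $location, $status ) {
+        $this->assertTrue( wp_redirect( $location, $status ) );
+    }
+
+    public function get_good_status_codes() {
+        return [
+            // Expected Statuses
+            [ '/wp-admin', 301 ],
+            [ '/wp-admin', 302 ],
+            [ '/wp-admin', 307 ],
+            // Outliers that are valid
+            [ '/wp-admin', 300 ],
+            [ '/wp-admin', 399 ],
+        ];
+    }
+
+    /**
+     * @expectedException WPDieException
+     * @dataProvider get_bad_status_codes
+     *
+     * @ticket 44317
+     * @param string $location The path or URL to redirect to.
+     * @param int $status HTTP response status code to use.
+     */
+    public function test_wp_redirect_bad_status_code( $location, $status ) {
+        wp_redirect( $location, $status );
+    }
+
+    public function get_bad_status_codes() {
+        return [
+            // Tests for bad arguments
+            [ '/wp-admin', 404 ],
+            [ '/wp-admin', 410 ],
+            [ '/wp-admin', 500 ],
+            // Tests for condition.
+            [ '/wp-admin', 299 ],
+            [ '/wp-admin', 400 ],
+        ];
+    }
 
     /**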
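Review bot: Only wp_redirect() is exercised here, although the commit message states that wp_safe_redirect() rejects non-3xx codes as well; a parallel case in each test, `$this->assertTrue( wp_safe_redirect( $location, $status ) );` in the good-code test and `wp_safe_redirect( $location, $status );` under the same `@expectedException WPDieException`, would pin that claim. The good-code provider stops at 307; 308 is the other redirect code in common use and deserves a row, `[ '/wp-admin', 308 ],`. The `// Outliers that are valid` comment should say why 300 and 399 pass, e.g. `// Boundaries of the inclusive 300–399 range accepted by wp_redirect(); not all are assigned codes.` The `@param` docblocks are copied verbatim between the two tests and describe the arguments rather than the expectation; a short purpose line such as `Ensures wp_redirect() calls wp_die() for a non-3xx status.` on the second test would help a reader more.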