WordPress.org

Make WordPress Core


Ignore:
Timestamp:
11/03/2019 10:08:56 PM (21 months ago)
Author:
jorbin
Message:

General: wp_safe_redirect() and wp_redirect() shouldn't allow non-3xx status codes

Redirects should use redirect status codes and if you attempt to call wp_safe_redirect or wp_redirect with a non redirect status it can lead to undesired behavior and head scratching.

Fixes #44317.
Props spenserhale, johnbillion, mjnewman for initial patch.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/pluggable.php

    r46598 r46641  
    12161216     * @since 1.5.1
    12171217     * @since 5.1.0 The `$x_redirect_by` parameter was added.
     1218     * @since 5.4.0 On invalid status codes, wp_die() is called.
    12181219     *
    12191220     * @global bool $is_IIS
     
    12491250        if ( ! $location ) {
    12501251            return false;
     1252        }
     1253
     1254        if ( 300 > $status || 399 < $status ) {
     1255            wp_die( __( 'HTTP redirect status code must be a redirection code, 3xx.' ) );
    12511256        }
    12521257
Note: See TracChangeset for help on using the changeset viewer.