Make WordPress Core

Opened 12 years ago

Closed 9 years ago

#22612 closed enhancement (fixed)

Filterable default for wp_safe_redirect/wp_validate_redirect

Reported by: batmoo
Owned by: dd32
Milestone: 4.3
Priority: normal
Severity: normal
Version:
Component: HTTP API
Keywords: has-patch commit
Focuses:
Cc:

Description

The default/fallback for wp_safe_redirect is admin_url(). It would be nice to have a filter to be able to modify this (e.g. redirect to home_url() instead, which is probably a better default anyway).

Attachments (3)

22612.diff (557 bytes) - added by anubisthejackle 10 years ago.
22612.2.diff (1.3 KB) - added by anubisthejackle 10 years ago.
22612.3.diff (708 bytes) - added by anubisthejackle 10 years ago.


Change History (15)

#1 @jkudish
12 years ago

  • Cc jkudish added

#2 @ethitter
12 years ago

  • Cc erick@… added

#3 @nacin
11 years ago

  • Component changed from General to HTTP
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release

No objection here.

#4 @anubisthejackle
10 years ago

  • Keywords has-patch needs-testing added; needs-patch removed

Submitted a patch for this. Worked for my testing.

#5 @anubisthejackle
10 years ago

After further testing, I realized that the initial patch allowed you to hijack the website with some simple malicious code in a plugin. Edge case, sure, but it's now fixed in the new patch. In this patch I expanded on it to also run wp_validate_redirect on the default value passed to wp_validate_redirect from the filter. If this is invalid, it again defaults to admin_url().

I also ran into issues with infinite loops due to this, so I expanded wp_redirect so that it checks for the current web page, and if $location is the same, it doesn't run the redirect.

#6 @dd32
10 years ago

  • Keywords commit added; needs-testing removed

No objections to 22612.diff; 22612.2.diff appears to take it a step too far IMHO. Plugins already have complete control over a website; we shouldn't have to protect ourselves from something a plugin does.

#7 @anubisthejackle
10 years ago

I could agree with that; 22612.diff is more in tune with the letter of the ticket.

#8 @kpdesign
10 years ago

  • Keywords needs-docs added

The new filter will also need hook documentation added to the patch.

#9 @anubisthejackle
10 years ago

  • Keywords needs-docs removed

Patch now includes PHPDoc block.

#10 @anubisthejackle
9 years ago

Any news on this?

#11 @dd32
9 years ago

  • Milestone changed from Future Release to 4.3

#12 @dd32
9 years ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 32793:

Add a filter to wp_safe_redirect() for the fallback URL.
Props anubisthejackle. Fixes #22612
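
An added example, not code from this ticket or from WordPress core: a plugin callback for the fallback filter this ticket introduced. It points the fallback at the front page, as the description suggests, and validates its own return value, which is the concern raised in comment #5. The hook name wp_safe_redirect_fallback is the one shipped in WordPress 4.3 and does not appear on this page; the example_* function name and the option key are hypothetical.

```php
<?php
/**
 * Added example: send unsafe wp_safe_redirect() targets to the front page
 * instead of wp-admin. The example_* names and the option key are hypothetical.
 */
add_filter( 'wp_safe_redirect_fallback', 'example_safe_redirect_fallback', 10, 2 );

function example_safe_redirect_fallback( $fallback_url, $status ) {
	// Hypothetical site option holding a local path such as "/welcome/".
	$path = get_option( 'example_redirect_fallback_path', '/' );

	// Accept only a single-slash-rooted local path: no scheme, no host,
	// no protocol-relative "//host" form, no backslashes.
	if ( ! is_string( $path ) || ! preg_match( '#^/(?![/\\\\])[^\\\\]*$#', $path ) ) {
		$path = '/';
	}

	$candidate = home_url( $path );

	// wp_safe_redirect() passes the filtered value to wp_validate_redirect()
	// only as the default, so the value itself is never checked by core.
	// Check it here; an empty string signals that the host was rejected.
	$validated = wp_validate_redirect( wp_sanitize_redirect( $candidate ), '' );

	// Keep the incoming default (admin_url() in core) if the candidate fails.
	return '' !== $validated ? $validated : $fallback_url;
}
```

Hosts other than the site's own pass wp_validate_redirect() only if they are added through the allowed_redirect_hosts filter.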
