#44317 closed enhancement (fixed)
wp_safe_redirect() and wp_redirect() shouldn't allow non-3xx status codes
Reported by: | johnbillion | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 5.4 | Priority: | normal |
Severity: | normal | Version: | |
Component: | General | Keywords: | good-first-bug has-patch needs-testing has-unit-tests |
Focuses: | Cc: |
Description
It might not be immediately obvious that the below code has a serious bug in it:
wp_safe_redirect( $url, 404 ); exit;
The wp_safe_redirect()
and wp_redirect()
functions should trigger an error if an HTTP status code is passed in that isn't in the 3xx
range. The code above can cause much head scratching when you're presented with a 404 with no output.
I think it would make sense to trigger a wp_die()
error message in this situation, to ensure maximum chance of visibility to the developer.
Attachments (3)
Change History (14)
#4
@
5 years ago
Hi @johnbillion wanted to check-in and see if my proposed patch was along the lines of what you were looking for. Happy to make any adjustments or updates as necessary. Thanks!
#5
@
5 years ago
Hello @mjnewman and @johnbillion,
I added a pull request for a simpler fix to the problem that doesn't change as much.
#6
@
5 years ago
- Milestone changed from Awaiting Review to 5.4
- Owner set to SergeyBiryukov
- Status changed from new to reviewing
Added check_http_status_code() function to check if an HTTP status code is within a specific range, such as 3XX, or a multiple ranges, such as 2XX and 3XX. Includes option to wp_die(). Returns the HTTP status code if it's within the specified range.
Added check_http_status_code() to wp_redirect() after the 'wp_redirect_status' filter is applied.