[wp-trac] [WordPress Trac] #20060: wp_redirect() doesn't exit

WordPress Trac wp-trac at lists.automattic.com
Fri Feb 17 15:35:12 UTC 2012


#20060: wp_redirect() doesn't exit
-------------------------+--------------------------------------
 Reporter:  iandunn      |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Security     |    Version:
 Severity:  normal       |   Keywords:  needs-patch dev-feedback
-------------------------+--------------------------------------
 As discussed in #15518, not exit()'ing after a redirect can be a security
 vulnerability and also lead to unexpected behavior. I think that most
 developers assume that the API would take care of that for them, since
 that would be the best practice, so they don't do it in their own code.

 There are some cases where features need to redirect without exiting,
 though, so the API needs to support both cases. Ideally wp_redirect()
 should exit() by default, but that would cause too many backwards-
 compatibility issues. So, I'd propose making these changes:

 * Add a new boolean parameter to wp_redirect() that determines if it
 should exit() or not. It's false by default. If it's passed in as true,
 then exit() is called at the end of the function. Having it set to false
 by default avoids the backwards-compatibility issues.
 * Add the new boolean parameter to wp_safe_redirect() also.
 * Create new wp_redirect_exit() function that is a wrapper for
 wp_redirect() and passes in a true value for the new parameter. Then,
 promote this new function on the Codex and other places to inform
 developers that they should be using it unless they actually need to
 execute code after the redirect.
 * Also create wp_safe_redirect_exit() in the same way.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/20060>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
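The failure mode the ticket describes, as an added example that is not part of the ticket or of WordPress core: a handler that redirects unauthorised visitors but keeps running, beside the same handler with the exit() the reporter says developers assume the API performs. The `wp_redirect()` stand-in, the `demo_user_is_admin()` check and the `demo_wp_redirect_exit()` wrapper are assumptions made so the file runs on its own under the PHP CLI; the wrapper only sketches the shape of the `wp_redirect_exit()` helper proposed above.

```php
<?php
// Added example, not code from the ticket or from WordPress core.

// Stand-in for wp_redirect() so this file runs outside WordPress.
// Like the real function it sends a Location header and returns true.
if (!function_exists('wp_redirect')) {
    function wp_redirect($location, $status = 302) {
        header("Location: $location", true, $status);
        return true;
    }
}

// Constructed capability check; inside WordPress this would be something
// like current_user_can('manage_options'). It returns false to simulate an
// anonymous visitor hitting the handler directly.
function demo_user_is_admin() {
    return false;
}

// Vulnerable pattern: the author assumes the redirect ends the request.
function delete_post_unsafe($post_id, array &$log) {
    if (!demo_user_is_admin()) {
        wp_redirect('/wp-login.php');
        // No exit(): the browser is told to go away, but PHP keeps running
        // and the privileged action below still happens on the server.
    }
    $log[] = "deleted post $post_id";
}

// Hardened pattern: stop the request as soon as the redirect is issued.
// wp_redirect() returns false when the 'wp_redirect' filter empties the
// location, so exit only once the redirect was actually sent.
function delete_post_safe($post_id, array &$log) {
    if (!demo_user_is_admin()) {
        if (wp_redirect('/wp-login.php')) {
            exit;
        }
        return; // hypothetical fallback: never fall through to the action
    }
    $log[] = "deleted post $post_id";
}

// Hypothetical wrapper with the shape the ticket proposes for
// wp_redirect_exit(): redirect, then terminate.
function demo_wp_redirect_exit($location, $status = 302) {
    if (wp_redirect($location, $status)) {
        exit;
    }
    return false;
}

$log = array();

delete_post_unsafe(42, $log);
var_dump($log);   // contains "deleted post 42": the redirect did not protect the action

delete_post_safe(42, $log);
// Not reached: delete_post_safe() exits after the redirect, and $log is
// unchanged for the unauthorised visitor.
echo "not reached\n";
```

Run it with `php example.php`: the first var_dump() shows the deletion happened despite the redirect, and nothing after the second call executes. The same fall-through occurs with wp_safe_redirect(), which is why the ticket asks for both functions to gain the exit behaviour.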

