[wp-trac] [WordPress Trac] #20060: wp_redirect() doesn't exit
WordPress Trac
wp-trac at lists.automattic.com
Fri Feb 17 15:35:12 UTC 2012
#20060: wp_redirect() doesn't exit
-------------------------+--------------------------------------
Reporter: iandunn | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords: needs-patch dev-feedback
-------------------------+--------------------------------------
As discussed in #15518, not exit()'ing after a redirect can be a security
vulnerability and also lead to unexpected behavior. I think that most
developers assume that the API would take care of that for them, since
that would be the best practice, so they don't do it in their own code.
There are some cases where features need to redirect without exiting,
though, so the API needs to support both cases. Ideally wp_redirect()
should exit() by default, but that would cause too many backwards-
compatibility issues. So, I'd propose making these changes:
* Add a new boolean parameter to wp_redirect() that determines if it
should exit() or not. It's false by default. If it's passed in as true,
then exit() is called at the end of the function. Having it set to false
by default avoids the backwards-compatibility issues.
* Add the new boolean parameter to wp_safe_redirect() also.
* Create new wp_redirect_exit() function that is a wrapper for a
wp_redirect() and passes in a true value for the new parameter. Then,
promote this new function on the Codex and other places to inform
developers that they should be using it unless they actually need to
execute code after the redirect.
* Also create wp_safe_redirect_exit() in the same way.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20060>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
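The behaviour the ticket describes, as an added PHP illustration (this is not the reporter's code and not WordPress core): a stand-in `demo_wp_redirect()` that, like `wp_redirect()`, only sends the `Location` header and returns, plus the proposed third boolean parameter and `demo_wp_redirect_exit()` wrapper. The handler names and the `$can_delete` flag are constructed for the example.

```php
<?php
// Added example; function names prefixed demo_ are assumptions standing in
// for wp_redirect() / wp_redirect_exit() as proposed in the ticket.

/**
 * Stand-in for wp_redirect(): sends the Location header and returns.
 * The third parameter is the boolean the ticket proposes; it defaults to
 * false so existing callers keep their current behaviour.
 */
function demo_wp_redirect( $location, $status = 302, $exit = false ) {
    header( 'Location: ' . $location, true, $status );
    if ( $exit ) {
        exit();
    }
    return true;
}

/** Proposed wrapper: identical to demo_wp_redirect() but always exits. */
function demo_wp_redirect_exit( $location, $status = 302 ) {
    demo_wp_redirect( $location, $status, true );
}

/**
 * Written the way the ticket says most developers assume the API works.
 * When $can_delete is false the browser is sent to the login page, but
 * because nothing stops execution the protected action below still runs.
 */
function unsafe_delete_handler( $can_delete ) {
    if ( ! $can_delete ) {
        demo_wp_redirect( '/wp-login.php' );
        // no exit(): falls through to the deletion
    }
    return 'post deleted';
}

/** Same handler using the exiting wrapper; the deletion is unreachable. */
function safe_delete_handler( $can_delete ) {
    if ( ! $can_delete ) {
        demo_wp_redirect_exit( '/wp-login.php' ); // script ends here
    }
    return 'post deleted';
}

// Demonstration (run with `php this_file.php`; header() is harmless on the CLI).
echo "unsafe, not allowed: " . unsafe_delete_handler( false ) . PHP_EOL; // "post deleted"
echo "safe, allowed:       " . safe_delete_handler( true ) . PHP_EOL;    // "post deleted"
echo "safe, not allowed:   ";
safe_delete_handler( false ); // halts before the deletion; nothing more is printed
```

The first line of output is the point of the ticket: the unauthorised request receives a redirect, yet the handler still returns "post deleted". Only the variant that exits after the redirect prevents the fall-through, which is why the ticket wants the exiting form to be the one promoted to developers.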