[wp-trac] [WordPress Trac] #20060: wp_redirect() doesn't exit
WordPress Trac
wp-trac at lists.automattic.com
Wed Feb 22 10:33:19 UTC 2012
#20060: wp_redirect() doesn't exit
--------------------------------------+------------------------------
 Reporter:  iandunn                   |       Owner:
     Type:  enhancement               |      Status:  new
 Priority:  normal                    |   Milestone:  Awaiting Review
Component:  Security                  |     Version:
 Severity:  normal                    |  Resolution:
 Keywords:  needs-patch dev-feedback  |
--------------------------------------+------------------------------
Comment (by hakre):
I must admit that I don't really understand the security issue.
What's wrong with writing:
{{{
wp_redirect( $location, $status );
exit;
}}}
(apart from the fact that you're using {{{exit;}}}, which is a code smell)?

There is no security issue I can see with it on such a generic level. The
[http://kristofmattei.be/2009/04/14/php-code-security-problem-with-header%E2%80%9Clocation-%E2%80%A6%E2%80%9D/ blog post]
you gave in #15518 is not specifically WordPress-related but just highlights
a problem that could happen if you don't know what an HTTP response, and
specifically a header, is and your own programming logic does not take care.

My 2 cents: I just have a problem seeing an actual issue here that could
be patched out globally. Probably a first step would be to leave a note in
the Codex that users who don't want the program to continue after they used
{{{wp_redirect}}} should call {{{exit}}} or {{{die}}}.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20060#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
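
Added example, not part of the ticket or of WordPress itself: a sketch of the behaviour the comment describes, where code after a redirect keeps running unless the caller stops it. The handler names, the /wp-login.php target and the stand-in wp_redirect() (which records the header instead of sending it) are assumptions made so the script runs under the PHP CLI without WordPress.

```php
<?php
// Constructed demo; handler names and the redirect target are hypothetical.
$headers = array();  // headers the response would carry
$deleted = array();  // side effects of the privileged action

// Stand-in so this runs without WordPress. Like the real wp_redirect(),
// it only queues a Location header and returns to the caller.
if ( ! function_exists( 'wp_redirect' ) ) {
    function wp_redirect( $location, $status = 302 ) {
        global $headers;
        $headers[] = "$status Location: $location";
        return true;
    }
}

// Before: the redirect is treated as if it ended the request.
function delete_item_unguarded( $is_admin, $id ) {
    global $deleted;
    if ( ! $is_admin ) {
        wp_redirect( '/wp-login.php' );
    }
    $deleted[] = $id;            // still runs for the non-admin caller
    echo "item $id deleted\n";   // and the body is still sent after the header
}

// After: stop the script once the redirect header is queued.
function delete_item_guarded( $is_admin, $id ) {
    global $deleted;
    if ( ! $is_admin ) {
        wp_redirect( '/wp-login.php' );
        exit;
    }
    $deleted[] = $id;
    echo "item $id deleted\n";
}

// Report the final state even though the guarded handler calls exit.
register_shutdown_function( function () {
    global $headers, $deleted;
    printf( "redirects queued: %d, items deleted: %s\n", count( $headers ), implode( ',', $deleted ) );
} );

delete_item_unguarded( false, 1 );  // non-admin: redirected, yet item 1 is deleted
delete_item_guarded( false, 2 );    // non-admin: redirected, item 2 untouched
```

Both calls queue a redirect, but only the unguarded handler performs the deletion for the non-admin caller, which is why a missing exit matters when the redirect is acting as an access check.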