From 946217dccab3008d5514c3948437ee887211fcc9 Mon Sep 17 00:00:00 2001
From: Aaron Jorbin
Date: Sun, 3 Nov 2019 22:10:02 +0000
Subject: [PATCH] General: wp_safe_redirect() and wp_redirect() shouldn't allow non-3xx status codes

Redirects should use redirect status codes and if you attempt to call wp_safe_redirect or wp_redirect with a non redirect status it can lead to undesired behavior and head scratching.

Fixes #44317.
Props spenserhale, johnbillion, mjnewman for initial patch.
Built from https://develop.svn.wordpress.org/trunk@46641

git-svn-id: http://core.svn.wordpress.org/trunk@46441 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/pluggable.php | 5 +++++
 wp-includes/version.php   | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index 47bdafd395..fb44dc35d5 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1215,6 +1215,7 @@ if ( ! function_exists( 'wp_redirect' ) ) :
  *
  * @since 1.5.1
  * @since 5.1.0 The `$x_redirect_by` parameter was added.
+ * @since 5.4.0 On invalid status codes, wp_die() is called.
  *
  * @global bool $is_IIS
  *
@@ -1250,6 +1251,10 @@ if ( ! function_exists( 'wp_redirect' ) ) :
 		return false;
 	}
 
+	if ( 300 > $status || 399 < $status ) {
+		wp_die( __( 'HTTP redirect status code must be a redirection code, 3xx.' ) );
+	}
+
 	$location = wp_sanitize_redirect( $location );
 
 	if ( ! $is_IIS && PHP_SAPI != 'cgi-fcgi' ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5b0d0db53a..9ae1be41fc 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.4-alpha-46640';
+$wp_version = '5.4-alpha-46641';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
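Review bot: The new range check `if ( 300 > $status || 399 < $status )` in the second pluggable.php hunk compares `$status` without normalising it, so a non-numeric string (the parameter is untyped, and by this point it has presumably passed through the `wp_redirect_status` filter, which is outside the hunk) is compared under PHP's string/number comparison rules rather than as the intended numeric range; adding `$status = (int) $status;` immediately before the check makes the intent explicit and gives the later header call a plain integer. The `wp_die()` message on the next line also omits the rejected value, which makes the failure hard to trace to its caller; if the value is added to the message it should be the cast integer rather than the raw argument, because the default `wp_die()` handler renders the message as HTML and a caller-supplied string would otherwise reach the response unescaped. The first hunk documents the new behaviour on `wp_redirect()` only; `wp_safe_redirect()`, named in the commit subject and relying on this check transitively, does not appear in the diff and would benefit from the same `@since 5.4.0` line. The body of `wp_redirect()` begins and ends outside both hunks.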