Explicitely exit after redirection where needed (#3257)

Fixes #3217 Would fix #2688 if it weren't already fixed
2022-03-20 20:54:03 +01:00 · 2022-03-20 20:54:03 +01:00 · 402dfd0f6a
commit 402dfd0f6a
parent 3828863675
5 changed files with 16 additions and 7 deletions
--- a/admin/plugins.php
+++ b/admin/plugins.php
@ -22,16 +22,18 @@ if( isset( $_GET['action'] ) ) {
 		switch( $_GET['action'] ) {
 			case 'activate':
 				$result = yourls_activate_plugin( $_GET['plugin'].'/plugin.php' );
-				if( $result === true )
-					yourls_redirect( yourls_admin_url( 'plugins.php?success=activated' ), 302 );
-
+				if( $result === true ) {
+                    yourls_redirect(yourls_admin_url('plugins.php?success=activated'), 302);
+                    exit();
+                }
 				break;

 			case 'deactivate':
 				$result = yourls_deactivate_plugin( $_GET['plugin'].'/plugin.php' );
-				if( $result === true )
-					yourls_redirect( yourls_admin_url( 'plugins.php?success=deactivated' ), 302 );
-
+				if( $result === true ) {
+                    yourls_redirect(yourls_admin_url('plugins.php?success=deactivated'), 302);
+                    exit();
+                }
 				break;

 			default:
--- a/includes/Config/Init.php
+++ b/includes/Config/Init.php
@ -87,6 +87,7 @@ class Init {
            if (!yourls_is_installed() && !yourls_is_installing()) {
                yourls_no_cache_headers();
                yourls_redirect( yourls_admin_url('install.php'), 307 );
+                exit();
            }
        }

@ -95,6 +96,7 @@ class Init {
            if (!yourls_is_upgrading() && !yourls_is_installing() && yourls_upgrade_is_needed()) {
                yourls_no_cache_headers();
                yourls_redirect( yourls_admin_url('upgrade.php'), 307 );
+                exit();
            }
        }

--- a/includes/functions-auth.php
+++ b/includes/functions-auth.php
@ -99,7 +99,7 @@ function yourls_is_valid_user() {
 			// Login form : redirect to requested URL to avoid re-submitting the login form on page reload
 			if( isset( $_REQUEST['username'] ) && isset( $_REQUEST['password'] ) && isset( $_SERVER['REQUEST_URI'] ) ) {
 			    // The return makes sure we exit this function before waiting for redirection.
-                // This fixes #3189 and honestly I'm not sure why.
+                // See #3189 and note in yourls_redirect()
 				return yourls_redirect( yourls_sanitize_url_safe($_SERVER['REQUEST_URI']) );
 			}
 		}
--- a/includes/functions.php
+++ b/includes/functions.php
@ -220,6 +220,9 @@ function yourls_get_referrer() {
 * is achieved with PHP's header(). If headers have been sent already and we're not in a command line
 * client, redirection occurs with Javascript.
 *
+ * Note: yourls_redirect() does not exit automatically, and should almost always be followed by a call to exit()
+ * to prevent the script from continuing.
+ *
 * @since 1.4
 * @param string $location      URL to redirect to
 * @param int    $code          HTTP status code to send
--- a/yourls-infos.php
+++ b/yourls-infos.php
@ -8,6 +8,7 @@ yourls_maybe_require_auth();
 if ( !isset( $keyword ) ) {
 	yourls_do_action( 'infos_no_keyword' );
 	yourls_redirect( YOURLS_SITE, 302 );
+	exit;
 }

 // Get basic infos for this shortened URL
@ -26,6 +27,7 @@ if( $title == '' ) {
 if ( $longurl === false ) {
 	yourls_do_action( 'infos_keyword_not_found' );
 	yourls_redirect( YOURLS_SITE, 302 );
+    exit;
 }

 yourls_do_action( 'pre_yourls_infos', $keyword );