Administration: After [41120], check for a registered action before sending a Bad Request HTTP response status code.

Props Clorith. Fixes #42240. Built from https://develop.svn.wordpress.org/trunk@41926 git-svn-id: http://core.svn.wordpress.org/trunk@41760 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-25 06:14:58 +02:00 · 2017-10-18 21:01:49 +00:00 · 2017-10-18 21:01:49 +00:00 · 50db4bceb0
commit 50db4bceb0
parent 469e37446e
2 changed files with 12 additions and 2 deletions
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@ -81,6 +81,11 @@ if ( ! empty( $_POST['action'] ) && in_array( $_POST['action'], $core_actions_po
 add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );

 if ( is_user_logged_in() ) {
+	// If no action is registered, return a Bad Request response.
+	if ( ! has_action( 'wp_ajax_' . $_REQUEST['action'] ) ) {
+		wp_die( '0', 400 );
+	}
+
 	/**
 	 * Fires authenticated Ajax actions for logged-in users.
 	 *
@ -91,6 +96,11 @@ if ( is_user_logged_in() ) {
 	 */
 	do_action( 'wp_ajax_' . $_REQUEST['action'] );
 } else {
+	// If no action is registered, return a Bad Request response.
+	if ( ! has_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ) ) {
+		wp_die( '0', 400 );
+	}
+
 	/**
 	 * Fires non-authenticated Ajax actions for logged-out users.
 	 *
@ -102,4 +112,4 @@ if ( is_user_logged_in() ) {
 	do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] );
 }
 // Default status
-wp_die( '0', 400 );
+wp_die( '0' );
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9-beta2-41925';
+$wp_version = '4.9-beta2-41926';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.