Bootstrap/Load: Prevent loopback scraping errors when there is no key or nonce.

For error detection and rollback functions WordPress also starts a loopback request to the homepage. This loopback request is made with special parameters that, when they don't match, generate an error. This hardens that flow by exiting out of the check if the nonce or key is missing or the nonce is not saved in the DB. It further hardens it by not caching the failures and asking search engines not to index the URL with the failures.

Props georgwordpress, swissspidy, jorbin.
Fixes #62105.

Built from https://develop.svn.wordpress.org/trunk@59171


git-svn-id: http://core.svn.wordpress.org/trunk@58566 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Aaron Jorbin 2024-10-04 17:36:16 +00:00
parent 245dde2107
commit df9b79e4cd
2 changed files with 14 additions and 2 deletions


@ -1806,8 +1806,20 @@ function wp_start_scraping_edited_file_errors() {
$key = substr( sanitize_key( wp_unslash( $_REQUEST['wp_scrape_key'] ) ), 0, 32 );
$nonce = wp_unslash( $_REQUEST['wp_scrape_nonce'] );
if ( empty( $key ) || empty( $nonce ) ) {
return;
}
if ( get_transient( 'scrape_key_' . $key ) !== $nonce ) {
$transient = get_transient( 'scrape_key_' . $key );
if ( false === $transient ) {
return;
}
if ( $transient !== $nonce ) {
if ( ! headers_sent() ) {
header( 'X-Robots-Tag: noindex' );
nocache_headers();
}
echo "###### wp_scraping_result_start:$key ######";
echo wp_json_encode(
array(
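
Review bot: the new comparison `if ( $transient !== $nonce ) {` is a non-constant-time check of a secret-like value, and `$nonce` is never confirmed to be a string after `wp_unslash( $_REQUEST['wp_scrape_nonce'] )`, so an array submitted as `wp_scrape_nonce` passes the `empty( $nonce )` guard and reaches the transient lookup. Consider returning early when `! is_string( $nonce )`, and comparing with `! hash_equals( $transient, $nonce )` so the mismatch branch does not leak timing information; the rest of the hunk (single `get_transient()` call, early return on `false`, `X-Robots-Tag: noindex` plus `nocache_headers()` on mismatch) matches the commit message.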


@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.7-beta1-59170';
$wp_version = '6.7-beta1-59171';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.