Administration: Require a valid action parameter to be set for admin-ajax.php requests.

This avoids `Array to string conversion` PHP notices when an array is passed as the `action` parameter. Additionally, send an appropriate HTTP response status code when an invalid action is passed to `admin-post.php`. Follow-up to [13175], [19738], [41120], [41926]. Props dd32. Fixes #55212. Built from https://develop.svn.wordpress.org/trunk@52813 git-svn-id: http://core.svn.wordpress.org/trunk@52402 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-09-26 06:13:07 +02:00 · 2022-03-02 15:00:11 +00:00 · 2022-03-02 15:00:11 +00:00 · f891f6f0c6
commit f891f6f0c6
parent 257b634b92
3 changed files with 21 additions and 5 deletions
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@ -27,8 +27,8 @@ send_origin_headers();
 header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
 header( 'X-Robots-Tag: noindex' );

-// Require an action parameter.
-if ( empty( $_REQUEST['action'] ) ) {
+// Require a valid action parameter.
+if ( empty( $_REQUEST['action'] ) || ! is_scalar( $_REQUEST['action'] ) ) {
 	wp_die( '0', 400 );
 }

@ -168,7 +168,7 @@ add_action( 'wp_ajax_nopriv_generate-password', 'wp_ajax_nopriv_generate_passwor

 add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );

-$action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';
+$action = $_REQUEST['action'];

 if ( is_user_logged_in() ) {
 	// If no action is registered, return a Bad Request response.
@ -201,5 +201,6 @@ if ( is_user_logged_in() ) {
 	 */
 	do_action( "wp_ajax_nopriv_{$action}" );
 }
+
 // Default status.
 wp_die( '0' );
--- a/wp-admin/admin-post.php
+++ b/wp-admin/admin-post.php
@ -29,7 +29,12 @@ nocache_headers();
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );

-$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
+$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
+
+// Reject invalid parameters.
+if ( ! is_scalar( $action ) ) {
+	wp_die( '', 400 );
+}

 if ( ! is_user_logged_in() ) {
 	if ( empty( $action ) ) {
@ -40,6 +45,11 @@ if ( ! is_user_logged_in() ) {
 		 */
 		do_action( 'admin_post_nopriv' );
 	} else {
+		// If no action is registered, return a Bad Request response.
+		if ( ! has_action( "admin_post_nopriv_{$action}" ) ) {
+			wp_die( '', 400 );
+		}
+
 		/**
 		 * Fires on a non-authenticated admin post request for the given action.
 		 *
@ -59,6 +69,11 @@ if ( ! is_user_logged_in() ) {
 		 */
 		do_action( 'admin_post' );
 	} else {
+		// If no action is registered, return a Bad Request response.
+		if ( ! has_action( "admin_post_{$action}" ) ) {
+			wp_die( '', 400 );
+		}
+
 		/**
 		 * Fires on an authenticated admin post request for the given action.
 		 *
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.0-alpha-52812';
+$wp_version = '6.0-alpha-52813';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.