Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2025-01-03 06:57:35 +01:00
Code Issues Projects Releases Wiki Activity

Administration: Require a valid action parameter to be set for admin-ajax.php requests.

Browse Source 
This avoids `Array to string conversion` PHP notices when an array is passed as the `action` parameter.

Additionally, send an appropriate HTTP response status code when an invalid action is passed to `admin-post.php`.

Follow-up to [13175], [19738], [41120], [41926].

Props dd32.
Fixes #55212.
Built from https://develop.svn.wordpress.org/trunk@52813


git-svn-id: http://core.svn.wordpress.org/trunk@52402 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Sergey Biryukov 2022-03-02 15:00:11 +00:00
parent 257b634b92
commit f891f6f0c6
3 changed files with 21 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
wp-admin/admin-ajax.php
View File

@ -27,8 +27,8 @@ send_origin_headers();
header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) ); header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
header( 'X-Robots-Tag: noindex' ); header( 'X-Robots-Tag: noindex' );
// Require an action parameter. // Require a valid action parameter.
if ( empty( $_REQUEST['action'] ) ) { if ( empty( $_REQUEST['action'] ) || ! is_scalar( $_REQUEST['action'] ) ) {
wp_die( '0', 400 ); wp_die( '0', 400 );
} }
@ -168,7 +168,7 @@ add_action( 'wp_ajax_nopriv_generate-password', 'wp_ajax_nopriv_generate_passwor
add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 ); add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );
$action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : ''; $action = $_REQUEST['action'];
if ( is_user_logged_in() ) { if ( is_user_logged_in() ) {
// If no action is registered, return a Bad Request response. // If no action is registered, return a Bad Request response.
@ -201,5 +201,6 @@ if ( is_user_logged_in() ) {
*/ */
do_action( "wp_ajax_nopriv_{$action}" ); do_action( "wp_ajax_nopriv_{$action}" );
} }
// Default status. // Default status.
wp_die( '0' ); wp_die( '0' );

17
wp-admin/admin-post.php
View File

@ -29,7 +29,12 @@ nocache_headers();
/** This action is documented in wp-admin/admin.php */ /** This action is documented in wp-admin/admin.php */
do_action( 'admin_init' ); do_action( 'admin_init' );
$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action']; $action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
// Reject invalid parameters.
if ( ! is_scalar( $action ) ) {
wp_die( '', 400 );
}
if ( ! is_user_logged_in() ) { if ( ! is_user_logged_in() ) {
if ( empty( $action ) ) { if ( empty( $action ) ) {
@ -40,6 +45,11 @@ if ( ! is_user_logged_in() ) {
*/ */
do_action( 'admin_post_nopriv' ); do_action( 'admin_post_nopriv' );
} else { } else {
// If no action is registered, return a Bad Request response.
if ( ! has_action( "admin_post_nopriv_{$action}" ) ) {
wp_die( '', 400 );
}
/** /**
* Fires on a non-authenticated admin post request for the given action. * Fires on a non-authenticated admin post request for the given action.
* *
@ -59,6 +69,11 @@ if ( ! is_user_logged_in() ) {
*/ */
do_action( 'admin_post' ); do_action( 'admin_post' );
} else { } else {
// If no action is registered, return a Bad Request response.
if ( ! has_action( "admin_post_{$action}" ) ) {
wp_die( '', 400 );
}
/** /**
* Fires on an authenticated admin post request for the given action. * Fires on an authenticated admin post request for the given action.
* *

2
wp-includes/version.php
View File

@ -16,7 +16,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '6.0-alpha-52812'; $wp_version = '6.0-alpha-52813';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.