From 50db4bceb0d6f48a27c6854a7683e83a39228622 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Wed, 18 Oct 2017 21:01:49 +0000
Subject: [PATCH] Administration: After [41120], check for a registered action before sending a Bad Request HTTP response status code.
Props Clorith.
Fixes #42240.
Built from https://develop.svn.wordpress.org/trunk@41926
git-svn-id: http://core.svn.wordpress.org/trunk@41760 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/admin-ajax.php | 12 +++++++++++-
 wp-includes/version.php | 2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php
index c3fc51499f..579f985c4a 100644
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -81,6 +81,11 @@ if ( ! empty( $_POST['action'] ) && in_array( $_POST['action'], $core_actions_po
 add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );
 if ( is_user_logged_in() ) {
+ // If no action is registered, return a Bad Request response.
+ if ( ! has_action( 'wp_ajax_' . $_REQUEST['action'] ) ) {
+ wp_die( '0', 400 );
+ }
+
 /**
 * Fires authenticated Ajax actions for logged-in users.
 *
@@ -91,6 +96,11 @@ if ( is_user_logged_in() ) {
 */
 do_action( 'wp_ajax_' . $_REQUEST['action'] );
 } else {
+ // If no action is registered, return a Bad Request response.
+ if ( ! has_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ) ) {
+ wp_die( '0', 400 );
+ }
+
 /**
 * Fires non-authenticated Ajax actions for logged-out users.
 *
@@ -102,4 +112,4 @@ if ( is_user_logged_in() ) {
 do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] );
 }
 // Default status
-wp_die( '0', 400 );
+wp_die( '0' );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index a00ac32576..18f099b465 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
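Review bot: The new `has_action( 'wp_ajax_' . $_REQUEST['action'] )` guard in the logged-in branch assumes `action` is a scalar; a request sending `action[]=x` makes the concatenation stringify the array to `Array` (with a PHP notice) and the guard then tests the literal hook name `wp_ajax_Array`, which is almost certainly not what a 400 is meant to cover. Since this is the first place the commit touches the value, I would reject non-strings before building the hook name, `if ( ! is_string( $_REQUEST['action'] ) ) { wp_die( '0', 400 ); }`, and resolve the action once into a local that both the guard and the `do_action()` below reuse. Note also that the guard reads `$_REQUEST['action']` while the core-action whitelist visible in the hunk header keys on `$_POST['action']`, so a request with differing `action` values in query string and body can pass the whitelist on one name and be checked on another; that mismatch predates this commit but the duplicated read makes it easier to fix here. The `if ( is_user_logged_in() )` block opened in this hunk continues past it, and the earlier empty-action guard this code presumably relies on is outside the hunk.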
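Review bot: The `wp_ajax_nopriv_` guard turns the HTTP status into an oracle for unauthenticated clients: an unregistered action now gets 400 while a registered one gets whatever its handler sends (200 by default from `wp_die`), so anyone can probe which `nopriv` hooks, and therefore which plugins, a site has installed, which the uniform `'0'` body previously did not reveal by status alone. This is low impact, since plugin presence is usually discoverable through other means, but it is a deliberate trade-off that deserves a comment next to the check, e.g. `// Note: the 400 distinguishes registered from unregistered nopriv actions, so it is observable by unauthenticated clients.` The `else` block opened in this hunk continues past it.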
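Review bot: The `// Default status` comment above the changed `wp_die( '0' );` is now misleading, because after this commit the line is reached only when a registered handler returns without calling `wp_die()` itself, and it then appends `0` to whatever that handler already echoed with the default 200 status rather than signalling a bad request. I would replace the comment with `// Fallback for handlers that return without calling wp_die(): reply "0" with the default (200) status.` so the next reader does not reintroduce the 400 here.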
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9-beta2-41925';
+$wp_version = '4.9-beta2-41926';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.