Security: Return a `403` instead of a `200` HTTP status when `check_ajax_referer()` fails.

This is, unfortunately, untestable in the current test suite, even in the AJAX tests.

Fixes #36362

Built from https://develop.svn.wordpress.org/trunk@38421


git-svn-id: http://core.svn.wordpress.org/trunk@38362 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/functions.php

@@ -2861,9 +2861,19 @@ function _xmlrpc_wp_die_handler( $message, $title = '', $args = array() ) {
  * @since 3.4.0
  * @access private
  *
- * @param string $message Optional. Response to print. Default empty.
- */
-function _ajax_wp_die_handler( $message = '' ) {
+ * @param string       $message Error message. 
+ * @param string       $title   Optional. Error title (unused). Default empty. 
+ * @param string|array $args    Optional. Arguments to control behavior. Default empty array. 
+ */ 
+function _ajax_wp_die_handler( $message, $title = '', $args = array() ) { 
+	$defaults = array( 
+		'response' => 200, 
+	); 
+	$r = wp_parse_args( $args, $defaults ); 
+
+	if ( ! headers_sent() ) { 
+		status_header( $r['response'] ); 
+	}
 	if ( is_scalar( $message ) )
 		die( (string) $message );
 	die( '0' );

wp-includes/pluggable.php

@@ -1108,7 +1108,7 @@ function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
 
 	if ( $die && false === $result ) {
 		if ( wp_doing_ajax() ) {
-			wp_die( -1 );
+			wp_die( -1, 403 );
 		} else {
 			die( '-1' );
 		}

wp-includes/version.php

@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.7-alpha-38420';
+$wp_version = '4.7-alpha-38421';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.