From a1d61a95e16ec96c6fd353e8035542c63dd6a392 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Sun, 28 Aug 2016 17:31:30 +0000
Subject: [PATCH] Security: Return a `403` instead of a `200` HTTP status when `check_ajax_referer()` fails.

This is, unfortunately, untestable in the current test suite, even in the AJAX tests.

Fixes #36362

Built from https://develop.svn.wordpress.org/trunk@38421

git-svn-id: http://core.svn.wordpress.org/trunk@38362 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/functions.php | 16 +++++++++++++---
 wp-includes/pluggable.php | 2 +-
 wp-includes/version.php | 2 +-
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 23fc15cd1b..d3a8bcd2d7 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -2861,9 +2861,19 @@ function _xmlrpc_wp_die_handler( $message, $title = '', $args = array() ) {
 * @since 3.4.0
 * @access private
 *
- * @param string $message Optional. Response to print. Default empty.
- */
-function _ajax_wp_die_handler( $message = '' ) {
+ * @param string $message Error message.
+ * @param string $title Optional. Error title (unused). Default empty.
+ * @param string|array $args Optional. Arguments to control behavior. Default empty array.
+ */
+function _ajax_wp_die_handler( $message, $title = '', $args = array() ) {
+ $defaults = array(
+ 'response' => 200,
+ );
+ $r = wp_parse_args( $args, $defaults );
+
+ if ( ! headers_sent() ) {
+ status_header( $r['response'] );
+ }
 if ( is_scalar( $message ) )
 die( (string) $message );
 die( '0' );
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index dc10c7f393..fe4c0a9933 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1108,7 +1108,7 @@ function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
 
 if ( $die && false === $result ) {
 if ( wp_doing_ajax() ) {
- wp_die( -1 );
+ wp_die( -1, 403 );
 } else {
 die( '-1' );
 }
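Review bot: The rewritten docblock of `_ajax_wp_die_handler()` in the functions.php hunk documents the two new parameters but carries no changelog entry, and the signature change also silently drops the `$message = ''` default, so the parameter is now required. Per core's docblock convention, add ` * @since 4.7.0 The `$title` and `$args` parameters were added.` below the existing `@since 3.4.0`, and either restore `$message = ''` or say in the `@param` line that the message is required. It would also help a reader to state in the docblock that the HTTP status is taken only from `$args['response']` (default 200) and that `$title` is accepted solely for signature compatibility with the other die handlers. The function's closing brace lies outside the hunk.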
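Review bot: In the pluggable.php hunk only the `wp_doing_ajax()` branch gets the 403; the `else` branch still exits through `die( '-1' )` with whatever status is already set, which is 200 by default, so a nonce failure on a non-AJAX request keeps returning success. If that path is meant to stay reachable, precede it with `if ( ! headers_sent() ) { status_header( 403 ); }` so both branches agree. The new `wp_die( -1, 403 )` passes the code as the second positional argument (`$title`) and relies on `wp_die()` normalising an integer title into `$args['response']`; `wp_die( -1, '', array( 'response' => 403 ) )` would make the intent explicit and match the `$args` shape the new handler reads. `check_ajax_referer()` starts outside the hunk, so `$result` is not visible here.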
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 009ab2d9a7..07027bf891 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.7-alpha-38420';
+$wp_version = '4.7-alpha-38421';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.