Administration: Require a valid action parameter to be set for `admin-ajax.php` requests.
This avoids `Array to string conversion` PHP notices when an array is passed as the `action` parameter. Additionally, send an appropriate HTTP response status code when an invalid action is passed to `admin-post.php`. Follow-up to [13175], [19738], [41120], [41926]. Props dd32. Fixes #55212. Built from https://develop.svn.wordpress.org/trunk@52813 git-svn-id: http://core.svn.wordpress.org/trunk@52402 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
257b634b92
commit
f891f6f0c6
|
@ -27,8 +27,8 @@ send_origin_headers();
|
|||
header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
|
||||
header( 'X-Robots-Tag: noindex' );
|
||||
|
||||
// Require an action parameter.
|
||||
if ( empty( $_REQUEST['action'] ) ) {
|
||||
// Require a valid action parameter.
|
||||
if ( empty( $_REQUEST['action'] ) || ! is_scalar( $_REQUEST['action'] ) ) {
|
||||
wp_die( '0', 400 );
|
||||
}
|
||||
|
||||
|
@ -168,7 +168,7 @@ add_action( 'wp_ajax_nopriv_generate-password', 'wp_ajax_nopriv_generate_passwor
|
|||
|
||||
add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );
|
||||
|
||||
$action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';
|
||||
$action = $_REQUEST['action'];
|
||||
|
||||
if ( is_user_logged_in() ) {
|
||||
// If no action is registered, return a Bad Request response.
|
||||
|
@ -201,5 +201,6 @@ if ( is_user_logged_in() ) {
|
|||
*/
|
||||
do_action( "wp_ajax_nopriv_{$action}" );
|
||||
}
|
||||
|
||||
// Default status.
|
||||
wp_die( '0' );
|
||||
|
|
|
@ -29,7 +29,12 @@ nocache_headers();
|
|||
/** This action is documented in wp-admin/admin.php */
|
||||
do_action( 'admin_init' );
|
||||
|
||||
$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
|
||||
$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
|
||||
|
||||
// Reject invalid parameters.
|
||||
if ( ! is_scalar( $action ) ) {
|
||||
wp_die( '', 400 );
|
||||
}
|
||||
|
||||
if ( ! is_user_logged_in() ) {
|
||||
if ( empty( $action ) ) {
|
||||
|
@ -40,6 +45,11 @@ if ( ! is_user_logged_in() ) {
|
|||
*/
|
||||
do_action( 'admin_post_nopriv' );
|
||||
} else {
|
||||
// If no action is registered, return a Bad Request response.
|
||||
if ( ! has_action( "admin_post_nopriv_{$action}" ) ) {
|
||||
wp_die( '', 400 );
|
||||
}
|
||||
|
||||
/**
|
||||
* Fires on a non-authenticated admin post request for the given action.
|
||||
*
|
||||
|
@ -59,6 +69,11 @@ if ( ! is_user_logged_in() ) {
|
|||
*/
|
||||
do_action( 'admin_post' );
|
||||
} else {
|
||||
// If no action is registered, return a Bad Request response.
|
||||
if ( ! has_action( "admin_post_{$action}" ) ) {
|
||||
wp_die( '', 400 );
|
||||
}
|
||||
|
||||
/**
|
||||
* Fires on an authenticated admin post request for the given action.
|
||||
*
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '6.0-alpha-52812';
|
||||
$wp_version = '6.0-alpha-52813';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
|
Loading…
Reference in New Issue