From f891f6f0c65d71885649c43607708f765b653eab Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Wed, 2 Mar 2022 15:00:11 +0000
Subject: [PATCH] Administration: Require a valid action parameter to be set for `admin-ajax.php` requests.
This avoids `Array to string conversion` PHP notices when an array is passed as the `action` parameter.
Additionally, send an appropriate HTTP response status code when an invalid action is passed to `admin-post.php`.
Follow-up to [13175], [19738], [41120], [41926].
Props dd32.
Fixes #55212.
Built from https://develop.svn.wordpress.org/trunk@52813
git-svn-id: http://core.svn.wordpress.org/trunk@52402 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/admin-ajax.php | 7 ++++---
 wp-admin/admin-post.php | 17 ++++++++++++++++-
 wp-includes/version.php | 2 +-
 3 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php
index 087a11993d..638fc39cef 100644
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -27,8 +27,8 @@ send_origin_headers();
 header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
 header( 'X-Robots-Tag: noindex' );
 
-// Require an action parameter.
-if ( empty( $_REQUEST['action'] ) ) {
+// Require a valid action parameter.
+if ( empty( $_REQUEST['action'] ) || ! is_scalar( $_REQUEST['action'] ) ) {
 	wp_die( '0', 400 );
 }
 
@@ -168,7 +168,7 @@ add_action( 'wp_ajax_nopriv_generate-password', 'wp_ajax_nopriv_generate_passwor
 add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );
 
-$action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';
+$action = $_REQUEST['action'];
 
 if ( is_user_logged_in() ) {
 	// If no action is registered, return a Bad Request response.
@@ -201,5 +201,6 @@ if ( is_user_logged_in() ) {
 	 */
 	do_action( "wp_ajax_nopriv_{$action}" );
 }
+
 // Default status.
 wp_die( '0' );
diff --git a/wp-admin/admin-post.php b/wp-admin/admin-post.php
index 803a00652c..e71f5cd1e7 100644
--- a/wp-admin/admin-post.php
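Review bot: `is_scalar()` in the new guard is looser than the data it checks: values arriving from the request are only strings or arrays, so `is_string()` states the intent directly and also rejects a bool or int that plugin code may have written into `$_REQUEST['action']` before this point, which `is_scalar()` would let through into the `wp_ajax_{$action}` hook-name interpolation further down. Suggested line: `if ( empty( $_REQUEST['action'] ) || ! is_string( $_REQUEST['action'] ) ) {`. The same applies to the `! is_scalar( $action )` check added in the first `admin-post.php` hunk.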
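Review bot: `$action = $_REQUEST['action'];` now depends silently on the guard added roughly 140 lines earlier (first hunk), with the core action registration and, as far as I recall this file's layout, `do_action( 'admin_init' )` running in between; a callback on those hooks can reassign `$_REQUEST['action']`, and the array-to-string notice this commit removes would reappear at the `wp_ajax_{$action}` interpolation below. A comment tying the two together would help the next reader, e.g. `// Validated as a non-empty scalar at the top of this file; no fallback needed here.` If reassignment by hooked code is a real concern, repeating the `is_scalar()` check here is cheap. The `if ( is_user_logged_in() )` block that consumes `$action` starts in this hunk and ends outside it.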
+++ b/wp-admin/admin-post.php
@@ -29,7 +29,12 @@ nocache_headers();
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
 
-$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
+$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
+
+// Reject invalid parameters.
+if ( ! is_scalar( $action ) ) {
+	wp_die( '', 400 );
+}
 
 if ( ! is_user_logged_in() ) {
 	if ( empty( $action ) ) {
@@ -40,6 +45,11 @@ if ( ! is_user_logged_in() ) {
 	 */
 	do_action( 'admin_post_nopriv' );
 } else {
+	// If no action is registered, return a Bad Request response.
+	if ( ! has_action( "admin_post_nopriv_{$action}" ) ) {
+		wp_die( '', 400 );
+	}
+
 	/**
 	 * Fires on a non-authenticated admin post request for the given action.
 	 *
@@ -59,6 +69,11 @@ if ( ! is_user_logged_in() ) {
 	 */
 	do_action( 'admin_post' );
 } else {
+	// If no action is registered, return a Bad Request response.
+	if ( ! has_action( "admin_post_{$action}" ) ) {
+		wp_die( '', 400 );
+	}
+
 	/**
 	 * Fires on an authenticated admin post request for the given action.
 	 *
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 049a9e116d..4f17941fa6 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.0-alpha-52812';
+$wp_version = '6.0-alpha-52813';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
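Review bot: Flipping the `$action` assignment from `empty( … ) ? '' : …` to `! empty( … ) ? … : ''` is behaviour-neutral churn that hides the functional change in the diff; keeping the original line and adding the `is_scalar` block beneath it reads more clearly. Separately, the new 400 is only sent after `do_action( 'admin_init' )` two lines above has run, so `admin_init` callbacks still see the unvalidated value; since the check does not depend on anything registered there, it could move above the `admin_init` call, or carry a comment such as `// Validated after admin_init: callbacks on that hook must not trust $_REQUEST['action'].`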
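Review bot: The `has_action()` guard and `wp_die( '', 400 )` are duplicated verbatim in this hunk and the next, in the two branches of an `if ( ! is_user_logged_in() )` block whose start and end lie outside the hunks; a single `$hook = is_user_logged_in() ? 'admin_post' : 'admin_post_nopriv';` followed by one `has_action( "{$hook}_{$action}" )` check would keep the two responses from drifting apart. Also, the empty body differs from the `wp_die( '0', 400 )` that `admin-ajax.php` sends for the same condition; if the empty body is deliberate for `admin-post.php` (the old code appears to have fallen through with no output), a short comment such as `// Empty body is intentional; admin-post.php does not return a payload here.` would stop a later reader from "aligning" it. Unknown-action requests now producing a 400 instead of a silent 200 is also a useful signal for request logging and worth a line in the dev note.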