

Ticket #18637: admin-ajax.php.patch

File admin-ajax.php.patch, 1.4 KB (added by MarcusPope, 9 years ago)
  • wp-admin/admin-ajax.php

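--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -13,7 +13,8 @@
  */
 define('DOING_AJAX', true);
 define('WP_ADMIN', true);
+define('WP_SAFE_PAGE_ID', '/^[0-9a-z_-]+$/');
 
 if ( ! isset( $_REQUEST['action'] ) )
         die('-1');
@@ -1026,7 +1027,7 @@
 
         $page = isset( $_POST['page'] ) ? $_POST['page'] : '';
 
-        if ( !preg_match( '/^[a-z_-]+$/', $page ) )
+        if ( !preg_match(WP_SAFE_PAGE_ID, $page ) )
                 die('-1');
 
         if ( ! $user = wp_get_current_user() )
@@ -1048,7 +1049,7 @@
         $hidden = explode( ',', $_POST['hidden'] );
         $page = isset( $_POST['page'] ) ? $_POST['page'] : '';
 
-        if ( !preg_match( '/^[a-z_-]+$/', $page ) )
+        if ( !preg_match(WP_SAFE_PAGE_ID, $page ) )
                 die('-1');
 
         if ( ! $user = wp_get_current_user() )
@@ -1140,11 +1141,12 @@
         break;
 case 'meta-box-order':
         check_ajax_referer( 'meta-box-order' );
-        $order = isset( $_POST['order'] ) ? (array) $_POST['order'] : false;
+       
+    $order = isset( $_POST['order'] ) ? (array) $_POST['order'] : false;
         $page_columns = isset( $_POST['page_columns'] ) ? (int) $_POST['page_columns'] : 0;
         $page = isset( $_POST['page'] ) ? $_POST['page'] : '';
 
-        if ( !preg_match( '/^[a-z_-]+$/', $page ) )
+        if ( !preg_match( WP_SAFE_PAGE_ID, $page ) )
                 die('-1');
 
         if ( ! $user = wp_get_current_user() )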
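Review bot: The allowlist on the new `define('WP_SAFE_PAGE_ID', '/^[0-9a-z_-]+$/');` line in the first hunk still accepts a `page` value that ends in a newline, because `$` without the `D` modifier also matches just before a trailing "\n"; `define('WP_SAFE_PAGE_ID', '/^[0-9a-z_-]+$/D');` makes the end anchor strict, and a comment such as `// Allowlist pattern for the screen identifier submitted in $_POST['page']; anything else is rejected with die('-1')` would record why the constant exists. In the `meta-box-order` hunk the `$order = ...` assignment is removed and re-added two lines lower, behind a whitespace-only line and with four-space indentation that does not match its neighbours; that part is unrelated noise and should be dropped so the hunk changes only the regex. The three call sites are also spaced inconsistently — `preg_match(WP_SAFE_PAGE_ID, $page )` in the second and third hunks versus `preg_match( WP_SAFE_PAGE_ID, $page )` in the last — and the spaced form is the one the surrounding code uses. Each of the enclosing `case` blocks begins outside its hunk.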