Make WordPress Core

Changeset 38421


Timestamp:
08/28/16 17:30:29 (10 months ago)
Author:
johnbillion
Message:

Security: Return a 403 instead of a 200 HTTP status when check_ajax_referer() fails.

This is, unfortunately, untestable in the current test suite, even in the AJAX tests.

Fixes #36362

Location:
trunk/src/wp-includes
Files:
2 edited

  • trunk/src/wp-includes/functions.php

    r38411 r38421  
    28622862 * @access private 
    28632863 * 
    2864  * @param string $message Optional. Response to print. Default empty. 
    2865  */ 
    2866 function _ajax_wp_die_handler( $message = '' ) { 
     2864 * @param string       $message Error message.  
     2865 * @param string       $title   Optional. Error title (unused). Default empty.  
     2866 * @param string|array $args    Optional. Arguments to control behavior. Default empty array.  
     2867 */  
     2868function _ajax_wp_die_handler( $message, $title = '', $args = array() ) {  
     2869    $defaults = array(  
     2870        'response' => 200,  
     2871    );  
     2872    $r = wp_parse_args( $args, $defaults );  
     2873 
     2874    if ( ! headers_sent() ) {  
     2875        status_header( $r['response'] );  
     2876    } 
    28672877    if ( is_scalar( $message ) ) 
    28682878        die( (string) $message ); 
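Review bot: Making `$message` a required parameter (the removed line had `$message = ''`) means any caller that still invokes `_ajax_wp_die_handler()` with no arguments will now raise a PHP warning for the missing argument; either keep the empty-string default or confirm no such callers remain. Two smaller points on the same hunk: the new docblock documents `$title` as unused while `$args` only honours the `response` key, so a `@since` line noting the added `$title`/`$args` parameters would help readers of the changelog, and because `status_header( $r['response'] )` is skipped once headers have been sent, the response silently stays at whatever status was already emitted in that case, which is worth a one-line comment above the `headers_sent()` check.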
  • trunk/src/wp-includes/pluggable.php

    r38420 r38421  
    11091109    if ( $die && false === $result ) { 
    11101110        if ( wp_doing_ajax() ) { 
    1111             wp_die( -1 ); 
     1111            wp_die( -1, 403 ); 
    11121112        } else { 
    11131113            die( '-1' ); 
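Review bot: `wp_die( -1, 403 )` passes the status code as the second positional argument, which is the `$title` parameter, while the handler in functions.php reads the status from `$args['response']` and documents `$title` as unused; the call therefore relies on `wp_die()` mapping an integer `$title` into `$args['response']`. Passing `array( 'response' => 403 )` explicitly, or adding a comment naming that convention, would make the intent obvious to the next reader. Note also that the `else` branch still ends with `die( '-1' )` and no status header, so a failed nonce check outside AJAX continues to return 200; that matches the commit message's AJAX-only scope, but stating it there would avoid the impression that every `check_ajax_referer()` failure now yields 403.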