Make WordPress Core

Changeset 38421

Timestamp:
08/28/2016 05:30:29 PM (8 years ago)
Author:
johnbillion
Message:

Security: Return a 403 instead of a 200 HTTP status when check_ajax_referer() fails.

This is, unfortunately, untestable in the current test suite, even in the AJAX tests.

Fixes #36362

Location:
trunk/src/wp-includes
Files:
2 edited

  • trunk/src/wp-includes/functions.php

    r38411 r38421  
    28622862 * @access private
    28632863 *
    2864  * @param string $message Optional. Response to print. Default empty.
    2865  */
    2866 function _ajax_wp_die_handler( $message = '' ) {
     2864 * @param string       $message Error message.
     2865 * @param string       $title   Optional. Error title (unused). Default empty.
     2866 * @param string|array $args    Optional. Arguments to control behavior. Default empty array.
     2867 */
     2868function _ajax_wp_die_handler( $message, $title = '', $args = array() ) {
     2869    $defaults = array(
     2870        'response' => 200,
     2871    );
     2872    $r = wp_parse_args( $args, $defaults );
     2873
     2874    if ( ! headers_sent() ) {
     2875        status_header( $r['response'] );
     2876    }
    28672877    if ( is_scalar( $message ) )
    28682878        die( (string) $message );
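Review bot: The `$args` docblock on the new handler signature does not document the one key the function actually reads, `response`, nor its default of 200; since callers must know that key to get any status other than 200, add it to the `@param string|array $args` description (for example "Arguments to control behavior. Accepts 'response' (int) HTTP status code. Default 200."). Also worth noting in the docblock that the `headers_sent()` guard means the status silently stays at whatever was already emitted when output has begun, so a caller cannot rely on the 403 reaching the client in that case.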
  • trunk/src/wp-includes/pluggable.php

    r38420 r38421  
    11091109    if ( $die && false === $result ) {
    11101110        if ( wp_doing_ajax() ) {
    1111             wp_die( -1 );
     1111            wp_die( -1, 403 );
    11121112        } else {
    11131113            die( '-1' );
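Review bot: `wp_die( -1, 403 )` passes the status code in the `$title` position, which the handler added in functions.php documents as unused and ignores; the handler only reads `$args['response']`. Unless `wp_die()` itself converts an integer `$title` into `$args['response']` before dispatching to `_ajax_wp_die_handler()`, the response will still be a 200 and the fix is a no-op. Passing `wp_die( -1, '', array( 'response' => 403 ) )` would make the intent explicit and independent of that normalization. Separately, the non-AJAX branch still calls `die( '-1' )` with no status change, so a failed nonce check outside AJAX continues to return 200; if that is intentional it deserves a comment.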