Make WordPress Core


Timestamp:
10/18/2017 09:00:39 PM (6 years ago)
Author:
SergeyBiryukov
Message:

Administration: After [41120], check for a registered action before sending a Bad Request HTTP response status code.

Props Clorith.
Fixes #42240.

File:
1 edited

  • trunk/src/wp-admin/admin-ajax.php

    r41895 r41926  
    8282
    8383if ( is_user_logged_in() ) {
     84    // If no action is registered, return a Bad Request response.
     85    if ( ! has_action( 'wp_ajax_' . $_REQUEST['action'] ) ) {
     86        wp_die( '0', 400 );
     87    }
     88
    8489    /**
    8590     * Fires authenticated Ajax actions for logged-in users.
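Review bot: At new lines 85 and 97 the hook name is built twice from the raw $_REQUEST['action'], and nothing in the lines shown confirms that the value is a non-empty string before it is concatenated. Assign it to a local variable once, after a type check such as is_string(), and pass that variable to both has_action() and do_action() so the guard and the dispatch are guaranteed to use the same name.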
     
    9297    do_action( 'wp_ajax_' . $_REQUEST['action'] );
    9398} else {
     99    // If no action is registered, return a Bad Request response.
     100    if ( ! has_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ) ) {
     101        wp_die( '0', 400 );
     102    }
     103
    94104    /**
    95105     * Fires non-authenticated Ajax actions for logged-out users.
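Review bot: The guard at new lines 99-102 is a copy of the one at 84-87 with only the prefix changed, which leaves two places to keep in sync on the path that unauthenticated requests reach. Consider choosing the prefix ('wp_ajax_' or 'wp_ajax_nopriv_') from is_user_logged_in() first and running a single has_action() check with the 400 response before the branch, keeping the two do_action() calls and their docblocks as they are.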
     
    103113}
    104114// Default status
    105 wp_die( '0', 400 );
     115wp_die( '0' );
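Review bot: The comment "// Default status" above new line 115 no longer describes when this line runs. With the early exits added in both branches, wp_die( '0' ) is reached only after a registered handler returns without ending the request, and it no longer passes the explicit 400. The comment should say so, and the changed status is worth documenting for callers that check the HTTP code rather than the '0' body.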