WordPress.org

Make WordPress Core


Ignore:
Timestamp:
12/13/2018 01:25:03 AM (11 months ago)
Author:
peterwilsoncc
Message:

Multisite: Validate activation links.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/ms-deprecated.php

    r43654 r44048  
    272272
    273273    $ref = '';
    274     if ( isset( $_GET['ref'] ) )
    275         $ref = $_GET['ref'];
    276     if ( isset( $_POST['ref'] ) )
    277         $ref = $_POST['ref'];
     274    if ( isset( $_GET['ref'] ) && isset( $_POST['ref'] ) && $_GET['ref'] !== $_POST['ref'] ) {
     275        wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
     276    } elseif ( isset( $_POST['ref'] ) ) {
     277        $ref = $_POST[ 'ref' ];
     278    } elseif ( isset( $_GET['ref'] ) ) {
     279        $ref = $_GET[ 'ref' ];
     280    }
    278281
    279282    if ( $ref ) {
     
    288291
    289292    $url = wpmu_admin_redirect_add_updated_param( $url );
    290     if ( isset( $_GET['redirect'] ) ) {
     293    if ( isset( $_GET['redirect'] ) && isset( $_POST['redirect'] ) && $_GET['redirect'] !== $_POST['redirect'] ) {
     294        wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
     295    } elseif ( isset( $_GET['redirect'] ) ) {
    291296        if ( substr( $_GET['redirect'], 0, 2 ) == 's_' )
    292297            $url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) );
Note: See TracChangeset for help on using the changeset viewer.