Changeset 44048 for trunk/src/wp-includes/ms-deprecated.php

Timestamp:

12/13/2018 01:25:03 AM (6 years ago)

Author:

peterwilsoncc

Message:

Multisite: Validate activation links.

File:

• trunk/src/wp-includes/ms-deprecated.php (modified) (2 diffs)

trunk/src/wp-includes/ms-deprecated.php

@@ -272 +272 @@
 
     $ref = '';
-    if ( isset( $_GET['ref'] ) )
-        $ref = $_GET['ref'];
-    if ( isset( $_POST['ref'] ) )
-        $ref = $_POST['ref'];
+    if ( isset( $_GET['ref'] ) && isset( $_POST['ref'] ) && $_GET['ref'] !== $_POST['ref'] ) {
+        wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
+    } elseif ( isset( $_POST['ref'] ) ) {
+        $ref = $_POST[ 'ref' ];
+    } elseif ( isset( $_GET['ref'] ) ) {
+        $ref = $_GET[ 'ref' ];
+    }
 
     if ( $ref ) {
@@ -288 +291 @@
 
     $url = wpmu_admin_redirect_add_updated_param( $url );
-    if ( isset( $_GET['redirect'] ) ) {
+    if ( isset( $_GET['redirect'] ) && isset( $_POST['redirect'] ) && $_GET['redirect'] !== $_POST['redirect'] ) {
+        wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
+    } elseif ( isset( $_GET['redirect'] ) ) {
         if ( substr( $_GET['redirect'], 0, 2 ) == 's_' )
             $url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) );