Changeset 44069 for branches/4.0/src/wp-includes/ms-deprecated.php

Timestamp:

12/13/2018 01:55:22 AM (6 years ago)

Author:

peterwilsoncc

Message:

Multisite: Validate activation links.

Merges [44048] to the 4.0 branch.

Location:

branches/4.0

Files:

• . (modified) (1 prop)
• src/wp-includes/ms-deprecated.php (modified) (2 diffs)

branches/4.0/src/wp-includes/ms-deprecated.php

@@ -241 +241 @@
 
     $ref = '';
-    if ( isset( $_GET['ref'] ) )
-        $ref = $_GET['ref'];
-    if ( isset( $_POST['ref'] ) )
-        $ref = $_POST['ref'];
+    if ( isset( $_GET['ref'] ) && isset( $_POST['ref'] ) && $_GET['ref'] !== $_POST['ref'] ) {
+        wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
+    } elseif ( isset( $_POST['ref'] ) ) {
+        $ref = $_POST[ 'ref' ];
+    } elseif ( isset( $_GET['ref'] ) ) {
+        $ref = $_GET[ 'ref' ];
+    }
 
     if ( $ref ) {
@@ -257 +260 @@
 
     $url = wpmu_admin_redirect_add_updated_param( $url );
-    if ( isset( $_GET['redirect'] ) ) {
+    if ( isset( $_GET['redirect'] ) && isset( $_POST['redirect'] ) && $_GET['redirect'] !== $_POST['redirect'] ) {
+        wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
+    } elseif ( isset( $_GET['redirect'] ) ) {
         if ( substr( $_GET['redirect'], 0, 2 ) == 's_' )
             $url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) );