
Changeset 52813


Timestamp:
03/02/2022 02:58:09 PM (2 years ago)
Author:
SergeyBiryukov
Message:

Administration: Require a valid action parameter to be set for admin-ajax.php requests.

This avoids Array to string conversion PHP notices when an array is passed as the action parameter.

Additionally, send an appropriate HTTP response status code when an invalid action is passed to admin-post.php.

Follow-up to [13175], [19738], [41120], [41926].

Props dd32.
Fixes #55212.

Location:
trunk/src/wp-admin
Files:
2 edited

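--- a/trunk/src/wp-admin/admin-ajax.php
+++ b/trunk/src/wp-admin/admin-ajax.php
@@ -28,6 +28,6 @@
 header( 'X-Robots-Tag: noindex' );
 
-// Require an action parameter.
-if ( empty( $_REQUEST['action'] ) ) {
+// Require a valid action parameter.
+if ( empty( $_REQUEST['action'] ) || ! is_scalar( $_REQUEST['action'] ) ) {
     wp_die( '0', 400 );
 }
@@ -169,5 +169,5 @@
 add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );
 
-$action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';
+$action = $_REQUEST['action'];
 
 if ( is_user_logged_in() ) {
@@ -202,4 +202,5 @@
     do_action( "wp_ajax_nopriv_{$action}" );
 }
+
 // Default status.
 wp_die( '0' );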
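Review bot: The unguarded read on new line 171, `$action = $_REQUEST['action'];`, is only safe because of the check on line 31, about 140 lines earlier, and nothing at the read records that dependency. The code between the two hunks is not shown here; if any of it, or a callback it fires, rewrites or unsets `$_REQUEST['action']`, the hook names built from `$action` (for example on line 202) would again see an array or an undefined index. Keeping the old `isset()` fallback, or at least adding `// $_REQUEST['action'] was validated as a non-empty scalar at the top of this file.` above line 171, would make the contract visible to the next editor. Note also that `is_scalar()` accepts booleans, integers and floats; since the value is only ever interpolated into a hook name, `is_string()` would state the intent more tightly, assuming no caller sets a non-string value in `$_REQUEST` deliberately.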
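--- a/trunk/src/wp-admin/admin-post.php
+++ b/trunk/src/wp-admin/admin-post.php
@@ -30,5 +30,10 @@
 do_action( 'admin_init' );
 
-$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
+$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
+
+// Reject invalid parameters.
+if ( ! is_scalar( $action ) ) {
+    wp_die( '', 400 );
+}
 
 if ( ! is_user_logged_in() ) {
@@ -41,4 +46,9 @@
         do_action( 'admin_post_nopriv' );
     } else {
+        // If no action is registered, return a Bad Request response.
+        if ( ! has_action( "admin_post_nopriv_{$action}" ) ) {
+            wp_die( '', 400 );
+        }
+
         /**
          * Fires on a non-authenticated admin post request for the given action.
@@ -60,4 +70,9 @@
         do_action( 'admin_post' );
     } else {
+        // If no action is registered, return a Bad Request response.
+        if ( ! has_action( "admin_post_{$action}" ) ) {
+            wp_die( '', 400 );
+        }
+
         /**
          * Fires on an authenticated admin post request for the given action.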
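Review bot: The scalar check added on new lines 34–37 runs after `do_action( 'admin_init' );` on line 30, so every `admin_init` callback still executes with an array-valued `$_REQUEST['action']` before the request is rejected. Because the `is_user_logged_in()` branch only starts on line 39, that applies to unauthenticated requests as well. admin-ajax.php in this same changeset rejects the parameter on line 31, near the top of the file; doing the same here, with `if ( isset( $_REQUEST['action'] ) && ! is_scalar( $_REQUEST['action'] ) ) { wp_die( '', 400 ); }` placed before line 30, would keep the two entry points consistent. The lines above 30 are outside this hunk, so whether `wp_die()` is usable that early in this file needs confirming.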