Changeset 52813
- Timestamp:
- 03/02/2022 02:58:09 PM (3 years ago)
- Location:
- trunk/src/wp-admin
- Files:
-
- 2 edited
trunk/src/wp-admin/admin-ajax.php
r50153 r52813 28 28 header( 'X-Robots-Tag: noindex' ); 29 29 30 // Require a naction parameter.31 if ( empty( $_REQUEST['action'] ) ) {30 // Require a valid action parameter. 31 if ( empty( $_REQUEST['action'] ) || ! is_scalar( $_REQUEST['action'] ) ) { 32 32 wp_die( '0', 400 ); 33 33 } … … 169 169 add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 ); 170 170 171 $action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';171 $action = $_REQUEST['action']; 172 172 173 173 if ( is_user_logged_in() ) { … … 202 202 do_action( "wp_ajax_nopriv_{$action}" ); 203 203 } 204 204 205 // Default status. 205 206 wp_die( '0' ); -
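Review bot: The read at new line 171, `$action = $_REQUEST['action'];`, now relies entirely on the check at line 31, and lines 34–168 between the two are not shown on this page. If anything loaded or fired in that stretch can rewrite `$_REQUEST` (presumably plugin code runs there; confirm), an array or a missing key would reach the `"wp_ajax_nopriv_{$action}"` interpolation at line 202 unvalidated. Keeping a guard at the point of use closes that gap, for example `$action = ( isset( $_REQUEST['action'] ) && is_scalar( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';`. If the bare read stays, a comment such as `// Validated as a non-empty scalar at the top of this file.` would record the dependency for the next reader.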
trunk/src/wp-admin/admin-post.php
r47198 r52813 30 30 do_action( 'admin_init' ); 31 31 32 $action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action']; 32 $action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : ''; 33 34 // Reject invalid parameters. 35 if ( ! is_scalar( $action ) ) { 36 wp_die( '', 400 ); 37 } 33 38 34 39 if ( ! is_user_logged_in() ) { … … 41 46 do_action( 'admin_post_nopriv' ); 42 47 } else { 48 // If no action is registered, return a Bad Request response. 49 if ( ! has_action( "admin_post_nopriv_{$action}" ) ) { 50 wp_die( '', 400 ); 51 } 52 43 53 /** 44 54 * Fires on a non-authenticated admin post request for the given action. … … 60 70 do_action( 'admin_post' ); 61 71 } else { 72 // If no action is registered, return a Bad Request response. 73 if ( ! has_action( "admin_post_{$action}" ) ) { 74 wp_die( '', 400 ); 75 } 76 62 77 /** 63 78 * Fires on an authenticated admin post request for the given action.
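Review bot: The new `is_scalar()` rejection at lines 35–37 runs after `do_action( 'admin_init' )` on line 30, so callbacks on that hook still receive an array-valued `$_REQUEST['action']` before the request is refused. In admin-ajax.php the equivalent check sits at line 31, near the top of the file. Consider moving the `$action` assignment and the `if ( ! is_scalar( $action ) ) { wp_die( '', 400 ); }` block above the `admin_init` call, provided nothing earlier in the file (not visible here) depends on the current order. The comment could also say why the check exists, e.g. `// Request values are strings or arrays; an array cannot form a hook name.`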