Make WordPress Core


Timestamp:
03/02/2022 02:58:09 PM (3 years ago)
Author:
SergeyBiryukov
Message:

Administration: Require a valid action parameter to be set for admin-ajax.php requests.

This avoids Array to string conversion PHP notices when an array is passed as the action parameter.

Additionally, send an appropriate HTTP response status code when an invalid action is passed to admin-post.php.

Follow-up to [13175], [19738], [41120], [41926].

Props dd32.
Fixes #55212.

File:
1 edited

  • trunk/src/wp-admin/admin-ajax.php

    r50153 r52813  
    2828header( 'X-Robots-Tag: noindex' );
    2929
    30 // Require an action parameter.
    31 if ( empty( $_REQUEST['action'] ) ) {
     30// Require a valid action parameter.
     31if ( empty( $_REQUEST['action'] ) || ! is_scalar( $_REQUEST['action'] ) ) {
    3232    wp_die( '0', 400 );
    3333}
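Review bot: The new `! is_scalar( $_REQUEST['action'] )` guard at line 31 is what actually prevents the "Array to string conversion" notice described in the message, since an array now hits `wp_die( '0', 400 )` before it can be interpolated into a hook name; that is the right place for the check, but the comment above it should say why `is_scalar` is used (arrays and objects are rejected, not "invalid" action names in general), because a reader will otherwise assume some validation of the action string happens here. Also, the message says admin-post.php will now send an appropriate HTTP status for an invalid action, yet this changeset lists only `trunk/src/wp-admin/admin-ajax.php` as edited, so either the message is ahead of the patch or the admin-post.php change belongs in a separate commit reference.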
     
    169169add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );
    170170
    171 $action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';
     171$action = $_REQUEST['action'];
    172172
    173173if ( is_user_logged_in() ) {
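Review bot: Dropping the `isset()` fallback at line 171 is only safe because the `empty()`/`is_scalar()` check roughly 140 lines earlier already terminated the request for a missing or non-scalar action; that coupling is invisible at this point in the file. Suggest a one-line comment such as `// Validated as a non-empty scalar near the top of this file.` so a future edit that moves or relaxes the early check does not silently reintroduce an undefined-index notice or an array reaching `do_action( "wp_ajax_nopriv_{$action}" )`. Note that the value is still used unsanitized in the hook name; that is pre-existing and harmless in itself because an unregistered hook simply does nothing, but it is worth stating in the comment that the scalar check is the only constraint applied.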
     
    202202    do_action( "wp_ajax_nopriv_{$action}" );
    203203}
     204
    204205// Default status.
    205206wp_die( '0' );
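Review bot: Whitespace-only hunk, fine as is, but since it touches the fallthrough, it is worth noting the inconsistency it sits next to: a missing or non-scalar action now ends with `wp_die( '0', 400 )` at line 32, while an action that is a valid scalar but has no registered handler still ends with the default-status `wp_die( '0' )` at line 206. Clients and monitoring cannot distinguish "malformed request" from "unknown action" by status code alone; if the intent of this change is to return appropriate status codes for invalid actions, consider giving this default path an explicit status as well, or documenting in the comment why the two cases differ.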