Make WordPress Core


Timestamp:
03/02/2022 02:58:09 PM (3 years ago)
Author:
SergeyBiryukov
Message:

Administration: Require a valid action parameter to be set for admin-ajax.php requests.

This avoids Array to string conversion PHP notices when an array is passed as the action parameter.

Additionally, send an appropriate HTTP response status code when an invalid action is passed to admin-post.php.

Follow-up to [13175], [19738], [41120], [41926].

Props dd32.
Fixes #55212.

File:
1 edited

  • trunk/src/wp-admin/admin-post.php

    r47198 r52813  
    3030do_action( 'admin_init' );
    3131
    32 $action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
     32$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
     33
     34// Reject invalid parameters.
     35if ( ! is_scalar( $action ) ) {
     36    wp_die( '', 400 );
     37}
    3338
    3439if ( ! is_user_logged_in() ) {
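Review bot: the `is_scalar( $action )` guard at line 35 sits after `do_action( 'admin_init' )` at line 30, so every `admin_init` callback still runs for a request whose `action` is an array before the request is rejected with 400; if the goal is to fail fast on malformed input, the `$action` assignment and the scalar check can be moved above the `admin_init` call, since neither depends on anything registered there. Separately, the commit message describes the change as applying to admin-ajax.php, yet the only file in this changeset is trunk/src/wp-admin/admin-post.php; either the admin-ajax.php side lands in another changeset or the message should say admin-post.php.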
     
    4146        do_action( 'admin_post_nopriv' );
    4247    } else {
     48        // If no action is registered, return a Bad Request response.
     49        if ( ! has_action( "admin_post_nopriv_{$action}" ) ) {
     50            wp_die( '', 400 );
     51        }
     52
    4353        /**
    4454         * Fires on a non-authenticated admin post request for the given action.
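Review bot: the `has_action( "admin_post_nopriv_{$action}" )` check at line 49 turns the response for an unauthenticated request into an oracle: an action with a registered `admin_post_nopriv_*` callback gets 200, an unregistered one now gets 400, whereas before both returned an empty 200 page. That lets an anonymous client enumerate which nopriv actions (and hence which plugins) are installed by probing action names. If that is acceptable it should be called out in the message; otherwise consider responding identically for both cases on the nopriv path.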
     
    6070        do_action( 'admin_post' );
    6171    } else {
     72        // If no action is registered, return a Bad Request response.
     73        if ( ! has_action( "admin_post_{$action}" ) ) {
     74            wp_die( '', 400 );
     75        }
     76
    6277        /**
    6378         * Fires on an authenticated admin post request for the given action.
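Review bot: the block at lines 72-75 is a verbatim copy of the nopriv block earlier in the file (lines 48-51), differing only in the hook prefix. Computing the hook name once, for example `$hook = is_user_logged_in() ? "admin_post_{$action}" : "admin_post_nopriv_{$action}";`, and doing a single `has_action( $hook )` / `wp_die( '', 400 )` check would keep the two paths from drifting apart when one of them is later changed. The empty first argument to `wp_die` also means the 400 page carries no message; a short body such as `'Invalid action.'` would make the rejection easier to diagnose from a browser or a plugin's form handler.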