Make WordPress Core

Changeset 59171


Ignore:
Timestamp:
10/04/2024 05:34:50 PM (2 months ago)
Author:
jorbin
Message:

Bootstrap/Load: Prevent loopback scraping errors when there is no key or nonce.

For error detection and rollback functions WordPress also starts a loopback request to the homepage. This loopback request is made with special parameters that when they don't match, generates an erorr. This hardens that flow by exiting out of the check if the nonce or key is missing or the nonce is not saved in the DB. It further hardens it by not caching the failures and asking search engines not to index the url with the failures.

Props georgwordpress, swissspidy, jorbin.
Fixes #62105.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/load.php

    r58683 r59171  
    18071807    $key   = substr( sanitize_key( wp_unslash( $_REQUEST['wp_scrape_key'] ) ), 0, 32 );
    18081808    $nonce = wp_unslash( $_REQUEST['wp_scrape_nonce'] );
    1809 
    1810     if ( get_transient( 'scrape_key_' . $key ) !== $nonce ) {
     1809    if ( empty( $key ) || empty( $nonce ) ) {
     1810        return;
     1811    }
     1812
     1813    $transient = get_transient( 'scrape_key_' . $key );
     1814    if ( false === $transient ) {
     1815        return;
     1816    }
     1817
     1818    if ( $transient !== $nonce ) {
     1819        if ( ! headers_sent() ) {
     1820            header( 'X-Robots-Tag: noindex' );
     1821            nocache_headers();
     1822        }
    18111823        echo "###### wp_scraping_result_start:$key ######";
    18121824        echo wp_json_encode(
Note: See TracChangeset for help on using the changeset viewer.