WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#36362 closed defect (bug) (fixed)

check_ajax_referer() does not send a 403 response code upon failure

Reported by: johnbillion Owned by: johnbillion
Milestone: 4.7 Priority: normal
Severity: normal Version: 3.4
Component: Security Keywords: has-patch
Focuses: Cc:

Description

When check_ajax_referer() fails, a 200 HTTP response code is still sent back to the client, whereas check_admin_referer() correctly returns a 403.

The _ajax_wp_die_handler() function lacks the ability to provide an HTTP response code.

Attachments (1)

36362.patch (1.3 KB) - added by johnbillion 4 years ago.

Download all attachments as: .zip

Change History (4)

@johnbillion
4 years ago

#1 @johnbillion
4 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to Future Release

#2 @johnbillion
4 years ago

  • Milestone changed from Future Release to 4.7

#3 @johnbillion
4 years ago

  • Owner set to johnbillion
  • Resolution set to fixed
  • Status changed from new to closed

In 38421:

Security: Return a 403 instead of a 200 HTTP status when check_ajax_referer() fails.

This is, unfortunately, untestable in the current test suite, even in the AJAX tests.

Fixes #36362

Note: See TracTickets for help on using tickets.