Context Navigation

← Previous Ticket
Next Ticket →

#36362 closed defect (bug) (fixed)

check_ajax_referer() does not send a 403 response code upon failure

Reported by:	johnbillion	Owned by:	johnbillion
Milestone:	4.7	Priority:	normal
Severity:	normal	Version:	3.4
Component:	Security	Keywords:	has-patch
Focuses:		Cc:

Description

When check_ajax_referer() fails, a 200 HTTP response code is still sent back to the client, whereas check_admin_referer() correctly returns a 403.

The _ajax_wp_die_handler() function lacks the ability to provide an HTTP response code.

Attachments (1)

36362.patch (1.3 KB) - added by johnbillion 10 years ago.

Download all attachments as: .zip

Change History (4)

@johnbillion
10 years ago

Attachment 36362.patch added

#1 @johnbillion
10 years ago

Keywords has-patch added
Milestone changed from Awaiting Review to Future Release

#2 @johnbillion
9 years ago

Milestone changed from Future Release to 4.7

#3 @johnbillion
9 years ago

Owner set to johnbillion
Resolution set to fixed
Status changed from new to closed

In 38421:

Security: Return a 403 instead of a 200 HTTP status when check_ajax_referer() fails.

This is, unfortunately, untestable in the current test suite, even in the AJAX tests.

Fixes #36362

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats:

Make WordPress Core