
Opened 6 months ago

Last modified 5 months ago

#51463 new enhancement

Fire an action prior to AJAX action handling (allows diagnostics)

Reported by: DavidAnderson
Owned by: (none)
Milestone: Future Release
Priority: normal
Severity: normal
Version: (none)
Component: General
Keywords: has-patch
Focuses: (none)
Cc: (none)

Description

Currently, admin-ajax.php has no action that it will fire if there is no action hooked.

This means that you can't (without using hacks) track calls to "unhooked" actions. Being able to track those calls is useful for various diagnostic purposes: for example, logging bots that speculatively call a list of actions belonging to vulnerable plugins, or detecting and logging coding errors.

The attached patch adds a "pre_wp_ajax" action call to allow plugins to monitor calls to unhooked AJAX actions.
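The following is an added example of how a site could use such a hook for the diagnostic purpose the ticket describes; it is not the attached patch and not WordPress core code. It assumes that "pre_wp_ajax" is fired from admin-ajax.php with the requested action name (the "action" request parameter) as its single argument, before core checks has_action() and calls wp_die(), and that it fires whether or not the action is hooked. The function and transient names are chosen for this example.

```php
<?php
/**
 * Plugin Name: Unhooked AJAX Action Logger (added example, not core code)
 *
 * Logs requests for AJAX actions that nothing has hooked, which is what a
 * vulnerability-probing bot or a broken plugin produces. Assumes the
 * proposed "pre_wp_ajax" action passes the requested action name.
 */

/**
 * Record a call to an AJAX action that no plugin or theme has registered.
 *
 * @param string $action The raw value of the "action" request parameter.
 */
function diag_log_unhooked_ajax_action( $action ) {
    // Core dispatches logged-in requests to wp_ajax_{action} and anonymous
    // requests to wp_ajax_nopriv_{action}. The hook can derive both the
    // login state and the has_action() result itself, so no extra
    // parameters are needed from core.
    $prefix = is_user_logged_in() ? 'wp_ajax_' : 'wp_ajax_nopriv_';
    $hook   = $prefix . $action;

    if ( has_action( $hook ) ) {
        return; // A handler exists; core will run it, nothing to diagnose.
    }

    // The action name is attacker-controlled input; strip anything that
    // could corrupt the log line before writing it.
    $safe_action = sanitize_text_field( $action );
    $ip          = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $ua          = isset( $_SERVER['HTTP_USER_AGENT'] )
        ? substr( sanitize_text_field( $_SERVER['HTTP_USER_AGENT'] ), 0, 200 )
        : 'unknown';

    // Count unhooked calls per source address over a ten-minute window so a
    // burst of speculative probes stands out from a single coding error.
    // Transient name is constructed for this example.
    $key   = 'diag_unhooked_ajax_' . md5( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, 10 * MINUTE_IN_SECONDS );

    // error_log() goes to PHP's configured error log, or to
    // wp-content/debug.log when WP_DEBUG_LOG is enabled; nothing extra is
    // sent to the client, so the response seen by the caller is unchanged.
    error_log( sprintf(
        '[%s] unhooked AJAX action "%s" (hook %s) from %s (%d in last 10 min), UA: %s',
        gmdate( 'c' ),
        $safe_action,
        $hook,
        $ip,
        $count,
        $ua
    ) );
}
add_action( 'pre_wp_ajax', 'diag_log_unhooked_ajax_action' );
```

Dropping this file into wp-content/mu-plugins/ activates it without any admin steps. Because it only observes and writes to the error log, it cannot change what admin-ajax.php returns, which keeps the diagnostic itself from becoming a side channel; a site that wants to act on repeated probes (rate limiting, blocking) would consume the log or the per-address counter separately.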

Attachments (1)

pre-ajax-action.patch (684 bytes) - added by DavidAnderson 6 months ago.
Add "pre_wp_ajax" action call


Change History (4)

@DavidAnderson
6 months ago

Add "pre_wp_ajax" action call

#1 @johnbillion
6 months ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to Future Release

This is a good idea. It could instead fire a little further down and receive a parameter with the result of the has_action check? Maybe one for the wp_ajax_ action and one for the wp_ajax_nopriv action before they call wp_die().

#2 @DavidAnderson
6 months ago

I tend to think that the parameters passed to an action shouldn't include ones it can directly derive from what it has already got. So, here, the called function can already call is_user_logged_in() and has_action() itself.

I didn't clarify in the original post that the placement of the action was chosen so that it can also be used for diagnostics when the action *is* hooked.

Last edited 6 months ago by DavidAnderson

#3 @DavidAnderson
5 months ago

@johnbillion Any chance this can go in before WP 5.6? I'm eager to ban the bad guys without needing to code ugly hacks.
