
Changeset 10471


Timestamp:
11/26/2020 11:52:07 PM (4 years ago)
Author:
dd32
Message:

Bad Requests: Block requests from vuln scanners hitting Jetpack share by email forms.

File:
1 edited

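--- a/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php
@@ -109,4 +109,26 @@
 
 /**
+ * Detect invalid requests from vulnerability scanners to Jetpack Share by Email forms.
+ */
+add_action( 'send_headers', function() {
+    if ( ! isset( $_REQUEST['share'] ) ) {
+        return;
+    }
+
+    $share_by_email_fields = [
+        'target_email',
+        'source_email',
+        'source_f_name',
+        'source_name',
+    ];
+
+    foreach ( $share_by_email_fields as $field ) {
+        if ( isset( $_POST[ $field ] ) && ! is_scalar( $_REQUEST[ $field ] ) ) {
+            die_bad_request( "non-scalar $field in Jetpack Share By Email" );
+        }
+    }
+} );
+
+/**
  * Die with a 400 Bad Request.
  *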
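Review bot: The check inside the `foreach` gates on `isset( $_POST[ $field ] )` but then inspects `$_REQUEST[ $field ]`; those are different arrays, and when a cookie or query-string parameter of the same name is present (which one wins depends on PHP's `request_order`/`variables_order`) the value tested is not the POSTed one, so an array in `$_POST` can pass while a scalar from elsewhere satisfies `is_scalar`. Use the same superglobal on both sides: `if ( isset( $_POST[ $field ] ) && ! is_scalar( $_POST[ $field ] ) ) {`. Whether Jetpack reads these fields from `$_POST` or `$_REQUEST` is not visible here; if it is the latter, the same fields arriving via GET are not covered at all and the gate should presumably be `isset( $_REQUEST[ $field ] )` with the matching lookup. The closure is complete within the hunk; `die_bad_request()` is defined elsewhere in the file.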