
Changeset 10529


Timestamp:
12/17/2020 01:33:02 AM (4 years ago)
Author:
dd32
Message:

Bad Requests: Block scanners injecting invalid inputs into the o2 queryVars fields.

File:
1 edited

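--- a/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php
@@ -38,4 +38,11 @@
  */
 add_action( 'send_headers', function( $wp ) {
+    check_for_invalid_query_vars( $wp->query_vars, '$public_query_vars' );
+} );
+
+/**
+ * Check a set of internal query variables against the WordPress WP_Query values to detect invalid input.
+ */
+function check_for_invalid_query_vars( $vars, $ref = '$public_query_vars' ) {
     // Assumption: WP::$public_query_vars will only ever contain non-array query vars.
     // Assumption invalid. Some fields are valid.
@@ -61,16 +68,15 @@
 
     foreach ( (new \WP)->public_query_vars as $field ) {
-        if ( isset( $wp->query_vars[ $field ] ) ) {
-            if ( ! is_scalar( $wp->query_vars[ $field ] ) && ! isset( $array_fields[ $field ] ) ) {
-                die_bad_request( "non-scalar $field in \$public_query_vars" );
+        if ( isset( $vars[ $field ] ) ) {
+            if ( ! is_scalar( $vars[ $field ] ) && ! isset( $array_fields[ $field ] ) ) {
+                die_bad_request( "non-scalar $field in $ref" );
             }
 
-            if ( isset( $must_be_num[ $field ] ) && ! empty( $wp->query_vars[ $field ] ) && ! is_numeric( $wp->query_vars[ $field ] ) ) {
-                die_bad_request( "non-numeric $field in \$public_query_vars" );
+            if ( isset( $must_be_num[ $field ] ) && ! empty( $vars[ $field ] ) && ! is_numeric( $vars[ $field ] ) ) {
+                die_bad_request( "non-numeric $field in $ref" );
             }
         }
     }
-
-} );
+}
 
 /**
@@ -82,4 +88,7 @@
             die_bad_request( "non-scalar input to o2" );
         }
+    }
+    if ( isset( $_REQUEST['queryVars'] ) ) {
+        check_for_invalid_query_vars( $_REQUEST['queryVars'], 'o2 queryVars' );
     }
 }, 9 );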
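Review bot: `check_for_invalid_query_vars()` assumes `$vars` is an array, but the new call on line 92 passes `$_REQUEST['queryVars']` without checking its type; a scalar string `queryVars` reaches `isset( $vars[ $field ] )`, which on a string uses string-offset semantics and returns false for every named field, so such input passes the check instead of being rejected. A guard at the top of the function closes this for every caller: `if ( ! is_array( $vars ) ) { die_bad_request( "non-array $ref" ); }` (or declare the parameter as `array $vars` and let the type error surface). The o2 handler containing the call begins above the hunk, and the `non-scalar input to o2` message on line 88 suggests an earlier shape check may already exist there; if so the guard is still cheap defence in depth, since `$ref` already names the caller in the rejection message. `$array_fields` and `$must_be_num` are defined in the elided lines 49-67, so I cannot tell from the hunk whether values inside the allowed array fields are themselves validated; if they are not, a one-line comment on the `$array_fields` definition stating that nested values are not inspected would help the next reader.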