Timestamp:
06/27/2024 07:34:58 AM (20 months ago)
Author:
dd32
Message:

Bad requests: Ensure that tag_slug__and is only a flat array. This quietens down the pentester noise on the theme directory.

File:
1 edited

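--- a/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php
@@ -52,11 +52,14 @@
     $query_vars[] = 'url';
     $query_vars[] = 'replytocom';
+    $query_vars[] = 'tag_slug__and'; // Theme Directory has added this as a public query var.
 
     // Assumption: WP::$public_query_vars will only ever contain non-array query vars.
-    // Assumption invalid. Some fields are valid.
-    $array_fields = [
-        'post_type' => true,
-        'cat' => true,
-        'tag' => true,
+    // Assumption invalid. Some fields are valid as arrays.
+    // We'll limit these to a flat array, not nested.
+    $maybe_array_fields = [
+        'post_type'     => true,
+        'cat'           => true,
+        'tag'           => true,
+        'tag_slug__and' => true,
     ];
 
@@ -81,18 +84,24 @@
 
     foreach ( $query_vars as $field ) {
-        if ( isset( $vars[ $field ] ) ) {
-            if ( ! is_scalar( $vars[ $field ] ) && ! isset( $array_fields[ $field ] ) ) {
-                die_bad_request( "non-scalar $field in $ref" );
+        if ( ! isset( $vars[ $field ] ) ) {
+            continue;
+        }
+
+        if ( isset( $maybe_array_fields[ $field ] ) && ! is_scalar( $vars[ $field ] ) ) {
+            if ( array_filter( $vars[ $field ], function( $item ) { return ! is_scalar( $item ); } ) ) {
+                die_bad_request( "non-scalar value in {$field}[] in $ref" );
             }
-
-            if ( isset( $must_be_num[ $field ] ) && ! empty( $vars[ $field ] ) && ! is_numeric( $vars[ $field ] ) ) {
-
-                // Allow the `p` variable to contain `p=12345/`: https://bbpress.trac.wordpress.org/ticket/3424
-                if ( 'p' === $field && ( intval( $vars[ $field ] ) . '/' === $vars[ $field ] ) ) {
-                    continue;
-                }
-
-                die_bad_request( "non-numeric $field in $ref" );
+        } else if ( ! is_scalar( $vars[ $field ] ) ) {
+            die_bad_request( "non-scalar $field in $ref" );
+        }
+
+        if ( isset( $must_be_num[ $field ] ) && ! empty( $vars[ $field ] ) && ! is_numeric( $vars[ $field ] ) ) {
+
+            // Allow the `p` variable to contain `p=12345/`: https://bbpress.trac.wordpress.org/ticket/3424
+            if ( 'p' === $field && ( intval( $vars[ $field ] ) . '/' === $vars[ $field ] ) ) {
+                continue;
             }
+
+            die_bad_request( "non-numeric $field in $ref" );
         }
     }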
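Review bot: At new line 90 the `! is_scalar()` test admits any non-array, non-scalar value (an object, say) into the `array_filter()` call on line 91, which on PHP 8 raises a TypeError rather than the clean 400 that `die_bad_request()` produces; `is_array()` is the precise guard, `if ( isset( $maybe_array_fields[ $field ] ) && is_array( $vars[ $field ] ) ) {`, after which the `else if` branch on line 94 catches every other non-scalar. Query vars parsed from the request are presumably only strings or arrays, so this reads as hardening of the check rather than a crash reachable today. If any key is ever listed in both `$maybe_array_fields` and `$must_be_num`, the numeric check on line 98 will still reject a flat array because `is_numeric()` is false for arrays; `$must_be_num`, `$vars` and `$ref` are defined before the hunk, so that cannot be confirmed from here.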