Changeset 14488

Timestamp:

07/24/2025 01:15:10 AM (11 months ago)

Author:

dd32

Message:

API: Serve Happy & Credits: Protect against invalid inputs causing fatal errors.

Location:

sites/trunk/api.wordpress.org/public_html/core

Files:

• credits/index.php (modified) (1 diff)
• serve-happy/1.0/include.php (modified) (1 diff)

sites/trunk/api.wordpress.org/public_html/core/credits/index.php

@@ -40 +40 @@
 }
 
-if ( version_compare( $version, '3.2', '<' ) ) {
+if (
+    ! is_string( $version ) ||
+    version_compare( $version, '3.2', '<' ) ||
+    ( isset( $_GET['locale'] ) && ! is_string( $_GET['locale'] ) )
+) {
     header( 'HTTP/1.0 400 Bad Request', true, 400 );
     die( 'Bad request.' );

sites/trunk/api.wordpress.org/public_html/core/serve-happy/1.0/include.php

@@ -11 +11 @@
     $php_version = false;
     // PHP versions on hosts vary and include extra data, we're only interested in the major core PHP version component:
-    if ( preg_match( '!^([0-9]+\.([0-9]+\.)?[0-9]+)!', $request['php_version'], $m ) ) {
+    if (
+        is_string( $request['php_version'] ) &&
+        preg_match( '!^([0-9]+\.([0-9]+\.)?[0-9]+)!', $request['php_version'], $m )
+    ) {
         $php_version = $m[1];
     }