Changeset 14784

Timestamp:

03/31/2026 08:11:10 PM (6 hours ago)

Author:

obenland

Message:

Block non-scalar query parameters in Pattern Directory requests

Vulnerability scanners pass nested arrays for parameters like curation and pattern-categories, which cause PHP warnings.
Reject these requests early with a 400 response.

File:

• sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php (modified) (1 diff)

sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php

@@ -204 +204 @@
 
 /**
+ * Detect non-scalar values in Pattern Directory query parameters.
+ *
+ * Scanners pass nested arrays like `curation[$in][]=all` which cause PHP
+ * warnings downstream when the value is used in esc_attr().
+ */
+add_action( 'send_headers', function() {
+    if ( ! str_contains( $_SERVER['REQUEST_URI'], 'wordpress.org/patterns/' ) ) {
+        return;
+    }
+
+    $scalar_only = [ 'curation', 'pattern-categories' ];
+
+    foreach ( $scalar_only as $field ) {
+        if ( isset( $_REQUEST[ $field ] ) && ! is_scalar( $_REQUEST[ $field ] ) ) {
+            die_bad_request( "non-scalar $field in \$_REQUEST" );
+        }
+    }
+} );
+
+/**
  * Detect invalid requests from vulnerability scanners to Jetpack Share by Email forms.
  */