
Changeset 9825


Timestamp:
05/05/2020 02:35:45 AM (4 years ago)
Author:
dd32
Message:

Bad Requests: Remove the blocking for arrays passed to the oembed API endpoint.

Fixed upstream in https://core.trac.wordpress.org/ticket/49991

File:
1 edited

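--- a/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php
@@ -50,24 +50,4 @@
 
 /**
- * Detect invalid parameters being passed to REST API Endpoints.
- * Not all API endpoints sanitization callbacks check variable types.
- *
- * @see https://core.trac.wordpress.org/ticket/49991
- */
-add_action( 'rest_api_init', function( $wp_rest_server ) {
-    global $wp;
-
-    // oEmbed endpoint has some not-so-great sanitize callbacks specified
-    if ( '/oembed/1.0/embed' === $wp->query_vars['rest_route'] ) {
-        foreach ( [ 'url', 'maxwidth' ] as $field ) {
-            if ( isset( $_REQUEST[ $field ] ) && ! is_scalar( $_REQUEST[ $field ] ) ) {
-                die_bad_request( "non-scalar $field in oEmbed call" );
-            }
-        }
-    }
-
-} );
-
-/**
  * Detect invalid parameters being passed to the Jetpack Subscription widget.
  *
@@ -86,28 +66,42 @@
 
 /**
+ * Detect badly formed XMLRPC requests.
+ * pingback.ping is not a valid multicall target, blocking due to the excessive requests.
+ */
+add_action( 'xmlrpc_call', function() {
+    global $HTTP_RAW_POST_DATA;
+    if (
+        false !== stripos( $HTTP_RAW_POST_DATA, '<methodName>system.multicall</methodName>' ) &&
+        false !== stripos( $HTTP_RAW_POST_DATA, '<name>methodName</name><value>pingback.ping</value>' )
+    ) {
+        die_bad_request( 'pingback.ping inside a system.multicall' );
+    }
+}, 1 );
+
+/**
  * Die with a 400 Bad Request.
  *
  * @param string $reference A unique identifying string to make it easier to read logs.
  */
-function die_bad_request( $reference = '') {
-    header( $_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request' );
+function die_bad_request( $reference = '' ) {
+    // Log it if possible, and not on a sandbox
+    if ( ! defined( 'WPORG_SANDBOXED' ) || ! WPORG_SANDBOXED ) {
+        if ( function_exists( 'wporg_error_reporter' ) && ! empty( $_COOKIE['wporg_logged_in'] ) ) {
+            wporg_error_reporter( E_USER_NOTICE, "400 Bad Request: $reference", __FILE__, __LINE__ );
+        }
+    }
 
     // Use a prettier error page on WordPress.org
     if (
         false !== stripos( $_SERVER['HTTP_HOST'], 'wordpress.org' ) &&
-        defined( 'WPORGPATH' ) && file_exists( WPORGPATH . '/403.php' )
+        defined( 'WPORGPATH' ) && file_exists( WPORGPATH . '/403.php' ) &&
+        ! defined( 'XMLRPC_REQUEST' ) && ! defined( 'REST_REQUEST' )
     ) {
+        status_header( 400 );
         $header_set_for_403 = true;
         include WPORGPATH . '/403.php';
-
-        // Log it if possible, and not on a sandbox
-        if ( ! defined( 'WPORG_SANDBOXED' ) || ! WPORG_SANDBOXED ) {
-            if ( function_exists( 'wporg_error_reporter' ) && ! empty( $_COOKIE ) ) {
-                wporg_error_reporter( E_USER_NOTICE, "400 Bad Request: $reference", __FILE__, __LINE__ );
-            }
-        }
-        exit;
+    } else {
+        \wp_die( 'Bad Request', 'Bad Request', [ 'response' => 400 ] );
     }
-
-    \wp_die( 'Bad Request', 'Bad Request', [ 'code' => 400 ] );
+    exit;
 }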
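Review bot: The multicall check in the new `xmlrpc_call` hook matches one exact literal, so a request body with whitespace or newlines between the tags, or the equally valid typed form `<value><string>pingback.ping</string></value>`, still reaches pingback.ping inside a system.multicall and is not blocked. Loosening the second condition to `preg_match( '#<name>\s*methodName\s*</name>\s*<value>\s*(?:<string>\s*)?pingback\.ping\s*(?:</string>\s*)?</value>#i', $HTTP_RAW_POST_DATA )` covers both variants without changing what the hook blocks for well-formed callers. The hook also reads the `$HTTP_RAW_POST_DATA` global, which PHP itself stopped populating in 7.0; presumably core's xmlrpc.php fills it from `php://input` before this action fires, but that dependency is worth confirming and recording with a comment such as `// $HTTP_RAW_POST_DATA is expected to be populated by xmlrpc.php from php://input` on the `global` line (or reading `php://input` directly). In `die_bad_request`, note that logging is now gated on a non-empty `wporg_logged_in` cookie rather than any cookie, so anonymous bad requests are no longer reported; if that narrowing is intentional, a one-line comment saying so would save the next reader from reading it as a regression.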