Changeset 9825
- Timestamp:
- 05/05/2020 02:35:45 AM (4 years ago)
- File:
-
- 1 edited
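--- a/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php
@@ -50,24 +50,4 @@
 
 /**
- * Detect invalid parameters being passed to REST API Endpoints.
- * Not all API endpoints sanitization callbacks check variable types.
- *
- * @see https://core.trac.wordpress.org/ticket/49991
- */
-add_action( 'rest_api_init', function( $wp_rest_server ) {
-	global $wp;
-
-	// oEmbed endpoint has some not-so-great sanitize callbacks specified
-	if ( '/oembed/1.0/embed' === $wp->query_vars['rest_route'] ) {
-		foreach ( [ 'url', 'maxwidth' ] as $field ) {
-			if ( isset( $_REQUEST[ $field ] ) && ! is_scalar( $_REQUEST[ $field ] ) ) {
-				die_bad_request( "non-scalar $field in oEmbed call" );
-			}
-		}
-	}
-
-} );
-
-/**
  * Detect invalid parameters being passed to the Jetpack Subscription widget.
  *
@@ -86,28 +66,42 @@
 
 /**
+ * Detect badly formed XMLRPC requests.
+ * pingback.ping is not a valid multicall target, blocking due to the excessive requests.
+ */
+add_action( 'xmlrpc_call', function() {
+	global $HTTP_RAW_POST_DATA;
+	if (
+		false !== stripos( $HTTP_RAW_POST_DATA, '<methodName>system.multicall</methodName>' ) &&
+		false !== stripos( $HTTP_RAW_POST_DATA, '<name>methodName</name><value>pingback.ping</value>' )
+	) {
+		die_bad_request( 'pingback.ping inside a system.multicall' );
+	}
+}, 1 );
+
+/**
  * Die with a 400 Bad Request.
  *
  * @param string $reference A unique identifying string to make it easier to read logs.
  */
-function die_bad_request( $reference = '') {
-	header( $_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request' );
+function die_bad_request( $reference = '' ) {
+	// Log it if possible, and not on a sandbox
+	if ( ! defined( 'WPORG_SANDBOXED' ) || ! WPORG_SANDBOXED ) {
+		if ( function_exists( 'wporg_error_reporter' ) && ! empty( $_COOKIE['wporg_logged_in'] ) ) {
+			wporg_error_reporter( E_USER_NOTICE, "400 Bad Request: $reference", __FILE__, __LINE__ );
+		}
+	}
 
 	// Use a prettier error page on WordPress.org
 	if (
 		false !== stripos( $_SERVER['HTTP_HOST'], 'wordpress.org' ) &&
-		defined( 'WPORGPATH' ) && file_exists( WPORGPATH . '/403.php' )
+		defined( 'WPORGPATH' ) && file_exists( WPORGPATH . '/403.php' ) &&
+		! defined( 'XMLRPC_REQUEST' ) && ! defined( 'REST_REQUEST' )
 	) {
+		status_header( 400 );
 		$header_set_for_403 = true;
 		include WPORGPATH . '/403.php';
-
-		// Log it if possible, and not on a sandbox
-		if ( ! defined( 'WPORG_SANDBOXED' ) || ! WPORG_SANDBOXED ) {
-			if ( function_exists( 'wporg_error_reporter' ) && ! empty( $_COOKIE ) ) {
-				wporg_error_reporter( E_USER_NOTICE, "400 Bad Request: $reference", __FILE__, __LINE__ );
-			}
-		}
-		exit;
+	} else {
+		\wp_die( 'Bad Request', 'Bad Request', [ 'response' => 400 ] );
 	}
-
-	\wp_die( 'Bad Request', 'Bad Request', [ 'code' => 400 ] );
+	exit;
 }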
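Review bot: The new `xmlrpc_call` callback reads `$HTTP_RAW_POST_DATA`, which PHP itself stopped populating in 7.0; as far as I recall it works here only because WordPress's xmlrpc.php fills it from `php://input` before the action fires, so that dependency deserves a comment such as `// Populated by wp's xmlrpc.php from php://input, not by PHP itself.`. The two `stripos()` calls test for one literal serialization of the multicall body rather than the parsed method list, so the hook is a signature-style heuristic and its docblock should say so (`Heuristic substring match on the raw body, not a parsed check.`) so later maintainers know what it does and does not cover. In `die_bad_request`, the error-reporter call is now gated on `$_COOKIE['wporg_logged_in']`, which means the anonymous XML-RPC traffic this commit targets is never reported; if that is deliberate to keep the error reporter from being flooded, the comment at new line 87 should state it. This section has two hunks; the first is a pure removal and raises nothing.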