Administration: Require a valid action parameter to be set for admin-ajax.php requests.

This avoids `Array to string conversion` PHP notices when an array is passed as the `action` parameter. Additionally, send an appropriate HTTP response status code when an invalid action is passed to `admin-post.php`. Follow-up to [13175], [19738], [41120], [41926]. Props dd32. Fixes #55212. git-svn-id: https://develop.svn.wordpress.org/trunk@52813 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 22:30:04 +00:00 · 2022-03-02 14:58:09 +00:00
parent f0dfa682a5
commit 99fd93c7df
2 changed files with 20 additions and 4 deletions
--- a/src/wp-admin/admin-post.php
+++ b/src/wp-admin/admin-post.php
@@ -29,7 +29,12 @@ nocache_headers();
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );

-$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
+$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
+
+// Reject invalid parameters.
+if ( ! is_scalar( $action ) ) {
+	wp_die( '', 400 );
+}

 if ( ! is_user_logged_in() ) {
 	if ( empty( $action ) ) {
@@ -40,6 +45,11 @@ if ( ! is_user_logged_in() ) {
 		 */
 		do_action( 'admin_post_nopriv' );
 	} else {
+		// If no action is registered, return a Bad Request response.
+		if ( ! has_action( "admin_post_nopriv_{$action}" ) ) {
+			wp_die( '', 400 );
+		}
+
 		/**
 		 * Fires on a non-authenticated admin post request for the given action.
 		 *
@@ -59,6 +69,11 @@ if ( ! is_user_logged_in() ) {
 		 */
 		do_action( 'admin_post' );
 	} else {
+		// If no action is registered, return a Bad Request response.
+		if ( ! has_action( "admin_post_{$action}" ) ) {
+			wp_die( '', 400 );
+		}
+
 		/**
 		 * Fires on an authenticated admin post request for the given action.
 		 *