Script Loader: Send a 400 Bad Request status code in load-scripts.php and load-styles.php if the required load[] parameter is not set.

Props compilenix.
Fixes #44108.

git-svn-id: https://develop.svn.wordpress.org/trunk@45731 602fd350-edb4-49c9-b593-d223f7449a82
Sergey Biryukov 2019-08-03 22:16:23 +00:00
parent 5ed5587545
commit f0f94aef7e
2 changed files with 12 additions and 8 deletions


@ -14,6 +14,11 @@ if ( ! defined( 'ABSPATH' ) ) {
define( 'WPINC', 'wp-includes' ); define( 'WPINC', 'wp-includes' );
$protocol = $_SERVER['SERVER_PROTOCOL'];
if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ) ) ) {
$protocol = 'HTTP/1.0';
}
$load = $_GET['load']; $load = $_GET['load'];
if ( is_array( $load ) ) { if ( is_array( $load ) ) {
ksort( $load ); ksort( $load );
@ -24,6 +29,7 @@ $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
$load = array_unique( explode( ',', $load ) ); $load = array_unique( explode( ',', $load ) );
if ( empty( $load ) ) { if ( empty( $load ) ) {
header( "$protocol 400 Bad Request" );
exit; exit;
} }
@ -40,10 +46,6 @@ wp_default_packages_vendor( $wp_scripts );
wp_default_packages_scripts( $wp_scripts ); wp_default_packages_scripts( $wp_scripts );
if ( isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) && stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) === $wp_version ) { if ( isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) && stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) === $wp_version ) {
$protocol = $_SERVER['SERVER_PROTOCOL'];
if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ) ) ) {
$protocol = 'HTTP/1.0';
}
header( "$protocol 304 Not Modified" ); header( "$protocol 304 Not Modified" );
exit(); exit();
} }
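Review bot: The new `400 Bad Request` branch looks unreachable for the case the commit message names, because `explode( ',', $load )` returns `array( '' )` for an empty string and `empty()` is false for a one-element array. A request with no `load` parameter (which also raises an undefined-index notice at `$load = $_GET['load'];`) would therefore fall through to the loader instead of exiting with 400. Consider `$load = isset( $_GET['load'] ) ? $_GET['load'] : '';` and dropping empty handles before the test, e.g. `$load = array_filter( array_unique( explode( ',', $load ) ), 'strlen' );`. The same lines appear in the second file section of this commit; the code between the hunks is not visible here, so confirm nothing there already handles it.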


@ -18,6 +18,11 @@ require( ABSPATH . 'wp-admin/includes/noop.php' );
require( ABSPATH . WPINC . '/script-loader.php' ); require( ABSPATH . WPINC . '/script-loader.php' );
require( ABSPATH . WPINC . '/version.php' ); require( ABSPATH . WPINC . '/version.php' );
$protocol = $_SERVER['SERVER_PROTOCOL'];
if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ) ) ) {
$protocol = 'HTTP/1.0';
}
$load = $_GET['load']; $load = $_GET['load'];
if ( is_array( $load ) ) { if ( is_array( $load ) ) {
ksort( $load ); ksort( $load );
@ -28,6 +33,7 @@ $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
$load = array_unique( explode( ',', $load ) ); $load = array_unique( explode( ',', $load ) );
if ( empty( $load ) ) { if ( empty( $load ) ) {
header( "$protocol 400 Bad Request" );
exit; exit;
} }
@ -39,10 +45,6 @@ $wp_styles = new WP_Styles();
wp_default_styles( $wp_styles ); wp_default_styles( $wp_styles );
if ( isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) && stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) === $wp_version ) { if ( isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) && stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) === $wp_version ) {
$protocol = $_SERVER['SERVER_PROTOCOL'];
if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ) ) ) {
$protocol = 'HTTP/1.0';
}
header( "$protocol 304 Not Modified" ); header( "$protocol 304 Not Modified" );
exit(); exit();
} }
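Review bot: The hoisted `$protocol` block is undocumented, and it is now the only thing that keeps `$_SERVER['SERVER_PROTOCOL']` from being interpolated unchecked into both `header()` calls further down. A short comment above it would stop a later edit from loosening the allow-list, for example `// Allow-list the protocol: it is interpolated into the status line of the 400 and 304 responses below.` As a matter of style, `in_array()` is called without its strict flag; passing `true` as the third argument costs nothing here.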