diff -r c7c34916027a -r 177826044cd9 wp/wp-admin/admin-ajax.php --- a/wp/wp-admin/admin-ajax.php Mon Oct 14 18:06:33 2019 +0200 +++ b/wp/wp-admin/admin-ajax.php Mon Oct 14 18:28:13 2019 +0200 @@ -25,8 +25,9 @@ send_origin_headers(); // Require an action parameter -if ( empty( $_REQUEST['action'] ) ) +if ( empty( $_REQUEST['action'] ) ) { wp_die( '0', 400 ); +} /** Load WordPress Administration APIs */ require_once( ABSPATH . 'wp-admin/includes/admin.php' ); @@ -44,75 +45,147 @@ do_action( 'admin_init' ); $core_actions_get = array( - 'fetch-list', 'ajax-tag-search', 'wp-compression-test', 'imgedit-preview', 'oembed-cache', - 'autocomplete-user', 'dashboard-widgets', 'logged-in', + 'fetch-list', + 'ajax-tag-search', + 'wp-compression-test', + 'imgedit-preview', + 'oembed-cache', + 'autocomplete-user', + 'dashboard-widgets', + 'logged-in', ); $core_actions_post = array( - 'oembed-cache', 'image-editor', 'delete-comment', 'delete-tag', 'delete-link', - 'delete-meta', 'delete-post', 'trash-post', 'untrash-post', 'delete-page', 'dim-comment', - 'add-link-category', 'add-tag', 'get-tagcloud', 'get-comments', 'replyto-comment', - 'edit-comment', 'add-menu-item', 'add-meta', 'add-user', 'closed-postboxes', - 'hidden-columns', 'update-welcome-panel', 'menu-get-metabox', 'wp-link-ajax', - 'menu-locations-save', 'menu-quick-search', 'meta-box-order', 'get-permalink', - 'sample-permalink', 'inline-save', 'inline-save-tax', 'find_posts', 'widgets-order', - 'save-widget', 'delete-inactive-widgets', 'set-post-thumbnail', 'date_format', 'time_format', - 'wp-remove-post-lock', 'dismiss-wp-pointer', 'upload-attachment', 'get-attachment', - 'query-attachments', 'save-attachment', 'save-attachment-compat', 'send-link-to-editor', - 'send-attachment-to-editor', 'save-attachment-order', 'heartbeat', 'get-revision-diffs', - 'save-user-color-scheme', 'update-widget', 'query-themes', 'parse-embed', 'set-attachment-thumbnail', - 'parse-media-shortcode', 'destroy-sessions', 'install-plugin', 'update-plugin', 'crop-image', - 'generate-password', 'save-wporg-username', 'delete-plugin', 'search-plugins', - 'search-install-plugins', 'activate-plugin', 'update-theme', 'delete-theme', 'install-theme', - 'get-post-thumbnail-html', 'get-community-events', 'edit-theme-plugin-file', + 'oembed-cache', + 'image-editor', + 'delete-comment', + 'delete-tag', + 'delete-link', + 'delete-meta', + 'delete-post', + 'trash-post', + 'untrash-post', + 'delete-page', + 'dim-comment', + 'add-link-category', + 'add-tag', + 'get-tagcloud', + 'get-comments', + 'replyto-comment', + 'edit-comment', + 'add-menu-item', + 'add-meta', + 'add-user', + 'closed-postboxes', + 'hidden-columns', + 'update-welcome-panel', + 'menu-get-metabox', + 'wp-link-ajax', + 'menu-locations-save', + 'menu-quick-search', + 'meta-box-order', + 'get-permalink', + 'sample-permalink', + 'inline-save', + 'inline-save-tax', + 'find_posts', + 'widgets-order', + 'save-widget', + 'delete-inactive-widgets', + 'set-post-thumbnail', + 'date_format', + 'time_format', + 'wp-remove-post-lock', + 'dismiss-wp-pointer', + 'upload-attachment', + 'get-attachment', + 'query-attachments', + 'save-attachment', + 'save-attachment-compat', + 'send-link-to-editor', + 'send-attachment-to-editor', + 'save-attachment-order', + 'heartbeat', + 'get-revision-diffs', + 'save-user-color-scheme', + 'update-widget', + 'query-themes', + 'parse-embed', + 'set-attachment-thumbnail', + 'parse-media-shortcode', + 'destroy-sessions', + 'install-plugin', + 'update-plugin', + 'crop-image', + 'generate-password', + 'save-wporg-username', + 'delete-plugin', + 'search-plugins', + 'search-install-plugins', + 'activate-plugin', + 'update-theme', + 'delete-theme', + 'install-theme', + 'get-post-thumbnail-html', + 'get-community-events', + 'edit-theme-plugin-file', 'wp-privacy-export-personal-data', 'wp-privacy-erase-personal-data', - 'update-try-gutenberg-panel', + 'health-check-site-status-result', + 'health-check-dotorg-communication', + 'health-check-is-in-debug-mode', + 'health-check-background-updates', + 'health-check-loopback-requests', + 'health-check-get-sizes', ); // Deprecated $core_actions_post_deprecated = array( 'wp-fullscreen-save-post', 'press-this-save-post', 'press-this-add-category' ); -$core_actions_post = array_merge( $core_actions_post, $core_actions_post_deprecated ); +$core_actions_post = array_merge( $core_actions_post, $core_actions_post_deprecated ); // Register core Ajax calls. -if ( ! empty( $_GET['action'] ) && in_array( $_GET['action'], $core_actions_get ) ) +if ( ! empty( $_GET['action'] ) && in_array( $_GET['action'], $core_actions_get ) ) { add_action( 'wp_ajax_' . $_GET['action'], 'wp_ajax_' . str_replace( '-', '_', $_GET['action'] ), 1 ); +} -if ( ! empty( $_POST['action'] ) && in_array( $_POST['action'], $core_actions_post ) ) +if ( ! empty( $_POST['action'] ) && in_array( $_POST['action'], $core_actions_post ) ) { add_action( 'wp_ajax_' . $_POST['action'], 'wp_ajax_' . str_replace( '-', '_', $_POST['action'] ), 1 ); +} add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 ); +$action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : ''; + if ( is_user_logged_in() ) { // If no action is registered, return a Bad Request response. - if ( ! has_action( 'wp_ajax_' . $_REQUEST['action'] ) ) { + if ( ! has_action( "wp_ajax_{$action}" ) ) { wp_die( '0', 400 ); } /** * Fires authenticated Ajax actions for logged-in users. * - * The dynamic portion of the hook name, `$_REQUEST['action']`, - * refers to the name of the Ajax action callback being fired. + * The dynamic portion of the hook name, `$action`, refers + * to the name of the Ajax action callback being fired. * * @since 2.1.0 */ - do_action( 'wp_ajax_' . $_REQUEST['action'] ); + do_action( "wp_ajax_{$action}" ); } else { // If no action is registered, return a Bad Request response. - if ( ! has_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ) ) { + if ( ! has_action( "wp_ajax_nopriv_{$action}" ) ) { wp_die( '0', 400 ); } /** * Fires non-authenticated Ajax actions for logged-out users. * - * The dynamic portion of the hook name, `$_REQUEST['action']`, - * refers to the name of the Ajax action callback being fired. + * The dynamic portion of the hook name, `$action`, refers + * to the name of the Ajax action callback being fired. * * @since 2.8.0 */ - do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ); + do_action( "wp_ajax_nopriv_{$action}" ); } // Default status wp_die( '0' );