Bootstrap/Load: Prevent loopback scraping errors when there is no key or nonce.

aaronjorbin · aaronjorbin · commit 647ee0575956 · 2024-10-04T17:34:50.000Z
For error detection and rollback functions WordPress also starts a loopback request to the homepage. This loopback request is made with special parameters that when they don't match, generates an erorr. This hardens that flow by exiting out of the check if the nonce or key is missing or the nonce is not saved in the DB. It further hardens it by not caching the failures and asking search engines not to index the url with the failures. Props georgwordpress, swissspidy, jorbin. Fixes #62105. git-svn-id: https://develop.svn.wordpress.org/trunk@59171 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/load.php b/src/wp-includes/load.php
@@ -1806,8 +1806,20 @@ function wp_start_scraping_edited_file_errors() {
 
 	$key   = substr( sanitize_key( wp_unslash( $_REQUEST['wp_scrape_key'] ) ), 0, 32 );
 	$nonce = wp_unslash( $_REQUEST['wp_scrape_nonce'] );
+	if ( empty( $key ) || empty( $nonce ) ) {
+		return;
+	}
+
+	$transient = get_transient( 'scrape_key_' . $key );
+	if ( false === $transient ) {
+		return;
+	}
 
-	if ( get_transient( 'scrape_key_' . $key ) !== $nonce ) {
+	if ( $transient !== $nonce ) {
+		if ( ! headers_sent() ) {
+			header( 'X-Robots-Tag: noindex' );
+			nocache_headers();
+		}
 		echo "###### wp_scraping_result_start:$key ######";
 		echo wp_json_encode(
 			array(
