Changeset 3457468
- Timestamp:
- 02/09/2026 09:20:15 PM (5 weeks ago)
- File:
-
- 1 edited
-
vectoron/trunk/includes/ajax-proxy.php (modified) (3 diffs)
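--- a/vectoron/trunk/includes/ajax-proxy.php
+++ b/vectoron/trunk/includes/ajax-proxy.php
@@ -82,4 +82,17 @@
     }
 
+    // Validate route is within allowed namespaces (prevent access to sensitive endpoints)
+    $allowed_prefixes = array( '/wp/v2/', '/vectoron/v1/' );
+    $route_allowed = false;
+    foreach ( $allowed_prefixes as $prefix ) {
+        if ( strpos( $rest_route, $prefix ) === 0 ) {
+            $route_allowed = true;
+            break;
+        }
+    }
+    if ( ! $route_allowed ) {
+        wp_send_json_error( array( 'message' => 'Access to this REST route is not allowed via AJAX proxy' ), 403 );
+    }
+
     // Validate HTTP method
     $allowed_methods = array( 'GET', 'POST', 'PUT', 'DELETE', 'PATCH' );
@@ -94,4 +107,7 @@
     if ( in_array( $rest_method, array( 'POST', 'PUT', 'PATCH' ), true ) && ! empty( $rest_body ) ) {
         $body_data = json_decode( $rest_body, true );
+        if ( json_last_error() !== JSON_ERROR_NONE && ! empty( $rest_body ) ) {
+            wp_send_json_error( array( 'message' => 'Invalid JSON in rest_body parameter' ), 400 );
+        }
         if ( is_array( $body_data ) ) {
             foreach ( $body_data as $key => $value ) {
@@ -117,15 +133,13 @@
 
 /**
- * AJAX status endpoint ( no auth required).
- *
- * Used by the connection test to detect if the AJAX proxy is available
- * without needing credentials.
+ * AJAX status endpoint (minimal — no sensitive info).
+ *
+ * Used by the connection test to detect if the AJAX proxy is available.
+ * Deliberately minimal to avoid fingerprinting.
  */
 function vectoron_ajax_status() {
     wp_send_json( array(
-        'plugin' => 'Vectoron',
         'ajax_proxy' => true,
         'status' => 'active',
-        'timestamp' => current_time( 'mysql' ),
     ) );
 }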
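Review bot: The namespace allowlist in the first hunk still admits every core route under `/wp/v2/`, including `users`, `settings` and `plugins` (and `users/*/application-passwords`), so the "prevent access to sensitive endpoints" comment overstates what the prefix check achieves. Whether that matters depends on how the proxy dispatches the request, which is outside this hunk (the enclosing function starts before it): if it calls `rest_do_request()` as the already-authenticated caller, each endpoint's own `permission_callback` still applies; if it runs under an elevated or plugin-set user, the prefix check alone does not stop user creation or settings changes. Consider either documenting the trust assumption with `// Per-endpoint permission_callback still applies; proxy must run as the authenticated WP user, never elevated` or adding a deny-list before the `! $route_allowed` check, e.g. `foreach ( array( '/wp/v2/users', '/wp/v2/settings', '/wp/v2/plugins' ) as $denied ) { if ( strpos( $rest_route, $denied ) === 0 ) { $route_allowed = false; } }`. Minor: in the second hunk the inner `! empty( $rest_body )` is redundant because the enclosing `if` already requires a non-empty body, and a syntactically valid non-object body such as `"abc"` still passes and is then silently ignored by the `is_array` check.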