From 7dbc4d28e55c0d66edb78d9adc6dd21fe8da6190 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Sat, 3 Aug 2019 22:17:57 +0000
Subject: [PATCH] Script Loader: Send a 400 Bad Request status code in `load-scripts.php` and `load-styles.php` if the required `load[]` parameter is not set.
Props compilenix.
Fixes #44108.
Built from https://develop.svn.wordpress.org/trunk@45731
git-svn-id: http://core.svn.wordpress.org/trunk@45542 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/load-scripts.php | 10 ++++++----
 wp-admin/load-styles.php | 10 ++++++----
 wp-includes/version.php | 2 +-
 3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/wp-admin/load-scripts.php b/wp-admin/load-scripts.php
index f0a7efe76d..bdb5fa5cec 100644
--- a/wp-admin/load-scripts.php
+++ b/wp-admin/load-scripts.php
@@ -14,6 +14,11 @@ if ( ! defined( 'ABSPATH' ) ) {
 define( 'WPINC', 'wp-includes' );
+$protocol = $_SERVER['SERVER_PROTOCOL'];
+if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ) ) ) {
+ $protocol = 'HTTP/1.0';
+}
+
 $load = $_GET['load'];
 if ( is_array( $load ) ) {
 ksort( $load );
@@ -24,6 +29,7 @@ $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
 $load = array_unique( explode( ',', $load ) );
 if ( empty( $load ) ) {
+ header( "$protocol 400 Bad Request" );
 exit;
 }
@@ -40,10 +46,6 @@ wp_default_packages_vendor( $wp_scripts );
 wp_default_packages_scripts( $wp_scripts );
 if ( isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) && stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) === $wp_version ) {
- $protocol = $_SERVER['SERVER_PROTOCOL'];
- if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ) ) ) {
- $protocol = 'HTTP/1.0';
- }
 header( "$protocol 304 Not Modified" );
 exit();
 }
diff --git a/wp-admin/load-styles.php b/wp-admin/load-styles.php
index 7ba0ce3247..8b3cc0d75f 100644
--- a/wp-admin/load-styles.php
+++ b/wp-admin/load-styles.php
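Review bot: `$load = $_GET['load'];`, the context line directly below the hoisted `$protocol` block, still reads the index unconditionally, so the exact case this commit targets (no `load` parameter at all) first raises an undefined-index notice before the new 400 path is reached; unless error reporting is disabled earlier in the file, which this hunk does not show, that notice may end up in the response body. Reading it as `$load = isset( $_GET['load'] ) ? $_GET['load'] : '';` keeps `$load` a string and leaves the decision to the later check. On the added `in_array` call, passing `true` as the third argument makes the protocol allow-list comparison strict: `if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ), true ) ) {`. The first hunk of wp-admin/load-styles.php adds the identical block and has the same two points.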
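Review bot: The added `header( "$protocol 400 Bad Request" )` sits on a branch that cannot be taken: the context line above builds `$load` with `array_unique( explode( ',', $load ) )`, and `explode( ',', '' )` returns `array( '' )`, a one-element array, so `empty( $load )` is false even when the parameter is missing or is sanitised down to nothing, and the request presumably continues into the normal output path instead of failing. Dropping empty handles before the check makes the guard fire for the case the commit describes, e.g. `$load = array_unique( array_filter( explode( ',', $load ), 'strlen' ) );` (`'strlen'` rather than the default callback so a handle literally named `0` is not discarded). A `load` value that names only unregistered handles still passes this check, which may be intended. The second hunk of wp-admin/load-styles.php has the same unreachable branch.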
@@ -18,6 +18,11 @@ require( ABSPATH . 'wp-admin/includes/noop.php' );
 require( ABSPATH . WPINC . '/script-loader.php' );
 require( ABSPATH . WPINC . '/version.php' );
+$protocol = $_SERVER['SERVER_PROTOCOL'];
+if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ) ) ) {
+ $protocol = 'HTTP/1.0';
+}
+
 $load = $_GET['load'];
 if ( is_array( $load ) ) {
 ksort( $load );
@@ -28,6 +33,7 @@ $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
 $load = array_unique( explode( ',', $load ) );
 if ( empty( $load ) ) {
+ header( "$protocol 400 Bad Request" );
 exit;
 }
@@ -39,10 +45,6 @@ $wp_styles = new WP_Styles();
 wp_default_styles( $wp_styles );
 if ( isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) && stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) === $wp_version ) {
- $protocol = $_SERVER['SERVER_PROTOCOL'];
- if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ) ) ) {
- $protocol = 'HTTP/1.0';
- }
 header( "$protocol 304 Not Modified" );
 exit();
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5609cfe2d6..7da7ee30a4 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.3-alpha-45730';
+$wp_version = '5.3-alpha-45731';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.