

Ticket #33837: 33837.stringish.diff

File 33837.stringish.diff, 9.2 KB (added by kitchin, 4 years ago)

Stringy or null. Passes unit tests fwiw. Fixes bulk-delete bug in commit. Renames function, makes it more general.

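--- a/src/wp-admin/admin-post.php
+++ b/src/wp-admin/admin-post.php
@@ -28,7 +28,7 @@
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
 
-$action = wp_validate_action();
+$action = wp_raw_request_value( 'action' );
 
 if ( ! wp_validate_auth_cookie() ) {
         if ( empty( $action ) ) {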
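--- a/src/wp-admin/admin.php
+++ b/src/wp-admin/admin.php
@@ -358,8 +358,8 @@
         }
 }
 
-$_action = wp_validate_action();
-if ( ! empty( $_action ) ) {
+$_action = wp_raw_request_value( 'action' );
+if ( $_action ) {
         /**
          * Fires when an 'action' request variable is sent.
          *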
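--- a/src/wp-admin/async-upload.php
+++ b/src/wp-admin/async-upload.php
@@ -6,7 +6,7 @@
  * @subpackage Administration
  */
 
-// `wp_validate_action()` isn't loaded yet
+// `wp_raw_request_value()` isn't loaded yet
 if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
         define( 'DOING_AJAX', true );
 }
@@ -20,7 +20,7 @@
 else
         require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );
 
-if ( ! wp_validate_action( 'upload-attachment' ) ) {
+if ( ! wp_raw_request_value( 'action', 'upload-attachment' ) ) {
         // Flash often fails to send cookies with the POST or upload, so we need to pass it in GET or POST instead
         if ( is_ssl() && empty($_COOKIE[SECURE_AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) )
                 $_COOKIE[SECURE_AUTH_COOKIE] = $_REQUEST['auth_cookie'];
@@ -35,7 +35,7 @@
 
 header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
 
-if ( wp_validate_action( 'upload-attachment' ) ) {
+if ( wp_raw_request_value( 'action', 'upload-attachment' ) ) {
         include( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
 
         send_nosniff_header();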
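--- a/src/wp-admin/includes/class-wp-list-table.php
+++ b/src/wp-admin/includes/class-wp-list-table.php
@@ -427,9 +427,9 @@
                          */
                         $this->_actions = apply_filters( "bulk_actions-{$this->screen->id}", $this->_actions );
                         $this->_actions = array_intersect_assoc( $this->_actions, $no_new_actions );
-                        $two = '';
+                        $two = '';              // 'action', 'doaction'
                 } else {
-                        $two = '2';
+                        $two = '2';             // 'action2', 'doaction2'
                 }
 
                 if ( empty( $this->_actions ) )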
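--- a/src/wp-admin/includes/class-wp-terms-list-table.php
+++ b/src/wp-admin/includes/class-wp-terms-list-table.php
@@ -153,10 +153,11 @@
          * @return string
          */
         public function current_action() {
-                $action = wp_validate_action();
-                if ( $action && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $_REQUEST['action2'] ) )
+                $action = wp_raw_request_value( 'action' );
+                $action2 = wp_raw_request_value( 'action2' );
+                if ( is_string( $action ) && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $action2 ) ) {
                         return 'bulk-delete';
-
+                }
                 return parent::current_action();
         }
 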
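Review bot: Both comparisons on the new line 158 still use loose `==` even though `$action` is now guarded by `is_string()` and `$action2` is either a string or null, so the strict form is safe here and matches the `===` the new helper itself uses: `if ( is_string( $action ) && isset( $_REQUEST['delete_tags'] ) && ( 'delete' === $action || 'delete' === $action2 ) ) {`. For non-numeric strings the result is the same, so this is a style point rather than a behaviour change. Note also that `is_string( $action )` is true for an empty string, so a request with `action` empty and `action2=delete` now reaches `bulk-delete`, which looks like the intended fix for the second bulk-actions dropdown; if `action` can be absent entirely while `action2` is set, that request still never matches, which is worth confirming. The whole `current_action()` method is inside the hunk.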
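--- a/src/wp-admin/network/site-info.php
+++ b/src/wp-admin/network/site-info.php
@@ -53,7 +53,7 @@
 $parsed_scheme = parse_url( $details->siteurl, PHP_URL_SCHEME );
 $is_main_site = is_main_site( $id );
 
-if ( wp_validate_action( 'update-site' ) ) {
+if ( wp_raw_request_value( 'action', 'update-site' ) ) {
         check_admin_referer( 'edit-site' );
 
         switch_to_blog( $id );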
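--- a/src/wp-admin/network/site-new.php
+++ b/src/wp-admin/network/site-new.php
@@ -33,7 +33,7 @@
         '<p>' . __('<a href="https://wordpress.org/support/forum/multisite/" target="_blank">Support Forums</a>') . '</p>'
 );
 
-if ( wp_validate_action( 'add-site' ) ) {
+if ( wp_raw_request_value( 'action', 'add-site' ) ) {
         check_admin_referer( 'add-blog', '_wpnonce_add-blog' );
 
         if ( ! is_array( $_POST['blog'] ) )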
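--- a/src/wp-admin/network/site-settings.php
+++ b/src/wp-admin/network/site-settings.php
@@ -48,7 +48,7 @@
 
 $is_main_site = is_main_site( $id );
 
-if ( wp_validate_action( 'update-site' ) && is_array( $_POST['option'] ) ) {
+if ( wp_raw_request_value( 'action', 'update-site' ) && is_array( $_POST['option'] ) ) {
         check_admin_referer( 'edit-site' );
 
         switch_to_blog( $id );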
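--- a/src/wp-admin/network/user-new.php
+++ b/src/wp-admin/network/user-new.php
@@ -30,7 +30,7 @@
         '<p>' . __('<a href="https://wordpress.org/support/forum/multisite/" target="_blank">Support Forums</a>') . '</p>'
 );
 
-if ( wp_validate_action( 'add-user' ) ) {
+if ( wp_raw_request_value( 'action', 'add-user' ) ) {
         check_admin_referer( 'add-user', '_wpnonce_add-user' );
 
         if ( ! current_user_can( 'manage_network_users' ) )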
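--- a/src/wp-admin/network/users.php
+++ b/src/wp-admin/network/users.php
@@ -174,12 +174,12 @@
 
 require_once( ABSPATH . 'wp-admin/admin-header.php' );
 
-$action = wp_validate_action();
-if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $action ) ) {
+$_action = wp_raw_request_value( 'action' );
+if ( wp_raw_request_value( 'updated', 'true' ) && $_action ) {
         ?>
         <div id="message" class="updated notice is-dismissible"><p>
                 <?php
-                switch ( $action ) {
+                switch ( $_action ) {
                         case 'delete':
                                 _e( 'User deleted.' );
                         break;
@@ -200,6 +200,7 @@
         </p></div>
         <?php
 }
+unset( $_action );
         ?>
 <div class="wrap">
         <h1><?php esc_html_e( 'Users' );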
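--- a/src/wp-admin/update.php
+++ b/src/wp-admin/update.php
@@ -17,7 +17,7 @@
 if ( isset($_GET['action']) ) {
         $plugin = isset($_REQUEST['plugin']) ? trim($_REQUEST['plugin']) : '';
         $theme = isset($_REQUEST['theme']) ? urldecode($_REQUEST['theme']) : '';
-        $action = wp_validate_action();
+        $action = wp_raw_request_value( 'action' );
 
         if ( 'update-selected' == $action ) {
                 if ( ! current_user_can( 'update_plugins' ) )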
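--- a/src/wp-admin/user-new.php
+++ b/src/wp-admin/user-new.php
@@ -29,7 +29,7 @@
         add_filter( 'wpmu_signup_user_notification_email', 'admin_created_user_email' );
 }
 
-if ( wp_validate_action( 'adduser' ) ) {
+if ( wp_raw_request_value( 'action', 'adduser' ) ) {
         check_admin_referer( 'add-user', '_wpnonce_add-user' );
 
         $user_details = null;
@@ -101,7 +101,7 @@
         }
         wp_redirect( $redirect );
         die();
-} elseif ( wp_validate_action( 'createuser' ) ) {
+} elseif ( wp_raw_request_value( 'action', 'createuser' ) ) {
         check_admin_referer( 'create-user', '_wpnonce_create-user' );
 
         if ( ! current_user_can( 'create_users' ) ) {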
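--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -4982,24 +4982,25 @@
 }
 
 /**
- * Retrieve and, optionally, validate, an `action` query var
+ * Retrieve and, optionally, validate, a single $_REQUEST string value.
  *
  * @since 4.4.0
  *
- * @param string $action Optional. Action to validate.
- * @return string Empty string if there is no action in the request or it doesn't
- *                match the passed `$action`. Returns the [passed `$action` or
- *                request action on succcess.
+ * @param string $field
+ * @param string|null $value Value to validate. Default null for no validation.
+ * @return string|bool|null
+ *                              Null if request value not set or not a string.
+ *                              Bool if $value non-null.
+ *                              String raw value otherwise.
  */
-function wp_validate_action( $action = '' ) {
-        $r = $_REQUEST;
-        if ( ! isset( $r['action'] ) ) {
-                return '';
+function wp_raw_request_value( $field, $value = null ) {
+        if ( is_string( $field ) && isset( $_REQUEST[ $field ] ) ) {
+                $raw = $_REQUEST[ $field ];
+                if ( is_string( $raw ) ) {
+                        if ( $value !== null ) {
+                                return $value === $raw;
+                        }
+                        return $raw;
+                }
         }
-
-        if ( ! empty( $action ) ) {
-                return $action === $r['action'] ? $action : '';
-        }
-
-        return $r['action'];
-}
\ No newline at end of file
+}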
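Review bot: The new `wp_raw_request_value()` falls off the end with an implicit null whenever `$field` is not a string, the key is absent, or the value is not a string (an array value, for instance); that branch is documented in the `@return` text but invisible in the body, so an explicit `return null;` after the outer `if` on line 5005 would make the contract obvious to the next reader. The `@param string $field` line at 4989 has no description, and since the function's name promises raw input it should state the caller's obligation, for example `@param string $field Key to read from $_REQUEST. The value is returned exactly as submitted, so callers must validate or escape it before use.` It may also be worth noting in the docblock that `$_REQUEST` merges GET and POST (and, depending on PHP's `request_order`, cookies), so the helper cannot tell the caller which source the value came from. The strict `$value === $raw` comparison on line 5001 is the right choice and is what makes the boolean form safe to use in the `if ( wp_raw_request_value( 'action', ... ) )` call sites elsewhere in this patch.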