Ticket #33837: 33837.stringish.diff

src/wp-admin/admin-post.php

@@ -28 +28 @@
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
 
-$action = wp_validate_action();
+$action = wp_raw_request_value( 'action' );
 
 if ( ! wp_validate_auth_cookie() ) {
         if ( empty( $action ) ) {

src/wp-admin/admin.php

@@ -358 +358 @@
         }
 }
 
-$_action = wp_validate_action();
-if ( ! empty( $_action ) ) {
+$_action = wp_raw_request_value( 'action' );
+if ( $_action ) {
         /**
          * Fires when an 'action' request variable is sent.
          *

src/wp-admin/async-upload.php

@@ -6 +6 @@
  * @subpackage Administration
  */
 
-// `wp_validate_action()` isn't loaded yet
+// `wp_raw_request_value()` isn't loaded yet
 if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
         define( 'DOING_AJAX', true );
 }
@@ -20 +20 @@
 else
         require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );
 
-if ( ! wp_validate_action( 'upload-attachment' ) ) {
+if ( ! wp_raw_request_value( 'action', 'upload-attachment' ) ) {
         // Flash often fails to send cookies with the POST or upload, so we need to pass it in GET or POST instead
         if ( is_ssl() && empty($_COOKIE[SECURE_AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) )
                 $_COOKIE[SECURE_AUTH_COOKIE] = $_REQUEST['auth_cookie'];
@@ -35 +35 @@
 
 header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
 
-if ( wp_validate_action( 'upload-attachment' ) ) {
+if ( wp_raw_request_value( 'action', 'upload-attachment' ) ) {
         include( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
 
         send_nosniff_header();

src/wp-admin/includes/class-wp-list-table.php

@@ -427 +427 @@
                          */
                         $this->_actions = apply_filters( "bulk_actions-{$this->screen->id}", $this->_actions );
                         $this->_actions = array_intersect_assoc( $this->_actions, $no_new_actions );
-                        $two = '';
+                        $two = '';              // 'action', 'doaction'
                 } else {
-                        $two = '2';
+                        $two = '2';             // 'action2', 'doaction2'
                 }
 
                 if ( empty( $this->_actions ) )

src/wp-admin/includes/class-wp-terms-list-table.php

@@ -153 +153 @@
          * @return string
          */
         public function current_action() {
-                $action = wp_validate_action();
-                if ( $action && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $_REQUEST['action2'] ) )
+                $action = wp_raw_request_value( 'action' );
+                $action2 = wp_raw_request_value( 'action2' );
+                if ( is_string( $action ) && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $action2 ) ) {
                         return 'bulk-delete';
-
+                }
                 return parent::current_action();
         }
 

src/wp-admin/network/site-info.php

@@ -53 +53 @@
 $parsed_scheme = parse_url( $details->siteurl, PHP_URL_SCHEME );
 $is_main_site = is_main_site( $id );
 
-if ( wp_validate_action( 'update-site' ) ) {
+if ( wp_raw_request_value( 'action', 'update-site' ) ) {
         check_admin_referer( 'edit-site' );
 
         switch_to_blog( $id );

src/wp-admin/network/site-new.php

@@ -33 +33 @@
         '<p>' . __('<a href="https://wordpress.org/support/forum/multisite/" target="_blank">Support Forums</a>') . '</p>'
 );
 
-if ( wp_validate_action( 'add-site' ) ) {
+if ( wp_raw_request_value( 'action', 'add-site' ) ) {
         check_admin_referer( 'add-blog', '_wpnonce_add-blog' );
 
         if ( ! is_array( $_POST['blog'] ) )

src/wp-admin/network/site-settings.php

@@ -48 +48 @@
 
 $is_main_site = is_main_site( $id );
 
-if ( wp_validate_action( 'update-site' ) && is_array( $_POST['option'] ) ) {
+if ( wp_raw_request_value( 'action', 'update-site' ) && is_array( $_POST['option'] ) ) {
         check_admin_referer( 'edit-site' );
 
         switch_to_blog( $id );

src/wp-admin/network/user-new.php

@@ -30 +30 @@
         '<p>' . __('<a href="https://wordpress.org/support/forum/multisite/" target="_blank">Support Forums</a>') . '</p>'
 );
 
-if ( wp_validate_action( 'add-user' ) ) {
+if ( wp_raw_request_value( 'action', 'add-user' ) ) {
         check_admin_referer( 'add-user', '_wpnonce_add-user' );
 
         if ( ! current_user_can( 'manage_network_users' ) )

src/wp-admin/network/users.php

@@ -174 +174 @@
 
 require_once( ABSPATH . 'wp-admin/admin-header.php' );
 
-$action = wp_validate_action();
-if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $action ) ) {
+$_action = wp_raw_request_value( 'action' );
+if ( wp_raw_request_value( 'updated', 'true' ) && $_action ) {
         ?>
         <div id="message" class="updated notice is-dismissible"><p>
                 <?php
-                switch ( $action ) {
+                switch ( $_action ) {
                         case 'delete':
                                 _e( 'User deleted.' );
                         break;
@@ -200 +200 @@
         </p></div>
         <?php
 }
+unset( $_action );
         ?>
 <div class="wrap">
         <h1><?php esc_html_e( 'Users' );

src/wp-admin/update.php

@@ -17 +17 @@
 if ( isset($_GET['action']) ) {
         $plugin = isset($_REQUEST['plugin']) ? trim($_REQUEST['plugin']) : '';
         $theme = isset($_REQUEST['theme']) ? urldecode($_REQUEST['theme']) : '';
-        $action = wp_validate_action();
+        $action = wp_raw_request_value( 'action' );
 
         if ( 'update-selected' == $action ) {
                 if ( ! current_user_can( 'update_plugins' ) )

src/wp-admin/user-new.php

@@ -29 +29 @@
         add_filter( 'wpmu_signup_user_notification_email', 'admin_created_user_email' );
 }
 
-if ( wp_validate_action( 'adduser' ) ) {
+if ( wp_raw_request_value( 'action', 'adduser' ) ) {
         check_admin_referer( 'add-user', '_wpnonce_add-user' );
 
         $user_details = null;
@@ -101 +101 @@
         }
         wp_redirect( $redirect );
         die();
-} elseif ( wp_validate_action( 'createuser' ) ) {
+} elseif ( wp_raw_request_value( 'action', 'createuser' ) ) {
         check_admin_referer( 'create-user', '_wpnonce_create-user' );
 
         if ( ! current_user_can( 'create_users' ) ) {

src/wp-includes/functions.php

@@ -4982 +4982 @@
 }
 
 /**
- * Retrieve and, optionally, validate, an `action` query var
+ * Retrieve and, optionally, validate, a single $_REQUEST string value.
  *
  * @since 4.4.0
  *
- * @param string $action Optional. Action to validate.
- * @return string Empty string if there is no action in the request or it doesn't
- *                match the passed `$action`. Returns the [passed `$action` or
- *                request action on succcess.
+ * @param string $field
+ * @param string|null $value Value to validate. Default null for no validation.
+ * @return string|bool|null
+ *                              Null if request value not set or not a string.
+ *                              Bool if $value non-null.
+ *                              String raw value otherwise.
  */
-function wp_validate_action( $action = '' ) {
-        $r = $_REQUEST;
-        if ( ! isset( $r['action'] ) ) {
-                return '';
+function wp_raw_request_value( $field, $value = null ) {
+        if ( is_string( $field ) && isset( $_REQUEST[ $field ] ) ) {
+                $raw = $_REQUEST[ $field ];
+                if ( is_string( $raw ) ) {
+                        if ( $value !== null ) {
+                                return $value === $raw;
+                        }
+                        return $raw;
+                }
         }
-
-        if ( ! empty( $action ) ) {
-                return $action === $r['action'] ? $action : '';
-        }
-
-        return $r['action'];
-}
- No newline at end of file
+}