Changeset 34059
- Timestamp:
- 09/11/2015 09:07:45 PM (9 years ago)
- Location:
- trunk/src
- Files:
-
- 12 edited
trunk/src/wp-admin/admin-post.php
r30649 r34059 29 29 do_action( 'admin_init' ); 30 30 31 $action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];31 $action = wp_validate_action(); 32 32 33 33 if ( ! wp_validate_auth_cookie() ) { -
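Review bot: The replacement line changes what a request with `action=0` yields: the old `empty()` test mapped the string `'0'` to `''`, while `wp_validate_action()` only returns `''` when the key is absent, so `$action` is now `'0'` for that input. This is probably harmless, but it is a silent behaviour difference in a file whose consumers of `$action` are outside the hunk, so a one-line comment such as `// Unlike the old empty() check, '0' is now kept as a literal action name.` would record the intent. The rest of admin-post.php is not visible here.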
trunk/src/wp-admin/admin.php
r32642 r34059 359 359 } 360 360 361 if ( ! empty( $_REQUEST['action'] ) ) { 361 $_action = wp_validate_action(); 362 if ( ! empty( $_action ) ) { 362 363 /** 363 364 * Fires when an 'action' request variable is sent. 364 365 * 365 * The dynamic portion of the hook name, `$_ REQUEST['action']`,366 * The dynamic portion of the hook name, `$_action`, 366 367 * refers to the action derived from the `GET` or `POST` request. 367 368 * 368 369 * @since 2.6.0 369 370 */ 370 do_action( 'admin_action_' . $_REQUEST['action'] ); 371 } 371 do_action( 'admin_action_' . $_action ); 372 } 373 unset( $_action ); -
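Review bot: The new `$_action` temporary is unset immediately after the `do_action()` call with no comment explaining why. admin.php runs at file scope, so presumably the intent is to keep the value from leaking into the globals seen by the admin screen included later; if so, say it: `unset( $_action ); // file scope: do not leave this as a global for the included screen`. The surrounding docblock still says the action is derived from the `GET` or `POST` request, but `$_REQUEST` can also carry cookie values depending on PHP's `request_order`, so that sentence would be more accurate as "derived from `$_REQUEST`".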
trunk/src/wp-admin/async-upload.php
r33842 r34059 7 7 */ 8 8 9 // `wp_validate_action()` isn't loaded yet 9 10 if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) { 10 11 define( 'DOING_AJAX', true ); … … 20 21 require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' ); 21 22 22 if ( ! ( isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['action']) ) {23 if ( ! wp_validate_action( 'upload-attachment' ) ) { 23 24 // Flash often fails to send cookies with the POST or upload, so we need to pass it in GET or POST instead 24 25 if ( is_ssl() && empty($_COOKIE[SECURE_AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) ) … … 35 36 header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) ); 36 37 37 if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action']) {38 if ( wp_validate_action( 'upload-attachment' ) ) { 38 39 include( ABSPATH . 'wp-admin/includes/ajax-actions.php' ); 39 40 -
trunk/src/wp-admin/includes/class-wp-terms-list-table.php
r33270 r34059 154 154 */ 155 155 public function current_action() { 156 if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $_REQUEST['action'] || 'delete' == $_REQUEST['action2'] ) ) 156 $action = wp_validate_action(); 157 if ( $action && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $_REQUEST['action2'] ) ) 157 158 return 'bulk-delete'; 158 159 -
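Review bot: The rewritten condition still reads `$_REQUEST['action2']` without an `isset()` guard, so a request that carries `action` and `delete_tags` but no `action2` (and whose `action` is not `delete`) triggers an undefined-index notice; the old line had the same gap, but this is the moment to close it. It also mixes the helper's strict comparison with a loose `==` on both values. Suggested: `if ( $action && isset( $_REQUEST['delete_tags'] ) && ( 'delete' === $action || ( isset( $_REQUEST['action2'] ) && 'delete' === $_REQUEST['action2'] ) ) )`. `current_action()` continues past the end of the hunk.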
trunk/src/wp-admin/network/site-info.php
r33921 r34059 54 54 $is_main_site = is_main_site( $id ); 55 55 56 if ( isset( $_REQUEST['action'] ) && 'update-site' == $_REQUEST['action']) {56 if ( wp_validate_action( 'update-site' ) ) { 57 57 check_admin_referer( 'edit-site' ); 58 58 -
trunk/src/wp-admin/network/site-new.php
r33952 r34059 34 34 ); 35 35 36 if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action']) {36 if ( wp_validate_action( 'add-site' ) ) { 37 37 check_admin_referer( 'add-blog', '_wpnonce_add-blog' ); 38 38 -
trunk/src/wp-admin/network/site-settings.php
r33921 r34059 49 49 $is_main_site = is_main_site( $id ); 50 50 51 if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action']&& is_array( $_POST['option'] ) ) {51 if ( wp_validate_action( 'update-site' ) && is_array( $_POST['option'] ) ) { 52 52 check_admin_referer( 'edit-site' ); 53 53 -
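Review bot: The new condition calls `is_array( $_POST['option'] )` without first checking that the key exists, so an `update-site` request that omits `option` raises an undefined-index notice before `check_admin_referer()` is reached. Since the line is being rewritten anyway, guard it: `if ( wp_validate_action( 'update-site' ) && isset( $_POST['option'] ) && is_array( $_POST['option'] ) ) {`. The enclosing block continues outside the hunk.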
trunk/src/wp-admin/network/user-new.php
r33620 r34059 31 31 ); 32 32 33 if ( isset($_REQUEST['action']) && 'add-user' == $_REQUEST['action']) {33 if ( wp_validate_action( 'add-user' ) ) { 34 34 check_admin_referer( 'add-user', '_wpnonce_add-user' ); 35 35 -
trunk/src/wp-admin/network/users.php
r34025 r34059 175 175 require_once( ABSPATH . 'wp-admin/admin-header.php' ); 176 176 177 if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $_REQUEST['action'] ) ) { 177 $action = wp_validate_action(); 178 if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $action ) ) { 178 179 ?> 179 180 <div id="message" class="updated notice is-dismissible"><p> 180 181 <?php 181 switch ( $ _REQUEST['action']) {182 switch ( $action ) { 182 183 case 'delete': 183 184 _e( 'User deleted.' ); -
trunk/src/wp-admin/update.php
r31994 r34059 18 18 $plugin = isset($_REQUEST['plugin']) ? trim($_REQUEST['plugin']) : ''; 19 19 $theme = isset($_REQUEST['theme']) ? urldecode($_REQUEST['theme']) : ''; 20 $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';20 $action = wp_validate_action(); 21 21 22 22 if ( 'update-selected' == $action ) { -
trunk/src/wp-admin/user-new.php
r34021 r34059 30 30 } 31 31 32 if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action']) {32 if ( wp_validate_action( 'adduser' ) ) { 33 33 check_admin_referer( 'add-user', '_wpnonce_add-user' ); 34 34 … … 102 102 wp_redirect( $redirect ); 103 103 die(); 104 } elseif ( isset($_REQUEST['action']) && 'createuser' == $_REQUEST['action']) {104 } elseif ( wp_validate_action( 'createuser' ) ) { 105 105 check_admin_referer( 'create-user', '_wpnonce_create-user' ); 106 106 -
trunk/src/wp-includes/functions.php
r33969 r34059 4981 4981 <?php 4982 4982 } 4983 4984 /** 4985 * Retrieve and, optionally, validate, an `action` query var 4986 * 4987 * @since 4.4.0 4988 * 4989 * @param string $action Optional. Action to validate. 4990 * @return string Empty string if there is no action in the request or it doesn't 4991 * match the passed `$action`. Returns the [passed `$action` or 4992 * request action on succcess. 4993 */ 4994 function wp_validate_action( $action = '' ) { 4995 $r = $_REQUEST; 4996 if ( ! isset( $r['action'] ) ) { 4997 return ''; 4998 } 4999 5000 if ( ! empty( $action ) ) { 5001 return $action === $r['action'] ? $action : ''; 5002 } 5003 5004 return $r['action']; 5005 }
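Review bot: `wp_validate_action()` returns `$r['action']` without checking its type, so when `action` arrives as an array (PHP builds one from `action[]` in a query string or form body) the bare form hands that array back, and the callers in this changeset that concatenate or switch on it — `do_action( 'admin_action_' . $_action )` in admin.php, `switch ( $action )` in network/users.php, the `$action` assignments in admin-post.php and update.php, and the `'delete' == $action` test in class-wp-terms-list-table.php — receive a non-string. The old inline `$_REQUEST['action']` reads had the same hole, which is exactly why the helper is the right place to close it: `if ( ! isset( $r['action'] ) || ! is_string( $r['action'] ) ) {` followed by `return '';` makes the documented `string` return type true. The docblock has two typos (`the [passed` should be `the passed`, `succcess` should be `success`) and, given how much the name promises, should state plainly that with no argument the function performs no validation beyond presence and that `$_REQUEST` may include cookie values depending on `request_order`. The `$r = $_REQUEST;` copy adds nothing over reading `$_REQUEST['action']` directly.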