Changeset 34059


Ignore:
Timestamp:
09/11/2015 09:07:45 PM (4 years ago)
Author:
wonderboymusic
Message:

Introduce wp_validate_action( $action = '' ), a helper function that checks $_REQUEST for action and returns it, or an empty string if not present. If $action is passed, it checks that the two match before returning it, or an empty string otherwise. Strings are always returned to avoid returning multiple types.

Implementing this removes 27 uses of direct superglobal access in the admin.

For more reading:
https://codeclimate.com/github/WordPress/WordPress/wp-admin/edit-comments.php

See #33837.

Location:
trunk/src
Files:
12 edited

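--- a/trunk/src/wp-admin/admin-post.php
+++ b/trunk/src/wp-admin/admin-post.php
@@ -29,5 +29,5 @@
 do_action( 'admin_init' );
 
-$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
+$action = wp_validate_action();
 
 if ( ! wp_validate_auth_cookie() ) {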
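Review bot: The new line 31 changes the guard from `empty()` to the `isset()` used inside wp_validate_action(), so a request carrying `action=` or `action=0` used to yield `''` here and now yields that raw value. Whether the dispatch further down admin-post.php (outside this section) treats `''` and `'0'` alike cannot be confirmed from the section; if it keys off `empty( $action )` nothing changes, otherwise the old semantics are kept with `$action = wp_validate_action(); if ( empty( $action ) ) { $action = ''; }`. The same helper is adopted in update.php and the network files, where the surrounding checks already use `! empty()` or truthiness and so are unaffected.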
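--- a/trunk/src/wp-admin/admin.php
+++ b/trunk/src/wp-admin/admin.php
@@ -359,13 +359,15 @@
 }
 
-if ( ! empty( $_REQUEST['action'] ) ) {
+$_action = wp_validate_action();
+if ( ! empty( $_action ) ) {
     /**
      * Fires when an 'action' request variable is sent.
      *
-     * The dynamic portion of the hook name, `$_REQUEST['action']`,
+     * The dynamic portion of the hook name, `$_action`,
      * refers to the action derived from the `GET` or `POST` request.
      *
      * @since 2.6.0
      */
-    do_action( 'admin_action_' . $_REQUEST['action'] );
-}
+    do_action( 'admin_action_' . $_action );
+}
+unset( $_action );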
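--- a/trunk/src/wp-admin/async-upload.php
+++ b/trunk/src/wp-admin/async-upload.php
@@ -7,4 +7,5 @@
  */
 
+// `wp_validate_action()` isn't loaded yet
 if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
     define( 'DOING_AJAX', true );
@@ -20,5 +21,5 @@
     require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );
 
-if ( ! ( isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['action'] ) ) {
+if ( ! wp_validate_action( 'upload-attachment' ) ) {
     // Flash often fails to send cookies with the POST or upload, so we need to pass it in GET or POST instead
     if ( is_ssl() && empty($_COOKIE[SECURE_AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) )
@@ -35,5 +36,5 @@
 header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
 
-if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
+if ( wp_validate_action( 'upload-attachment' ) ) {
     include( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
 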
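--- a/trunk/src/wp-admin/includes/class-wp-terms-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-terms-list-table.php
@@ -154,5 +154,6 @@
      */
     public function current_action() {
-        if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $_REQUEST['action'] || 'delete' == $_REQUEST['action2'] ) )
+        $action = wp_validate_action();
+        if ( $action && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $_REQUEST['action2'] ) )
             return 'bulk-delete';
 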
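Review bot: The rewritten line 157 still reads `$_REQUEST['action2']` without an `isset()` guard and with a loose `==`, so only half of the condition benefits from the new helper; the unguarded read predates this commit, but since the line is being rewritten anyway it could become `( 'delete' === $action || ( isset( $_REQUEST['action2'] ) && 'delete' === $_REQUEST['action2'] ) )`. The `$action &&` truthiness test also treats an action of `'0'` as absent, which matches the old `isset()`-plus-comparison behaviour only because `'0'` can never equal `'delete'`. current_action() continues past the end of this section.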
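--- a/trunk/src/wp-admin/network/site-info.php
+++ b/trunk/src/wp-admin/network/site-info.php
@@ -54,5 +54,5 @@
 $is_main_site = is_main_site( $id );
 
-if ( isset( $_REQUEST['action'] ) && 'update-site' == $_REQUEST['action'] ) {
+if ( wp_validate_action( 'update-site' ) ) {
     check_admin_referer( 'edit-site' );
 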
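--- a/trunk/src/wp-admin/network/site-new.php
+++ b/trunk/src/wp-admin/network/site-new.php
@@ -34,5 +34,5 @@
 );
 
-if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) {
+if ( wp_validate_action( 'add-site' ) ) {
     check_admin_referer( 'add-blog', '_wpnonce_add-blog' );
 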
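--- a/trunk/src/wp-admin/network/site-settings.php
+++ b/trunk/src/wp-admin/network/site-settings.php
@@ -49,5 +49,5 @@
 $is_main_site = is_main_site( $id );
 
-if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] && is_array( $_POST['option'] ) ) {
+if ( wp_validate_action( 'update-site' ) && is_array( $_POST['option'] ) ) {
     check_admin_referer( 'edit-site' );
 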
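--- a/trunk/src/wp-admin/network/user-new.php
+++ b/trunk/src/wp-admin/network/user-new.php
@@ -31,5 +31,5 @@
 );
 
-if ( isset($_REQUEST['action']) && 'add-user' == $_REQUEST['action'] ) {
+if ( wp_validate_action( 'add-user' ) ) {
     check_admin_referer( 'add-user', '_wpnonce_add-user' );
 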
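--- a/trunk/src/wp-admin/network/users.php
+++ b/trunk/src/wp-admin/network/users.php
@@ -175,9 +175,10 @@
 require_once( ABSPATH . 'wp-admin/admin-header.php' );
 
-if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $_REQUEST['action'] ) ) {
+$action = wp_validate_action();
+if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $action ) ) {
     ?>
     <div id="message" class="updated notice is-dismissible"><p>
         <?php
-        switch ( $_REQUEST['action'] ) {
+        switch ( $action ) {
             case 'delete':
                 _e( 'User deleted.' );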
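--- a/trunk/src/wp-admin/update.php
+++ b/trunk/src/wp-admin/update.php
@@ -18,5 +18,5 @@
     $plugin = isset($_REQUEST['plugin']) ? trim($_REQUEST['plugin']) : '';
     $theme = isset($_REQUEST['theme']) ? urldecode($_REQUEST['theme']) : '';
-    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
+    $action = wp_validate_action();
 
     if ( 'update-selected' == $action ) {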
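--- a/trunk/src/wp-admin/user-new.php
+++ b/trunk/src/wp-admin/user-new.php
@@ -30,5 +30,5 @@
 }
 
-if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action'] ) {
+if ( wp_validate_action( 'adduser' ) ) {
     check_admin_referer( 'add-user', '_wpnonce_add-user' );
 
@@ -102,5 +102,5 @@
     wp_redirect( $redirect );
     die();
-} elseif ( isset($_REQUEST['action']) && 'createuser' == $_REQUEST['action'] ) {
+} elseif ( wp_validate_action( 'createuser' ) ) {
     check_admin_referer( 'create-user', '_wpnonce_create-user' );
 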
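--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -4981,2 +4981,25 @@
     <?php
 }
+
+/**
+ * Retrieve and, optionally, validate, an `action` query var
+ *
+ * @since 4.4.0
+ *
+ * @param string $action Optional. Action to validate.
+ * @return string Empty string if there is no action in the request or it doesn't
+ *                match the passed `$action`. Returns the [passed `$action` or
+ *                request action on succcess.
+ */
+function wp_validate_action( $action = '' ) {
+    $r = $_REQUEST;
+    if ( ! isset( $r['action'] ) ) {
+        return '';
+    }
+
+    if ( ! empty( $action ) ) {
+        return $action === $r['action'] ? $action : '';
+    }
+
+    if ( ! empty( $action ) ) {
+        return $action === $r['action'] ? $action : '';
+    }
+
+    return $r['action'];
+}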
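Review bot: wp_validate_action() can still return a non-string: when the request carries `action` as an array (`action[]=...`), the unvalidated branch on the new line 5004 returns that array as-is, contradicting both the `@return string` docblock and the commit message's "strings are always returned", and callers such as the `'admin_action_' . $_action` concatenation in admin.php then see `Array`. Tightening the guard on line 4996 to `if ( ! isset( $r['action'] ) || ! is_string( $r['action'] ) ) {` keeps the contract, while the `===` path on line 5001 already rejects arrays. The `$r = $_REQUEST;` copy on line 4995 adds nothing and the function could read `$_REQUEST` directly. The docblock has two typos, `succcess` → `success` and the stray bracket in `the [passed`, and since the value is read from `$_REQUEST` it would help to say there that the source is the merged GET/POST data (plus cookies, depending on PHP's `request_order`) rather than one specific method.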