
Changeset 58069


Timestamp:
05/01/2024 05:59:05 PM (5 months ago)
Author:
swissspidy
Message:

General: Remove any usage of wp_reset_vars().

The way wp_reset_vars() sets global variables based on $_POST and $_GET values makes code hard to understand and maintain. It also makes it easy to forget to sanitize input.

This change removes the few places where wp_reset_vars() is used in the admin to explicitly use $_REQUEST and sanitize any input.

Props swissspidy, audrasjb, davideferre, killua99, weijland, voldemortensen.
Fixes #38073.

Location:
trunk/src/wp-admin
Files:
22 edited

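--- a/trunk/src/wp-admin/admin-post.php
+++ b/trunk/src/wp-admin/admin-post.php
@@ -30,5 +30,5 @@
 do_action( 'admin_init' );
 
-$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 // Reject invalid parameters.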
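--- a/trunk/src/wp-admin/comment.php
+++ b/trunk/src/wp-admin/comment.php
@@ -17,5 +17,6 @@
  */
 global $action;
-wp_reset_vars( array( 'action' ) );
+
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 if ( isset( $_POST['deletecomment'] ) ) {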
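Review bot: Reading `$_REQUEST['action']` on line 20 widens where the value can come from compared with the removed `wp_reset_vars()`, which (as I recall its implementation) consulted only `$_POST` and then `$_GET`: on hosts where `request_order` is left unset, PHP fills `$_REQUEST` according to `variables_order` and so includes `$_COOKIE`, letting a cookie named `action` drive the action dispatch further down (outside this hunk). The per-action nonce checks presumably still gate the destructive paths, so this is a hardening gap rather than a bypass, but it is a behavioural change the commit message does not mention. If the old precedence is wanted, `$action = ! empty( $_POST['action'] ) ? $_POST['action'] : ( ! empty( $_GET['action'] ) ? $_GET['action'] : '' );` followed by `$action = sanitize_text_field( $action );` preserves it. The same observation applies to every file in this changeset that moved from `wp_reset_vars()` to `$_REQUEST`.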
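--- a/trunk/src/wp-admin/customize.php
+++ b/trunk/src/wp-admin/customize.php
@@ -85,6 +85,8 @@
 }
 
-
-wp_reset_vars( array( 'url', 'return', 'autofocus' ) );
+$url       = ! empty( $_REQUEST['url'] ) ? sanitize_text_field( $_REQUEST['url'] ) : '';
+$return    = ! empty( $_REQUEST['return'] ) ? sanitize_text_field( $_REQUEST['return'] ) : '';
+$autofocus = ! empty( $_REQUEST['autofocus'] ) ? sanitize_text_field( $_REQUEST['autofocus'] ) : '';
+
 if ( ! empty( $url ) ) {
     $wp_customize->set_preview_url( wp_unslash( $url ) );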
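Review bot: `$autofocus` on line 89 is most likely an array rather than a string — customize.php deep links use `autofocus[panel|section|control]=id` — and `sanitize_text_field()` does not return an array for array input, so the value is probably discarded here and the consumer further down (outside this hunk) never sees it; the removed `wp_reset_vars()` passed the array through untouched. Sanitizing element by element keeps the feature while still cleaning both keys and values, as sketched below. Separately, `$url` and `$return` on lines 87–88 are URLs, and `sanitize_text_field()` strips percent-encoded octets (as I recall from `_sanitize_text_fields()`), so `sanitize_url()` fits better: `$url = ! empty( $_REQUEST['url'] ) ? sanitize_url( wp_unslash( $_REQUEST['url'] ) ) : '';`. If that is adopted, the `wp_unslash( $url )` on line 92 should be dropped to avoid unslashing twice.
```php
$autofocus = array();
if ( ! empty( $_REQUEST['autofocus'] ) && is_array( $_REQUEST['autofocus'] ) ) {
	foreach ( wp_unslash( $_REQUEST['autofocus'] ) as $type => $id ) {
		if ( is_string( $id ) ) {
			$autofocus[ sanitize_key( $type ) ] = sanitize_text_field( $id );
		}
	}
}
// … unchanged: $url / $return assignments and preview URL handling …
```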
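--- a/trunk/src/wp-admin/edit-tag-form.php
+++ b/trunk/src/wp-admin/edit-tag-form.php
@@ -45,9 +45,5 @@
 }
 
-/**
- * Use with caution, see https://developer.wordpress.org/reference/functions/wp_reset_vars/
- */
-wp_reset_vars( array( 'wp_http_referer' ) );
-
+$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_text_field( $_REQUEST['wp_http_referer'] ) : '';
 $wp_http_referer = remove_query_arg( array( 'action', 'message', 'tag_ID' ), $wp_http_referer );
 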
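Review bot: `sanitize_text_field()` is a lossy choice for `$wp_http_referer` on line 47, which is a URL: as I recall, `_sanitize_text_fields()` removes percent-encoded octets (`%20`, `%2F`, …), so a referer carrying an encoded search term or path is altered before `remove_query_arg()` on line 48 sees it. `sanitize_url()` (the un-deprecated alias of `esc_url_raw()`) is the sanitizer meant for this shape of input and additionally rejects unsafe schemes: `$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_url( wp_unslash( $_REQUEST['wp_http_referer'] ) ) : '';` — the `wp_unslash()` because WordPress adds slashes to the request superglobals. How the value is escaped when printed into the form is outside this hunk and still needs `esc_url()`/`esc_attr()` at output.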
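--- a/trunk/src/wp-admin/includes/class-wp-links-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-links-list-table.php
@@ -51,5 +51,8 @@
         global $cat_id, $s, $orderby, $order;
 
-        wp_reset_vars( array( 'action', 'cat_id', 'link_id', 'orderby', 'order', 's' ) );
+        $cat_id  = ! empty( $_REQUEST['cat_id'] ) ? absint( $_REQUEST['cat_id'] ) : 0;
+        $orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : '';
+        $order   = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : '';
+        $s       = ! empty( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : '';
 
         $args = array(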
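Review bot: `! empty( $_REQUEST['s'] )` on line 56 treats the search string `"0"` as absent, so a user searching links for `0` silently gets the unfiltered list; `isset( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : ''` keeps the sanitization without that hole. As far as I recall, `wp_reset_vars()` also used `empty()`, so this is not a regression introduced here, but the rewrite is the natural place to fix it. The same `! empty()` pattern is harmless for `cat_id`, `orderby` and `order`, where `0`/`"0"` are not meaningful values. Whether `$order` is later normalised to ASC/DESC depends on the consumer of `$args`, which starts on line 58 and runs past this hunk.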
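--- a/trunk/src/wp-admin/includes/class-wp-ms-themes-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-ms-themes-list-table.php
@@ -100,5 +100,7 @@
         global $status, $totals, $page, $orderby, $order, $s;
 
-        wp_reset_vars( array( 'orderby', 'order', 's' ) );
+        $orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : '';
+        $order   = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : '';
+        $s       = ! empty( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : '';
 
         $themes = array(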
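--- a/trunk/src/wp-admin/includes/class-wp-plugin-install-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-plugin-install-list-table.php
@@ -93,5 +93,5 @@
         global $tabs, $tab, $paged, $type, $term;
 
-        wp_reset_vars( array( 'tab' ) );
+        $tab = ! empty( $_REQUEST['tab'] ) ? sanitize_text_field( $_REQUEST['tab'] ) : '';
 
         $paged = $this->get_pagenum();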
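--- a/trunk/src/wp-admin/includes/class-wp-plugins-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-plugins-list-table.php
@@ -91,5 +91,6 @@
         global $status, $plugins, $totals, $page, $orderby, $order, $s;
 
-        wp_reset_vars( array( 'orderby', 'order' ) );
+        $orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : '';
+        $order   = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : '';
 
         /**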
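--- a/trunk/src/wp-admin/includes/class-wp-theme-install-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-theme-install-list-table.php
@@ -37,5 +37,6 @@
 
         global $tabs, $tab, $paged, $type, $theme_field_defaults;
-        wp_reset_vars( array( 'tab' ) );
+
+        $tab = ! empty( $_REQUEST['tab'] ) ? sanitize_text_field( $_REQUEST['tab'] ) : '';
 
         $search_terms  = array();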
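--- a/trunk/src/wp-admin/includes/misc.php
+++ b/trunk/src/wp-admin/includes/misc.php
@@ -576,5 +576,4 @@
 }
 
-
 /**
  * Resets global variables based on $_GET and $_POST.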
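--- a/trunk/src/wp-admin/link-add.php
+++ b/trunk/src/wp-admin/link-add.php
@@ -18,5 +18,7 @@
 $parent_file = 'link-manager.php';
 
-wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
+$action  = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$cat_id  = ! empty( $_REQUEST['cat_id'] ) ? absint( $_REQUEST['cat_id'] ) : 0;
+$link_id = ! empty( $_REQUEST['link_id'] ) ? absint( $_REQUEST['link_id'] ) : 0;
 
 wp_enqueue_script( 'link' );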
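--- a/trunk/src/wp-admin/link.php
+++ b/trunk/src/wp-admin/link.php
@@ -13,5 +13,7 @@
 require_once __DIR__ . '/admin.php';
 
-wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
+$action  = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$cat_id  = ! empty( $_REQUEST['cat_id'] ) ? absint( $_REQUEST['cat_id'] ) : 0;
+$link_id = ! empty( $_REQUEST['link_id'] ) ? absint( $_REQUEST['link_id'] ) : 0;
 
 if ( ! current_user_can( 'manage_links' ) ) {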
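--- a/trunk/src/wp-admin/media.php
+++ b/trunk/src/wp-admin/media.php
@@ -16,5 +16,5 @@
 $submenu_file = 'upload.php';
 
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 switch ( $action ) {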
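--- a/trunk/src/wp-admin/options-head.php
+++ b/trunk/src/wp-admin/options-head.php
@@ -9,5 +9,5 @@
  */
 
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 if ( isset( $_GET['updated'] ) && isset( $_GET['page'] ) ) {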
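--- a/trunk/src/wp-admin/options.php
+++ b/trunk/src/wp-admin/options.php
@@ -24,5 +24,6 @@
 $parent_file = 'options-general.php';
 
-wp_reset_vars( array( 'action', 'option_page' ) );
+$action      = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$option_page = ! empty( $_REQUEST['option_page'] ) ? sanitize_text_field( $_REQUEST['option_page'] ) : '';
 
 $capability = 'manage_options';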
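--- a/trunk/src/wp-admin/post.php
+++ b/trunk/src/wp-admin/post.php
@@ -15,5 +15,5 @@
 $submenu_file = 'edit.php';
 
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {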
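--- a/trunk/src/wp-admin/revision.php
+++ b/trunk/src/wp-admin/revision.php
@@ -22,12 +22,14 @@
  * @global int    $to       Optional, required if revision missing. The revision to compare to.
  */
-wp_reset_vars( array( 'revision', 'action', 'from', 'to' ) );
 
-$revision_id = absint( $revision );
+$revision_id = ! empty( $_REQUEST['revision'] ) ? absint( $_REQUEST['revision'] ) : 0;
+$action      = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$from        = ! empty( $_REQUEST['from'] ) && is_numeric( $_REQUEST['from'] ) ? absint( $_REQUEST['from'] ) : null;
+$to          = ! empty( $_REQUEST['to'] ) && is_numeric( $_REQUEST['to'] ) ? absint( $_REQUEST['to'] ) : null;
 
-$from = is_numeric( $from ) ? absint( $from ) : null;
 if ( ! $revision_id ) {
-    $revision_id = absint( $to );
+    $revision_id = $to;
 }
+
 $redirect = 'edit.php';
 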
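--- a/trunk/src/wp-admin/site-health.php
+++ b/trunk/src/wp-admin/site-health.php
@@ -10,5 +10,5 @@
 require_once __DIR__ . '/admin.php';
 
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 $tabs = array(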
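--- a/trunk/src/wp-admin/theme-editor.php
+++ b/trunk/src/wp-admin/theme-editor.php
@@ -57,5 +57,8 @@
 );
 
-wp_reset_vars( array( 'action', 'error', 'file', 'theme' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$theme  = ! empty( $_REQUEST['theme'] ) ? sanitize_text_field( $_REQUEST['theme'] ) : '';
+$file   = ! empty( $_REQUEST['file'] ) ? sanitize_text_field( $_REQUEST['file'] ) : '';
+$error  = ! empty( $_REQUEST['error'] );
 
 if ( $theme ) {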
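Review bot: `sanitize_text_field()` on lines 60–61 is a text clean-up, not a path or theme-slug check: it leaves `..` segments and slashes in `$file` intact, so the decision about which theme file may be read or written must still rest on the `validate_file()` / theme file-list checks later in the script (outside this hunk), and a comment here would make that dependency explicit: `// Text sanitization only; $file is validated against the theme's file list below.` Note also that `$error` on line 62 changed type from the raw request string to a bool; that is fine if it is only tested for truthiness, but any code that previously echoed or compared the string value now sees `true`/`false` instead.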
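--- a/trunk/src/wp-admin/theme-install.php
+++ b/trunk/src/wp-admin/theme-install.php
@@ -11,5 +11,5 @@
 require ABSPATH . 'wp-admin/includes/theme-install.php';
 
-wp_reset_vars( array( 'tab' ) );
+$tab = ! empty( $_REQUEST['tab'] ) ? sanitize_text_field( $_REQUEST['tab'] ) : '';
 
 if ( ! current_user_can( 'install_themes' ) ) {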
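--- a/trunk/src/wp-admin/themes.php
+++ b/trunk/src/wp-admin/themes.php
@@ -216,5 +216,7 @@
     $themes = wp_prepare_themes_for_js( array( wp_get_theme() ) );
 }
-wp_reset_vars( array( 'theme', 'search' ) );
+
+$theme  = ! empty( $_REQUEST['theme'] ) ? sanitize_text_field( $_REQUEST['theme'] ) : '';
+$search = ! empty( $_REQUEST['search'] ) ? sanitize_text_field( $_REQUEST['search'] ) : '';
 
 wp_localize_script(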
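--- a/trunk/src/wp-admin/user-edit.php
+++ b/trunk/src/wp-admin/user-edit.php
@@ -13,7 +13,8 @@
 require_once ABSPATH . 'wp-admin/includes/translation-install.php';
 
-wp_reset_vars( array( 'action', 'user_id', 'wp_http_referer' ) );
-
-$user_id      = (int) $user_id;
+$action          = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$user_id         = ! empty( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
+$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_text_field( $_REQUEST['wp_http_referer'] ) : '';
+
 $current_user = wp_get_current_user();
 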
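Review bot: `$wp_http_referer` on line 17 is a URL, and `sanitize_text_field()` is a lossy sanitizer for URLs — as I recall, `_sanitize_text_fields()` removes percent-encoded octets, so an encoded referer such as `users.php?s=a%20b` is rewritten before the redirect logic further down (outside this hunk) uses it. `sanitize_url()` is the purpose-built function and also rejects unsafe schemes: `$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_url( wp_unslash( $_REQUEST['wp_http_referer'] ) ) : '';`. The `absint()` on `$user_id` (line 16) is the right call; it matches the old `(int)` cast for positive ids and folds negative values to their magnitude rather than letting them through.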