From 140b29db8741e06af58895c5db7b84d749d9ca01 Mon Sep 17 00:00:00 2001
From: Helen Hou-Sandi
Date: Mon, 2 Nov 2020 18:40:06 +0000
Subject: [PATCH] Privacy: More precise checking of user request action names.

Props garrett-eclipse.
Fixes #46536.

git-svn-id: https://develop.svn.wordpress.org/trunk@49475 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/user.php | 2 +-
 .../tests/privacy/wpCreateUserRequest.php | 19 ++++++++++++++---
 .../phpunit/tests/user/wpSendUserRequest.php | 4 ++--
 tests/qunit/fixtures/wp-api-generated.js | 21 +++++++++++++++++++
 4 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 0c207116e4..4418381185 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -3773,7 +3773,7 @@ function wp_create_user_request( $email_address = '', $action_name = '', $reques
 return new WP_Error( 'invalid_email', __( 'Invalid email address.' ) );
 }
 
-if ( ! $action_name ) {
+if ( ! in_array( $action_name, _wp_privacy_action_request_types(), true ) ) {
 return new WP_Error( 'invalid_action', __( 'Invalid action name.' ) );
 }
 
diff --git a/tests/phpunit/tests/privacy/wpCreateUserRequest.php b/tests/phpunit/tests/privacy/wpCreateUserRequest.php
index 17a20a587e..3df2e35156 100644
--- a/tests/phpunit/tests/privacy/wpCreateUserRequest.php
+++ b/tests/phpunit/tests/privacy/wpCreateUserRequest.php
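Review bot: The new allow-list check `if ( ! in_array( $action_name, _wp_privacy_action_request_types(), true ) )` is only correct in this position if `$action_name` has already been normalised, and that dependency is invisible in the hunk: the accompanying test `test_sanitized_action_name` expects the raw value `'export[_person*al_\data'` to be accepted, so the sanitising step is presumably a few lines above, outside view. A comment above the check would pin that ordering for future edits, e.g. `// $action_name has already been sanitized above; only the request types returned by _wp_privacy_action_request_types() are accepted.` The strict comparison also turns the previous truthiness test into a type-and-value check, so `false`, `''` and any unknown string now all yield the same `invalid_action` error, which is the behaviour the new tests pin. wp_create_user_request begins and ends outside the hunk.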
@@ -92,13 +92,26 @@ class Tests_WpCreateUserRequest extends WP_UnitTestCase {
 $this->assertSame( 'invalid_email', $actual->get_error_code() );
 }
 
+/**
+ * Ensure a WP_Error is returned when no action is passed.
+ *
+ * @ticket 46536
+ */
+public function test_missing_action() {
+$actual = wp_create_user_request( self::$registered_user_email, false );
+
+$this->assertWPError( $actual );
+$this->assertSame( 'invalid_action', $actual->get_error_code() );
+}
+
 /**
 * Ensure a WP_Error is returned when an invalid action is passed.
 *
 * @ticket 44707
+ * @ticket 46536
 */
 public function test_invalid_action() {
-$actual = wp_create_user_request( self::$registered_user_email, false );
+$actual = wp_create_user_request( self::$registered_user_email, 'invalid_action_name' );
 
 $this->assertWPError( $actual );
 $this->assertSame( 'invalid_action', $actual->get_error_code() );
@@ -161,13 +174,13 @@ class Tests_WpCreateUserRequest extends WP_UnitTestCase {
 * @ticket 44707
 */
 public function test_sanitized_action_name() {
-$actual = wp_create_user_request( self::$non_registered_user_email, 'some[custom*action\name' );
+$actual = wp_create_user_request( self::$non_registered_user_email, 'export[_person*al_\data' );
 
 $this->assertNotWPError( $actual );
 
 $post = get_post( $actual );
 
-$this->assertSame( 'somecustomactionname', $post->post_name );
+$this->assertSame( 'export_personal_data', $post->post_name );
 $this->assertSame( self::$non_registered_user_email, $post->post_title );
 }
 
diff --git a/tests/phpunit/tests/user/wpSendUserRequest.php b/tests/phpunit/tests/user/wpSendUserRequest.php
index bbc02ea98d..7f87cb8897 100644
--- a/tests/phpunit/tests/user/wpSendUserRequest.php
+++ b/tests/phpunit/tests/user/wpSendUserRequest.php
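Review bot: `test_missing_action` passes `false` explicitly, so its docblock `Ensure a WP_Error is returned when no action is passed.` does not describe what actually runs; the parameter's default is `''` (visible in the user.php hunk header), and omitting the argument is what would exercise it. Either call `wp_create_user_request( self::$registered_user_email )` or reword the docblock to `Ensure a WP_Error is returned when a non-string action is passed.` Since the production check now compares strictly, `false`, `''` and an unknown string are three distinct rejected inputs, and covering them separately (or via a data provider) would document that boundary. The class Tests_WpCreateUserRequest continues outside the hunk.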
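Review bot: `test_sanitized_action_name` now depends on the sanitised form of `'export[_person*al_\data'` landing exactly on an allowed request type, which couples it to the new allow-list check in user.php, yet its docblock still lists only `@ticket 44707`; add `* @ticket 46536` as was done for `test_invalid_action`. A one-line comment on the call, `// The raw value must sanitize to an allowed request type or the request is rejected.`, would make the intent clear to whoever next changes the fixture string. The method's docblock starts outside the hunk.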
@@ -374,7 +374,7 @@ class Tests_User_WpSendUserRequest extends WP_UnitTestCase {
 update_user_meta( self::$admin_user->ID, 'locale', 'es_ES' );
 wp_set_current_user( self::$admin_user->ID );
 
-$request_id = wp_create_user_request( 'erase-user-not-registered@example.com', 'erase_personal_data' );
+$request_id = wp_create_user_request( 'erase-user-not-registered@example.com', 'remove_personal_data' );
 wp_send_user_request( $request_id );
 
 $mailer = tests_retrieve_phpmailer_instance();
@@ -396,7 +396,7 @@ class Tests_User_WpSendUserRequest extends WP_UnitTestCase {
 update_user_meta( self::$admin_user->ID, 'locale', 'de_DE' );
 wp_set_current_user( self::$admin_user->ID );
 
-$request_id = wp_create_user_request( 'export-user-not-registered@example.com', 'erase_personal_data' );
+$request_id = wp_create_user_request( 'export-user-not-registered@example.com', 'remove_personal_data' );
 wp_send_user_request( $request_id );
 
 $mailer = tests_retrieve_phpmailer_instance();
diff --git a/tests/qunit/fixtures/wp-api-generated.js b/tests/qunit/fixtures/wp-api-generated.js
index 20a1d682c5..94e7efcfb5 100644
--- a/tests/qunit/fixtures/wp-api-generated.js
+++ b/tests/qunit/fixtures/wp-api-generated.js
@@ -6159,6 +6159,27 @@ mockedApiResponse.Schema = {
 ]
 }
 },
+"/wp-site-health/v1/tests/authorization-header": {
+"namespace": "wp-site-health/v1",
+"methods": [
+"GET"
+],
+"endpoints": [
+{
+"methods": [
+"GET"
+],
+"args": []
+}
+],
+"_links": {
+"self": [
+{
+"href": "http://example.org/index.php?rest_route=/wp-site-health/v1/tests/authorization-header"
+}
+]
+}
+},
 "/wp-site-health/v1/directory-sizes": {
 "namespace": "wp-site-health/v1",
 "methods": [
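Review bot: The second hunk (`@@ -396,7 +396,7 @@`) switches the `'export-user-not-registered@example.com'` request to `'remove_personal_data'` while its address suggests an export scenario; if the enclosing test is about export mail, `'export_personal_data'` is the matching type, otherwise the address should be renamed so the fixture is not misleading. Both hunks were previously creating requests with the unrecognised `'erase_personal_data'` name and presumably still passed, which suggests the assertions further down never check which request type was created; asserting `get_post( $request_id )->post_name` against the intended type would catch a future mismatch. The enclosing test methods start and end outside the hunks.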