mirror of
https://github.com/gosticks/wordpress-develop.git
synced 2026-06-28 14:20:15 +00:00
Introduce wp_validate_action( $action = '' ), a helper function that checks $_REQUEST for action and returns it, or empty string if not present. If $action is passed, it checks to make sure they match before returning it, or an empty string. Strings are always returned to avoid returning multiple types.
Implementing this removes 27 uses of direct superglobal access in the admin. For more reading: https://codeclimate.com/github/WordPress/WordPress/wp-admin/edit-comments.php See #33837. git-svn-id: https://develop.svn.wordpress.org/trunk@34059 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Scott Taylor
@@ -28,7 +28,7 @@ nocache_headers();
|
||||
/** This action is documented in wp-admin/admin.php */
|
||||
do_action( 'admin_init' );
|
||||
|
||||
$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
|
||||
$action = wp_validate_action();
|
||||
|
||||
if ( ! wp_validate_auth_cookie() ) {
|
||||
if ( empty( $action ) ) {
|
||||
|
||||
@@ -358,14 +358,16 @@ if ( isset($plugin_page) ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( ! empty( $_REQUEST['action'] ) ) {
|
||||
$_action = wp_validate_action();
|
||||
if ( ! empty( $_action ) ) {
|
||||
/**
|
||||
* Fires when an 'action' request variable is sent.
|
||||
*
|
||||
* The dynamic portion of the hook name, `$_REQUEST['action']`,
|
||||
* The dynamic portion of the hook name, `$_action`,
|
||||
* refers to the action derived from the `GET` or `POST` request.
|
||||
*
|
||||
* @since 2.6.0
|
||||
*/
|
||||
do_action( 'admin_action_' . $_REQUEST['action'] );
|
||||
do_action( 'admin_action_' . $_action );
|
||||
}
|
||||
unset( $_action );
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @subpackage Administration
|
||||
*/
|
||||
|
||||
// `wp_validate_action()` isn't loaded yet
|
||||
if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
|
||||
define( 'DOING_AJAX', true );
|
||||
}
|
||||
@@ -19,7 +20,7 @@ if ( defined('ABSPATH') )
|
||||
else
|
||||
require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );
|
||||
|
||||
if ( ! ( isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['action'] ) ) {
|
||||
if ( ! wp_validate_action( 'upload-attachment' ) ) {
|
||||
// Flash often fails to send cookies with the POST or upload, so we need to pass it in GET or POST instead
|
||||
if ( is_ssl() && empty($_COOKIE[SECURE_AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) )
|
||||
$_COOKIE[SECURE_AUTH_COOKIE] = $_REQUEST['auth_cookie'];
|
||||
@@ -34,7 +35,7 @@ require_once( ABSPATH . 'wp-admin/admin.php' );
|
||||
|
||||
header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
|
||||
|
||||
if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
|
||||
if ( wp_validate_action( 'upload-attachment' ) ) {
|
||||
include( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
|
||||
|
||||
send_nosniff_header();
|
||||
|
||||
@@ -153,7 +153,8 @@ class WP_Terms_List_Table extends WP_List_Table {
|
||||
* @return string
|
||||
*/
|
||||
public function current_action() {
|
||||
if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $_REQUEST['action'] || 'delete' == $_REQUEST['action2'] ) )
|
||||
$action = wp_validate_action();
|
||||
if ( $action && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $_REQUEST['action2'] ) )
|
||||
return 'bulk-delete';
|
||||
|
||||
return parent::current_action();
|
||||
|
||||
@@ -53,7 +53,7 @@ if ( ! can_edit_network( $details->site_id ) ) {
|
||||
$parsed_scheme = parse_url( $details->siteurl, PHP_URL_SCHEME );
|
||||
$is_main_site = is_main_site( $id );
|
||||
|
||||
if ( isset( $_REQUEST['action'] ) && 'update-site' == $_REQUEST['action'] ) {
|
||||
if ( wp_validate_action( 'update-site' ) ) {
|
||||
check_admin_referer( 'edit-site' );
|
||||
|
||||
switch_to_blog( $id );
|
||||
|
||||
@@ -33,7 +33,7 @@ get_current_screen()->set_help_sidebar(
|
||||
'<p>' . __('<a href="https://wordpress.org/support/forum/multisite/" target="_blank">Support Forums</a>') . '</p>'
|
||||
);
|
||||
|
||||
if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) {
|
||||
if ( wp_validate_action( 'add-site' ) ) {
|
||||
check_admin_referer( 'add-blog', '_wpnonce_add-blog' );
|
||||
|
||||
if ( ! is_array( $_POST['blog'] ) )
|
||||
|
||||
@@ -48,7 +48,7 @@ if ( !can_edit_network( $details->site_id ) )
|
||||
|
||||
$is_main_site = is_main_site( $id );
|
||||
|
||||
if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] && is_array( $_POST['option'] ) ) {
|
||||
if ( wp_validate_action( 'update-site' ) && is_array( $_POST['option'] ) ) {
|
||||
check_admin_referer( 'edit-site' );
|
||||
|
||||
switch_to_blog( $id );
|
||||
|
||||
@@ -30,7 +30,7 @@ get_current_screen()->set_help_sidebar(
|
||||
'<p>' . __('<a href="https://wordpress.org/support/forum/multisite/" target="_blank">Support Forums</a>') . '</p>'
|
||||
);
|
||||
|
||||
if ( isset($_REQUEST['action']) && 'add-user' == $_REQUEST['action'] ) {
|
||||
if ( wp_validate_action( 'add-user' ) ) {
|
||||
check_admin_referer( 'add-user', '_wpnonce_add-user' );
|
||||
|
||||
if ( ! current_user_can( 'manage_network_users' ) )
|
||||
|
||||
@@ -174,11 +174,12 @@ get_current_screen()->set_help_sidebar(
|
||||
|
||||
require_once( ABSPATH . 'wp-admin/admin-header.php' );
|
||||
|
||||
if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $_REQUEST['action'] ) ) {
|
||||
$action = wp_validate_action();
|
||||
if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $action ) ) {
|
||||
?>
|
||||
<div id="message" class="updated notice is-dismissible"><p>
|
||||
<?php
|
||||
switch ( $_REQUEST['action'] ) {
|
||||
switch ( $action ) {
|
||||
case 'delete':
|
||||
_e( 'User deleted.' );
|
||||
break;
|
||||
|
||||
@@ -17,7 +17,7 @@ include_once( ABSPATH . 'wp-admin/includes/class-wp-upgrader.php' );
|
||||
if ( isset($_GET['action']) ) {
|
||||
$plugin = isset($_REQUEST['plugin']) ? trim($_REQUEST['plugin']) : '';
|
||||
$theme = isset($_REQUEST['theme']) ? urldecode($_REQUEST['theme']) : '';
|
||||
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
|
||||
$action = wp_validate_action();
|
||||
|
||||
if ( 'update-selected' == $action ) {
|
||||
if ( ! current_user_can( 'update_plugins' ) )
|
||||
|
||||
@@ -29,7 +29,7 @@ if ( is_multisite() ) {
|
||||
add_filter( 'wpmu_signup_user_notification_email', 'admin_created_user_email' );
|
||||
}
|
||||
|
||||
if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action'] ) {
|
||||
if ( wp_validate_action( 'adduser' ) ) {
|
||||
check_admin_referer( 'add-user', '_wpnonce_add-user' );
|
||||
|
||||
$user_details = null;
|
||||
@@ -101,7 +101,7 @@ Please click the following link to confirm the invite:
|
||||
}
|
||||
wp_redirect( $redirect );
|
||||
die();
|
||||
} elseif ( isset($_REQUEST['action']) && 'createuser' == $_REQUEST['action'] ) {
|
||||
} elseif ( wp_validate_action( 'createuser' ) ) {
|
||||
check_admin_referer( 'create-user', '_wpnonce_create-user' );
|
||||
|
||||
if ( ! current_user_can( 'create_users' ) ) {
|
||||
|
||||
@@ -4980,3 +4980,26 @@ function wp_post_preview_js() {
|
||||
</script>
|
||||
<?php
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieve and, optionally, validate, an `action` query var
|
||||
*
|
||||
* @since 4.4.0
|
||||
*
|
||||
* @param string $action Optional. Action to validate.
|
||||
* @return string Empty string if there is no action in the request or it doesn't
|
||||
* match the passed `$action`. Returns the [passed `$action` or
|
||||
* request action on succcess.
|
||||
*/
|
||||
function wp_validate_action( $action = '' ) {
|
||||
$r = $_REQUEST;
|
||||
if ( ! isset( $r['action'] ) ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
if ( ! empty( $action ) ) {
|
||||
return $action === $r['action'] ? $action : '';
|
||||
}
|
||||
|
||||
return $r['action'];
|
||||
}
|
||||
Reference in New Issue
Block a user