From 33953cb3928b24282814b6733acbacf01bd746ed Mon Sep 17 00:00:00 2001
From: Scott Taylor
Date: Fri, 11 Sep 2015 21:07:45 +0000
Subject: [PATCH] Introduce `wp_validate_action( $action = '' )`, a helper function that checks `$_REQUEST` for `action` and returns it, or empty string if not present. If `$action` is passed, it checks to make sure they match before returning it, or an empty string. Strings are always returned to avoid returning multiple types. Implementing this removes 27 uses of direct superglobal access in the admin. For more reading: https://codeclimate.com/github/WordPress/WordPress/wp-admin/edit-comments.php See #33837. git-svn-id: https://develop.svn.wordpress.org/trunk@34059 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/admin-post.php | 2 +-
 src/wp-admin/admin.php | 8 ++++---
 src/wp-admin/async-upload.php | 5 ++--
 .../includes/class-wp-terms-list-table.php | 3 ++-
 src/wp-admin/network/site-info.php | 2 +-
 src/wp-admin/network/site-new.php | 2 +-
 src/wp-admin/network/site-settings.php | 2 +-
 src/wp-admin/network/user-new.php | 2 +-
 src/wp-admin/network/users.php | 5 ++--
 src/wp-admin/update.php | 2 +-
 src/wp-admin/user-new.php | 4 ++--
 src/wp-includes/functions.php | 23 +++++++++++++++++++
 12 files changed, 44 insertions(+), 16 deletions(-)
diff --git a/src/wp-admin/admin-post.php b/src/wp-admin/admin-post.php
index cb92699efd..8202f7ee98 100644
--- a/src/wp-admin/admin-post.php
+++ b/src/wp-admin/admin-post.php
@@ -28,7 +28,7 @@ nocache_headers();
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
-$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
+$action = wp_validate_action();
 if ( ! wp_validate_auth_cookie() ) {
 if ( empty( $action ) ) {
diff --git a/src/wp-admin/admin.php b/src/wp-admin/admin.php
index d3e58d2549..1729232e10 100644
--- a/src/wp-admin/admin.php
+++ b/src/wp-admin/admin.php
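Review bot: `$action = wp_validate_action();` reads as though the value has been validated, but per the commit description the helper only checks presence (or equality with a passed name), so `$action` is still raw request input that drives the `empty( $action )` branch here and, in the admin.php hunk, the dynamic hook name `'admin_action_' . $_action`. The description says strings are always returned; that only holds if the helper also rejects non-string values such as an `action[]=` array, and its definition in wp-includes/functions.php is outside this chunk, so I can't confirm it. Suggest a comment above this line, `// Presence/equality check only: $action is still untrusted request input.`, and an `is_string()` guard in the helper that returns `''` otherwise.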
@@ -358,14 +358,16 @@ if ( isset($plugin_page) ) {
 }
 }
-if ( ! empty( $_REQUEST['action'] ) ) {
+$_action = wp_validate_action();
+if ( ! empty( $_action ) ) {
 /**
 * Fires when an 'action' request variable is sent.
 *
- * The dynamic portion of the hook name, `$_REQUEST['action']`,
+ * The dynamic portion of the hook name, `$_action`,
 * refers to the action derived from the `GET` or `POST` request.
 *
 * @since 2.6.0
 */
- do_action( 'admin_action_' . $_REQUEST['action'] );
+ do_action( 'admin_action_' . $_action );
 }
+unset( $_action );
diff --git a/src/wp-admin/async-upload.php b/src/wp-admin/async-upload.php
index 9b668238f5..9dda8ae190 100644
--- a/src/wp-admin/async-upload.php
+++ b/src/wp-admin/async-upload.php
@@ -6,6 +6,7 @@
 * @subpackage Administration
 */
+// `wp_validate_action()` isn't loaded yet
 if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
 define( 'DOING_AJAX', true );
 }
@@ -19,7 +20,7 @@ if ( defined('ABSPATH') )
 else
 require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );
-if ( ! ( isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['action'] ) ) {
+if ( ! wp_validate_action( 'upload-attachment' ) ) {
 // Flash often fails to send cookies with the POST or upload, so we need to pass it in GET or POST instead
 if ( is_ssl() && empty($_COOKIE[SECURE_AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) )
 $_COOKIE[SECURE_AUTH_COOKIE] = $_REQUEST['auth_cookie'];
@@ -34,7 +35,7 @@ require_once( ABSPATH . 'wp-admin/admin.php' );
 header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
-if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
+if ( wp_validate_action( 'upload-attachment' ) ) {
 include( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
 send_nosniff_header();
diff --git a/src/wp-admin/includes/class-wp-terms-list-table.php b/src/wp-admin/includes/class-wp-terms-list-table.php
index a4c81afbe7..c83f8d4eeb 100644
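Review bot: `if ( ! wp_validate_action( 'upload-attachment' ) )` in the @@ -19 hunk uses the helper's string return as a boolean, so the check now silently depends on the helper's comparison strictness, which this file previously spelled out (`==` on the removed line, `===` on the line kept in the @@ -6 hunk) and which is not visible in this chunk. The same pattern appears in the @@ -34 hunk and in the site-info.php, site-new.php, site-settings.php and user-new.php hunks, and it would break for any action name that is falsy as a string such as `'0'`. Comparing the result explicitly, `if ( 'upload-attachment' !== wp_validate_action( 'upload-attachment' ) ) {`, keeps the strictness readable at the call site.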
--- a/src/wp-admin/includes/class-wp-terms-list-table.php
+++ b/src/wp-admin/includes/class-wp-terms-list-table.php
@@ -153,7 +153,8 @@ class WP_Terms_List_Table extends WP_List_Table {
 * @return string
 */
 public function current_action() {
- if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $_REQUEST['action'] || 'delete' == $_REQUEST['action2'] ) )
+ $action = wp_validate_action();
+ if ( $action && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $_REQUEST['action2'] ) )
 return 'bulk-delete';
 return parent::current_action();
diff --git a/src/wp-admin/network/site-info.php b/src/wp-admin/network/site-info.php
index a4ee7bb6b2..9048129370 100644
--- a/src/wp-admin/network/site-info.php
+++ b/src/wp-admin/network/site-info.php
@@ -53,7 +53,7 @@ if ( ! can_edit_network( $details->site_id ) ) {
 $parsed_scheme = parse_url( $details->siteurl, PHP_URL_SCHEME );
 $is_main_site = is_main_site( $id );
-if ( isset( $_REQUEST['action'] ) && 'update-site' == $_REQUEST['action'] ) {
+if ( wp_validate_action( 'update-site' ) ) {
 check_admin_referer( 'edit-site' );
 switch_to_blog( $id );
diff --git a/src/wp-admin/network/site-new.php b/src/wp-admin/network/site-new.php
index 5876037e89..c5fa157a98 100644
--- a/src/wp-admin/network/site-new.php
+++ b/src/wp-admin/network/site-new.php
@@ -33,7 +33,7 @@ get_current_screen()->set_help_sidebar( '
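Review bot: The rewritten condition in `current_action()` (class-wp-terms-list-table.php hunk) still indexes `$_REQUEST['action2']` with no `isset()` guard, so a request with `delete_tags` and `action` set but no `action2` raises an undefined-index notice on the new line; since the line is being rewritten anyway, guard it: `( 'delete' == $action || ( isset( $_REQUEST['action2'] ) && 'delete' == $_REQUEST['action2'] ) )`. Replacing `isset( $_REQUEST['action'] )` with a truthiness test on `$action` also means an `action` of `'0'` no longer falls through to the `action2` comparison, a small behavior change worth a comment if intended. The method's closing brace lies outside the hunk.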

' . __('Support Forums') . '

' );
-if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) {
+if ( wp_validate_action( 'add-site' ) ) {
 check_admin_referer( 'add-blog', '_wpnonce_add-blog' );
 if ( ! is_array( $_POST['blog'] ) )
diff --git a/src/wp-admin/network/site-settings.php b/src/wp-admin/network/site-settings.php
index d2699986b9..f32fc65816 100644
--- a/src/wp-admin/network/site-settings.php
+++ b/src/wp-admin/network/site-settings.php
@@ -48,7 +48,7 @@ if ( !can_edit_network( $details->site_id ) )
 $is_main_site = is_main_site( $id );
-if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] && is_array( $_POST['option'] ) ) {
+if ( wp_validate_action( 'update-site' ) && is_array( $_POST['option'] ) ) {
 check_admin_referer( 'edit-site' );
 switch_to_blog( $id );
diff --git a/src/wp-admin/network/user-new.php b/src/wp-admin/network/user-new.php
index 002e098dc1..f2ccbb8abe 100644
--- a/src/wp-admin/network/user-new.php
+++ b/src/wp-admin/network/user-new.php
@@ -30,7 +30,7 @@ get_current_screen()->set_help_sidebar( '
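Review bot: In the site-settings.php hunk the rewritten condition `wp_validate_action( 'update-site' ) && is_array( $_POST['option'] )` still indexes `$_POST['option']` without `isset()`, so a POST carrying `action=update-site` but no `option` field emits an undefined-index notice before `check_admin_referer( 'edit-site' )` runs; suggest `&& isset( $_POST['option'] ) && is_array( $_POST['option'] )`. The `is_array( $_POST['blog'] )` line in the site-new.php hunk has the same shape, but it is untouched context there.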

' . __('Support Forums') . '

' );
-if ( isset($_REQUEST['action']) && 'add-user' == $_REQUEST['action'] ) {
+if ( wp_validate_action( 'add-user' ) ) {
 check_admin_referer( 'add-user', '_wpnonce_add-user' );
 if ( ! current_user_can( 'manage_network_users' ) )
diff --git a/src/wp-admin/network/users.php b/src/wp-admin/network/users.php
index 767e03c55f..0c85aaaad9 100644
--- a/src/wp-admin/network/users.php
+++ b/src/wp-admin/network/users.php
@@ -174,11 +174,12 @@ get_current_screen()->set_help_sidebar(
 require_once( ABSPATH . 'wp-admin/admin-header.php' );
-if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $_REQUEST['action'] ) ) {
+$action = wp_validate_action();
+if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $action ) ) {
 ?>