From 85e65181899263fcc52e9f012a2b4ec9fd3a854e Mon Sep 17 00:00:00 2001
From: Pascal Birchler <swissspidy@git.wordpress.org>
Date: Fri, 23 Jun 2023 16:01:08 +0000
Subject: [PATCH] I18N: Ensure `determine_locale()` does not potentially return
 an empty string.

Call `get_locale()` as a last resort in case the sanitized locale is an empty string.

Also swaps conditionals to cater for more typical use case and adds tests.

Follow-up to [55862]

Props Cybr, swissspidy.
Fixes #58317.

git-svn-id: https://develop.svn.wordpress.org/trunk@56003 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/l10n.php                     | 10 ++++++----
 tests/phpunit/tests/l10n/determineLocale.php | 16 ++++++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/src/wp-includes/l10n.php b/src/wp-includes/l10n.php
index 8444bf2c82..951c1c316b 100644
--- a/src/wp-includes/l10n.php
+++ b/src/wp-includes/l10n.php
@@ -145,12 +145,14 @@ function determine_locale() {
 		} else {
 			$determined_locale = sanitize_locale_name( $_COOKIE['wp_lang'] );
 		}
-	} else if (
-		( isset( $_GET['_locale'] ) && 'user' === $_GET['_locale'] && wp_is_json_request() ) ||
-		is_admin()
+	} elseif (
+		is_admin() ||
+		( isset( $_GET['_locale'] ) && 'user' === $_GET['_locale'] && wp_is_json_request() )
 	) {
 		$determined_locale = get_user_locale();
-	} else {
+	}
+
+	if ( ! $determined_locale ) {
 		$determined_locale = get_locale();
 	}
 
diff --git a/tests/phpunit/tests/l10n/determineLocale.php b/tests/phpunit/tests/l10n/determineLocale.php
index 702690e6c1..a2c3febd4a 100644
--- a/tests/phpunit/tests/l10n/determineLocale.php
+++ b/tests/phpunit/tests/l10n/determineLocale.php
@@ -211,6 +211,22 @@ class Tests_L10n_DetermineLocale extends WP_UnitTestCase {
 		$this->assertSame( 'siteLocale', determine_locale() );
 	}
 
+	public function test_wp_login_get_param_on_login_page_incorrect_string() {
+		add_filter(
+			'locale',
+			static function() {
+				return 'siteLocale';
+			}
+		);
+
+		wp_set_current_user( self::$user_id );
+
+		$GLOBALS['pagenow'] = 'wp-login.php';
+		$_GET['wp_lang']    = '###'; // Something sanitize_locale_name() strips away.
+
+		$this->assertSame( 'siteLocale', determine_locale() );
+	}
+
 	public function test_wp_login_cookie_not_on_login_page() {
 		add_filter(
 			'locale',