General: Remove any usage of wp_reset_vars().

The way `wp_reset_vars()` sets global variables based on `$_POST` and `$_GET` values makes code hard to understand and maintain. It also makes it easy to forget to sanitize input. This change removes the few places where `wp_reset_vars()` is used in the admin to explicitly use `$_REQUEST` and sanitize any input. Props swissspidy, audrasjb, davideferre, killua99, weijland, voldemortensen. Fixes #38073. git-svn-id: https://develop.svn.wordpress.org/trunk@58069 602fd350-edb4-49c9-b593-d223f7449a82
ramonjd · May 1, 2024 · 2f2dbbf · 2f2dbbf
1 parent 816ff68
commit 2f2dbbf
Show file tree

Hide file tree

Showing 22 changed files with 48 additions and 30 deletions.
diff --git a/src/wp-admin/admin-post.php b/src/wp-admin/admin-post.php
@@ -29,7 +29,7 @@
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
 
-$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 // Reject invalid parameters.
 if ( ! is_scalar( $action ) ) {

diff --git a/src/wp-admin/comment.php b/src/wp-admin/comment.php
@@ -16,7 +16,8 @@
  * @global string $action
  */
 global $action;
-wp_reset_vars( array( 'action' ) );
+
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 if ( isset( $_POST['deletecomment'] ) ) {
 	$action = 'deletecomment';

diff --git a/src/wp-admin/customize.php b/src/wp-admin/customize.php
@@ -84,8 +84,10 @@
 	}
 }
 
+$url       = ! empty( $_REQUEST['url'] ) ? sanitize_text_field( $_REQUEST['url'] ) : '';
+$return    = ! empty( $_REQUEST['return'] ) ? sanitize_text_field( $_REQUEST['return'] ) : '';
+$autofocus = ! empty( $_REQUEST['autofocus'] ) ? sanitize_text_field( $_REQUEST['autofocus'] ) : '';
 
-wp_reset_vars( array( 'url', 'return', 'autofocus' ) );
 if ( ! empty( $url ) ) {
 	$wp_customize->set_preview_url( wp_unslash( $url ) );
 }

diff --git a/src/wp-admin/edit-tag-form.php b/src/wp-admin/edit-tag-form.php
@@ -44,11 +44,7 @@
 	do_action_deprecated( 'edit_tag_form_pre', array( $tag ), '3.0.0', '{$taxonomy}_pre_edit_form' );
 }
 
-/**
- * Use with caution, see https://developer.wordpress.org/reference/functions/wp_reset_vars/
- */
-wp_reset_vars( array( 'wp_http_referer' ) );
-
+$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_text_field( $_REQUEST['wp_http_referer'] ) : '';
 $wp_http_referer = remove_query_arg( array( 'action', 'message', 'tag_ID' ), $wp_http_referer );
 
 // Also used by Edit Tags.

diff --git a/src/wp-admin/includes/class-wp-links-list-table.php b/src/wp-admin/includes/class-wp-links-list-table.php
@@ -50,7 +50,10 @@ public function ajax_user_can() {
 	public function prepare_items() {
 		global $cat_id, $s, $orderby, $order;
 
-		wp_reset_vars( array( 'action', 'cat_id', 'link_id', 'orderby', 'order', 's' ) );
+		$cat_id  = ! empty( $_REQUEST['cat_id'] ) ? absint( $_REQUEST['cat_id'] ) : 0;
+		$orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : '';
+		$order   = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : '';
+		$s       = ! empty( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : '';
 
 		$args = array(
 			'hide_invisible' => 0,

diff --git a/src/wp-admin/includes/class-wp-ms-themes-list-table.php b/src/wp-admin/includes/class-wp-ms-themes-list-table.php
@@ -99,7 +99,9 @@ public function ajax_user_can() {
 	public function prepare_items() {
 		global $status, $totals, $page, $orderby, $order, $s;
 
-		wp_reset_vars( array( 'orderby', 'order', 's' ) );
+		$orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : '';
+		$order   = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : '';
+		$s       = ! empty( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : '';
 
 		$themes = array(
 			/**

diff --git a/src/wp-admin/includes/class-wp-plugin-install-list-table.php b/src/wp-admin/includes/class-wp-plugin-install-list-table.php
@@ -92,7 +92,7 @@ public function prepare_items() {
 
 		global $tabs, $tab, $paged, $type, $term;
 
-		wp_reset_vars( array( 'tab' ) );
+		$tab = ! empty( $_REQUEST['tab'] ) ? sanitize_text_field( $_REQUEST['tab'] ) : '';
 
 		$paged = $this->get_pagenum();
 

diff --git a/src/wp-admin/includes/class-wp-plugins-list-table.php b/src/wp-admin/includes/class-wp-plugins-list-table.php
@@ -90,7 +90,8 @@ public function ajax_user_can() {
 	public function prepare_items() {
 		global $status, $plugins, $totals, $page, $orderby, $order, $s;
 
-		wp_reset_vars( array( 'orderby', 'order' ) );
+		$orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : '';
+		$order   = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : '';
 
 		/**
 		 * Filters the full array of plugins to list in the Plugins list table.

diff --git a/src/wp-admin/includes/class-wp-theme-install-list-table.php b/src/wp-admin/includes/class-wp-theme-install-list-table.php
@@ -36,7 +36,8 @@ public function prepare_items() {
 		require ABSPATH . 'wp-admin/includes/theme-install.php';
 
 		global $tabs, $tab, $paged, $type, $theme_field_defaults;
-		wp_reset_vars( array( 'tab' ) );
+
+		$tab = ! empty( $_REQUEST['tab'] ) ? sanitize_text_field( $_REQUEST['tab'] ) : '';
 
 		$search_terms  = array();
 		$search_string = '';

diff --git a/src/wp-admin/includes/misc.php b/src/wp-admin/includes/misc.php
@@ -575,7 +575,6 @@ function update_home_siteurl( $old_value, $value ) {
 	}
 }
 
-
 /**
  * Resets global variables based on $_GET and $_POST.
  *

diff --git a/src/wp-admin/link-add.php b/src/wp-admin/link-add.php
@@ -17,7 +17,9 @@
 $title       = __( 'Add New Link' );
 $parent_file = 'link-manager.php';
 
-wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
+$action  = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$cat_id  = ! empty( $_REQUEST['cat_id'] ) ? absint( $_REQUEST['cat_id'] ) : 0;
+$link_id = ! empty( $_REQUEST['link_id'] ) ? absint( $_REQUEST['link_id'] ) : 0;
 
 wp_enqueue_script( 'link' );
 wp_enqueue_script( 'xfn' );

diff --git a/src/wp-admin/link.php b/src/wp-admin/link.php
@@ -12,7 +12,9 @@
 /** Load WordPress Administration Bootstrap */
 require_once __DIR__ . '/admin.php';
 
-wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
+$action  = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$cat_id  = ! empty( $_REQUEST['cat_id'] ) ? absint( $_REQUEST['cat_id'] ) : 0;
+$link_id = ! empty( $_REQUEST['link_id'] ) ? absint( $_REQUEST['link_id'] ) : 0;
 
 if ( ! current_user_can( 'manage_links' ) ) {
 	wp_link_manager_disabled_message();

diff --git a/src/wp-admin/media.php b/src/wp-admin/media.php
@@ -15,7 +15,7 @@
 $parent_file  = 'upload.php';
 $submenu_file = 'upload.php';
 
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 switch ( $action ) {
 	case 'editattachment':

diff --git a/src/wp-admin/options-head.php b/src/wp-admin/options-head.php
@@ -8,7 +8,7 @@
  * @subpackage Administration
  */
 
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 if ( isset( $_GET['updated'] ) && isset( $_GET['page'] ) ) {
 	// For back-compat with plugins that don't use the Settings API and just set updated=1 in the redirect.

diff --git a/src/wp-admin/options.php b/src/wp-admin/options.php
@@ -23,7 +23,8 @@
 $this_file   = 'options.php';
 $parent_file = 'options-general.php';
 
-wp_reset_vars( array( 'action', 'option_page' ) );
+$action      = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$option_page = ! empty( $_REQUEST['option_page'] ) ? sanitize_text_field( $_REQUEST['option_page'] ) : '';
 
 $capability = 'manage_options';
 

diff --git a/src/wp-admin/post.php b/src/wp-admin/post.php
@@ -14,7 +14,7 @@
 $parent_file  = 'edit.php';
 $submenu_file = 'edit.php';
 
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {
 	wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );

diff --git a/src/wp-admin/revision.php b/src/wp-admin/revision.php
@@ -21,14 +21,16 @@
  * @global int    $from     The revision to compare from.
  * @global int    $to       Optional, required if revision missing. The revision to compare to.
  */
-wp_reset_vars( array( 'revision', 'action', 'from', 'to' ) );
 
-$revision_id = absint( $revision );
+$revision_id = ! empty( $_REQUEST['revision'] ) ? absint( $_REQUEST['revision'] ) : 0;
+$action      = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$from        = ! empty( $_REQUEST['from'] ) && is_numeric( $_REQUEST['from'] ) ? absint( $_REQUEST['from'] ) : null;
+$to          = ! empty( $_REQUEST['to'] ) && is_numeric( $_REQUEST['to'] ) ? absint( $_REQUEST['to'] ) : null;
 
-$from = is_numeric( $from ) ? absint( $from ) : null;
 if ( ! $revision_id ) {
-	$revision_id = absint( $to );
+	$revision_id = $to;
 }
+
 $redirect = 'edit.php';
 
 switch ( $action ) {

diff --git a/src/wp-admin/site-health.php b/src/wp-admin/site-health.php
@@ -9,7 +9,7 @@
 /** WordPress Administration Bootstrap */
 require_once __DIR__ . '/admin.php';
 
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 $tabs = array(
 	/* translators: Tab heading for Site Health Status page. */

diff --git a/src/wp-admin/theme-editor.php b/src/wp-admin/theme-editor.php
@@ -56,7 +56,10 @@
 	'<p>' . __( '<a href="https://wordpress.org/support/forums/">Support forums</a>' ) . '</p>'
 );
 
-wp_reset_vars( array( 'action', 'error', 'file', 'theme' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$theme  = ! empty( $_REQUEST['theme'] ) ? sanitize_text_field( $_REQUEST['theme'] ) : '';
+$file   = ! empty( $_REQUEST['file'] ) ? sanitize_text_field( $_REQUEST['file'] ) : '';
+$error  = ! empty( $_REQUEST['error'] );
 
 if ( $theme ) {
 	$stylesheet = $theme;

diff --git a/src/wp-admin/theme-install.php b/src/wp-admin/theme-install.php
@@ -10,7 +10,7 @@
 require_once __DIR__ . '/admin.php';
 require ABSPATH . 'wp-admin/includes/theme-install.php';
 
-wp_reset_vars( array( 'tab' ) );
+$tab = ! empty( $_REQUEST['tab'] ) ? sanitize_text_field( $_REQUEST['tab'] ) : '';
 
 if ( ! current_user_can( 'install_themes' ) ) {
 	wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) );

diff --git a/src/wp-admin/themes.php b/src/wp-admin/themes.php
@@ -215,7 +215,9 @@
 } else {
 	$themes = wp_prepare_themes_for_js( array( wp_get_theme() ) );
 }
-wp_reset_vars( array( 'theme', 'search' ) );
+
+$theme  = ! empty( $_REQUEST['theme'] ) ? sanitize_text_field( $_REQUEST['theme'] ) : '';
+$search = ! empty( $_REQUEST['search'] ) ? sanitize_text_field( $_REQUEST['search'] ) : '';
 
 wp_localize_script(
 	'theme',

diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php
@@ -12,9 +12,10 @@
 /** WordPress Translation Installation API */
 require_once ABSPATH . 'wp-admin/includes/translation-install.php';
 
-wp_reset_vars( array( 'action', 'user_id', 'wp_http_referer' ) );
+$action          = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$user_id         = ! empty( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
+$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_text_field( $_REQUEST['wp_http_referer'] ) : '';
 
-$user_id      = (int) $user_id;
 $current_user = wp_get_current_user();
 
 if ( ! defined( 'IS_PROFILE_PAGE' ) ) {
-Original file line number
+Diff line change
@@ Expand Up / @@ -575,7 +575,6 @@ function update_home_siteurl( $old_value, $value ) { @@
     	}
     }
     /**
      * Resets global variables based on $_GET and $_POST.
      *
@@ Expand Down @@