[wp-trac] [WordPress Trac] #44901: Remove unneeded WP_Error in confirmaction

WordPress Trac noreply at wordpress.org
Mon Mar 4 09:25:13 UTC 2019 

#44901: Remove unneeded WP_Error in confirmaction
-----------------------------+------------------------------
 Reporter:  garrett-eclipse  |       Owner:  garrett-eclipse
     Type:  enhancement      |      Status:  accepted
 Priority:  normal           |   Milestone:  5.2
Component:  Privacy          |     Version:  4.9.6
 Severity:  normal           |  Resolution:
 Keywords:  has-patch        |     Focuses:
-----------------------------+------------------------------
Changes (by birgire):

 * keywords:  has-patch needs-testing => has-patch


Comment:

 I tested this successfully. Here's how I tested it:

 - Create an export request.
 - Remove the confirm_key in
   https://example.com/wp-
 login.php?action=confirmaction&request_id=123&confirm_key=...
   and open it in the browser.

 Before:
 - https://example.com/wp-login.php?action=confirmaction&request_id=123
   displays the "Invalid key" wp_die message.
 - https://example.com/wp-
 login.php?action=confirmaction&request_id=123&confirm_key=INVALID
   displays the "Invalid key" wp_die message.

 After:
  - https://example.com/wp-login.php?action=confirmaction&request_id=123
   displayes the "Missing confirm key." wp_die message.
  - https://example.com/wp-
 login.php?action=confirmaction&request_id=123&confirm_key=INVALID
   displays the "Invalid key" wp_die message.
  - Applying a valid confirm key also works successfully after the change.

 The patch changes the existing "Invalid key" to "Missing confirm key."
 when {{{$_GET['confirm_key']}}} is not set.


 PS:

 If the {{{request_id}}} is missing then we get "Invalid key" too. I wonder
 if that should also be "Missing request ID." when
 {{{$_GET['request_id']}}} is not set.?

 The "Invalid key" string is also used seven times in
 {{{check_password_reset_key( $key )}}} to check the dynamic {{{$key}}}
 input. I noticed it's missing the ending period, like in "Invalid key.".
 I guess the reason to use this string in the privacy implementation, was
 to reuse an existing string.

 There's also a missing end period for "Invalid key" and "Invalid action"
 in {{{wp_validate_user_request_key()}}}, but in there we have "Invalid
 request." with the ending period.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44901#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list