[wp-trac] [WordPress Trac] #46536: wp_create_user_request should sanitize the action_name using _wp_privacy_action_request_types

WordPress Trac noreply at wordpress.org
Sat Mar 16 08:09:50 UTC 2019


#46536: wp_create_user_request should sanitize the action_name using
_wp_privacy_action_request_types
-------------------------------------------------+-------------------------
 Reporter:  garrett-eclipse                      |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  Privacy                              |     Version:  4.9.6
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests needs-      |     Focuses:
  testing                                        |
-------------------------------------------------+-------------------------
Changes (by garrett-eclipse):

 * keywords:   => has-patch has-unit-tests needs-testing


Comment:

 Attached
 [https://core.trac.wordpress.org/attachment/ticket/46536/46536.diff
 46536.diff] to move the check on `_wp_privacy_action_request_types` into
 `wp_create_user_request` to ensure more coverage of the check as it
 previously only covered `_wp_personal_data_handle_actions` and overlooked
 actions like `_wp_privacy_send_erasure_fulfillment_notification`.

 To reduce and still distinguish the `! $action_name` check, I updated it to
 a `missing_action` error and used its `invalid_action` for the new check on
 `_wp_privacy_action_request_types`.

 In order for the changes to pass existing unit tests I had to make the
 following adjustments:
 - Replaced the original `test_invalid_action` in `wpCreateUserRequest.php`
 with `test_missing_action` to confirm the change to the `! $action_name`
 error.
 - Updated the `test_invalid_action` to confirm action names that don't
 pass the `_wp_privacy_action_request_types` check are caught.
 - Updated `test_sanitized_action_name` to use an unsanitized version of
 `export_personal_data` which passes the `_wp_privacy_action_request_types`
 error check.
 - Updated `wpSetUpBeforeClass`
 in `wpPrivacySendErasureFulfillmentNotification.php` to use a valid action
 name `remove_personal_data`. NOTE: This test is also being addressed in
 #44721 so one or the other ticket will need a refresh once one is
 committed.
 - Updated two additional invalid action names found in
 `wpSendUserRequest.php`.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/46536#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
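The validation order the comment describes (sanitize the action name, then return `missing_action` for an empty name and `invalid_action` for a name outside `_wp_privacy_action_request_types()`), as an added stand-alone example that is not the ticket's patch or WordPress core code. `sanitize_key_standin`, `privacy_action_request_types_standin` and the error arrays are assumed stand-ins for `sanitize_key()`, `_wp_privacy_action_request_types()` and `WP_Error` so the script runs without WordPress.

```php
<?php
// Added example, not WordPress core or the 46536.diff patch. Minimal stand-ins
// replace WordPress internals so this runs as a plain PHP script.

// Stand-in for sanitize_key(): lowercase, keep only [a-z0-9_-].
function sanitize_key_standin($key) {
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
}

// Stand-in for _wp_privacy_action_request_types(): the two core request types.
function privacy_action_request_types_standin() {
    return array('export_personal_data', 'remove_personal_data');
}

// Returns the sanitized action name on success, or an array standing in for
// WP_Error. The two error codes are kept distinct, as the comment describes:
// 'missing_action' when nothing is left after sanitizing, 'invalid_action'
// when the name is not one of the known request types.
function validate_action_name($action_name) {
    $action_name = sanitize_key_standin($action_name);
    if (! $action_name) {
        return array('error' => 'missing_action', 'message' => 'Action name required.');
    }
    if (! in_array($action_name, privacy_action_request_types_standin(), true)) {
        return array('error' => 'invalid_action', 'message' => 'Invalid action name.');
    }
    return $action_name;
}

// Constructed inputs: an empty name, an unsanitized but valid name (as in
// test_sanitized_action_name), a valid name, and two names that must be rejected
// even though one of them contains a valid type as a prefix.
$samples = array(
    '',
    'Export_Personal_Data',
    'remove_personal_data',
    'delete_everything',
    'export_personal_data<script>',
);
foreach ($samples as $input) {
    $result = validate_action_name($input);
    printf("%-32s => %s\n", var_export($input, true),
        is_array($result) ? $result['error'] : $result);
}
```

Checking the allow-list after sanitization is what lets `Export_Personal_Data` pass while the tampered and unknown names are still rejected with `invalid_action` rather than silently accepted.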