Fix some undefined index notices related to Comment unit tests:

* There are several places where a `$_POST` index was unchecked before setting a variable * In `wp_notify_postauthor()`, `$comment` was being returned null, but its properties were being accessed. * In `check_ajax_referer()`, 3 different values can be checked for nonce on `$_REQUEST`, but only 1 had an `isset()` See #25282. Built from https://develop.svn.wordpress.org/trunk@25433 git-svn-id: http://core.svn.wordpress.org/trunk@25355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-09-24 21:32:51 +02:00 · 2013-09-13 22:18:08 +00:00 · 2013-09-13 22:18:08 +00:00 · 5df8338e0a
commit 5df8338e0a
parent e8c656a045
3 changed files with 45 additions and 26 deletions
--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@ -547,7 +547,7 @@ function wp_ajax_dim_comment() {
 		wp_die( -1 );

 	$current = wp_get_comment_status( $comment->comment_ID );
-	if ( $_POST['new'] == $current )
+	if ( isset( $_POST['new'] ) && $_POST['new'] == $current )
 		wp_die( time() );

 	check_ajax_referer( "approve-comment_$id" );
@ -751,6 +751,9 @@ function wp_ajax_replyto_comment( $action ) {
 		$comment_author_url   = wp_slash( $user->user_url );
 		$comment_content      = trim($_POST['content']);
 		if ( current_user_can( 'unfiltered_html' ) ) {
+			if ( ! isset( $_POST['_wp_unfiltered_html_comment'] ) )
+				$_POST['_wp_unfiltered_html_comment'] = '';
+
 			if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
 				kses_remove_filters(); // start with a clean slate
 				kses_init_filters(); // set up the filters
@ -763,7 +766,9 @@ function wp_ajax_replyto_comment( $action ) {
 	if ( '' == $comment_content )
 		wp_die( __( 'ERROR: please type a comment.' ) );

-	$comment_parent = absint($_POST['comment_ID']);
+	$comment_parent = 0;
+	if ( isset( $_POST['comment_ID'] ) )
+		$comment_parent = absint( $_POST['comment_ID'] );
 	$comment_auto_approved = false;
 	$commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID');

@ -784,19 +789,18 @@ function wp_ajax_replyto_comment( $action ) {
 	$position = ( isset($_POST['position']) && (int) $_POST['position'] ) ? (int) $_POST['position'] : '-1';

 	ob_start();
-		if ( 'dashboard' == $_REQUEST['mode'] ) {
+	if ( isset( $_REQUEST['mode'] ) && 'dashboard' == $_REQUEST['mode'] ) {
 		require_once( ABSPATH . 'wp-admin/includes/dashboard.php' );
 		_wp_dashboard_recent_comments_row( $comment );
 	} else {
-			if ( 'single' == $_REQUEST['mode'] ) {
+		if ( isset( $_REQUEST['mode'] ) && 'single' == $_REQUEST['mode'] ) {
 			$wp_list_table = _get_list_table('WP_Post_Comments_List_Table', array( 'screen' => 'edit-comments' ) );
 		} else {
 			$wp_list_table = _get_list_table('WP_Comments_List_Table', array( 'screen' => 'edit-comments' ) );
 		}
 		$wp_list_table->single_row( $comment );
 	}
-		$comment_list_item = ob_get_contents();
-	ob_end_clean();
+	$comment_list_item = ob_get_clean();

 	$response =  array(
 		'what' => 'comment',
@ -825,6 +829,7 @@ function wp_ajax_edit_comment() {
 	if ( '' == $_POST['content'] )
 		wp_die( __( 'ERROR: please type a comment.' ) );

+	if ( isset( $_POST['status'] ) )
 		$_POST['comment_status'] = $_POST['status'];
 	edit_comment();

@ -838,8 +843,7 @@ function wp_ajax_edit_comment() {

 	ob_start();
 	$wp_list_table->single_row( $comment );
-		$comment_list_item = ob_get_contents();
-	ob_end_clean();
+	$comment_list_item = ob_get_clean();

 	$x = new WP_Ajax_Response();

--- a/wp-admin/includes/comment.php
+++ b/wp-admin/includes/comment.php
@ -36,11 +36,17 @@ function edit_comment() {
 	if ( ! current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) )
 		wp_die ( __( 'You are not allowed to edit comments on this post.' ) );

+	if ( isset( $_POST['newcomment_author'] ) )
 		$_POST['comment_author'] = $_POST['newcomment_author'];
+	if ( isset( $_POST['newcomment_author_email'] ) )
 		$_POST['comment_author_email'] = $_POST['newcomment_author_email'];
+	if ( isset( $_POST['newcomment_author_url'] ) )
 		$_POST['comment_author_url'] = $_POST['newcomment_author_url'];
+	if ( isset( $_POST['comment_status'] ) )
 		$_POST['comment_approved'] = $_POST['comment_status'];
+	if ( isset( $_POST['content'] ) )
 		$_POST['comment_content'] = $_POST['content'];
+	if ( isset( $_POST['comment_ID'] ) )
 		$_POST['comment_ID'] = (int) $_POST['comment_ID'];

 	foreach ( array ('aa', 'mm', 'jj', 'hh', 'mn') as $timeunit ) {
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@ -830,10 +830,16 @@ if ( !function_exists('check_ajax_referer') ) :
 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
 */
 function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
-	if ( $query_arg )
+	$nonce = '';
+
+	if ( $query_arg && isset( $_REQUEST[$query_arg] ) )
 		$nonce = $_REQUEST[$query_arg];
-	else
-		$nonce = isset($_REQUEST['_ajax_nonce']) ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
+
+	if ( isset( $_REQUEST['_ajax_nonce'] ) )
+		$nonce = $_REQUEST['_ajax_nonce'];
+
+	if ( isset( $_REQUEST['_wpnonce'] ) )
+		$nonce = $_REQUEST['_wpnonce'];

 	$result = wp_verify_nonce( $nonce, $action );

@ -1009,6 +1015,9 @@ if ( ! function_exists('wp_notify_postauthor') ) :
 */
 function wp_notify_postauthor( $comment_id, $comment_type = '' ) {
 	$comment = get_comment( $comment_id );
+	if ( empty( $comment ) )
+		return false;
+
 	$post    = get_post( $comment->comment_post_ID );
 	$author  = get_userdata( $post->post_author );