Merge pull request #4 from alleyinteractive/update-for-phpcs
Update standards and address some VIP errors and warnings
jameswburke authored Apr 21, 2020
2 parents 75d38cc + b1ff22c commit 5ca835e
Showing 4 changed files with 19 additions and 7 deletions.
6 changes: 6 additions & 0 deletions .phpcs.ruleset.xml
@@ -24,6 +24,12 @@
https://github.com/PHPCompatibility/PHPCompatibilityWP -->
<rule ref="PHPCompatibilityWP"/>

<!-- Use the VIP Go ruleset. -->
<rule ref="WordPress-VIP-Go" />

<!-- Use the WordPress.com VIP ruleset. -->
<rule ref="WordPressVIPMinimum" />

<!-- For help in understanding this testVersion:
https://github.com/PHPCompatibility/PHPCompatibility#sniffing-your-code-for-compatibility-with-specific-php-versions -->
<config name="testVersion" value="5.3-"/>
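Review bot: The second added ref, `<rule ref="WordPressVIPMinimum" />`, looks redundant, because as far as I know the WordPress-VIP-Go standard already includes WordPressVIPMinimum as its base. Listing both makes it unclear which standard is authoritative for this project. If both are intended, the comment `<!-- Use the WordPress.com VIP ruleset. -->` should say why, for example `<!-- Base VIP ruleset; also pulled in by WordPress-VIP-Go, listed explicitly on purpose. -->`; otherwise keep only `<rule ref="WordPress-VIP-Go" />`.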
3 changes: 2 additions & 1 deletion composer.json
@@ -16,7 +16,8 @@
"php-coveralls/php-coveralls": "^2.1",
"slowprog/composer-copy-file": "0.2.1",
"wp-coding-standards/wpcs": "*",
"xwp/wp-dev-lib": "^1.1.1"
"xwp/wp-dev-lib": "^1.1.1",
"automattic/vipwpcs": "^2.0"
},
"scripts": {
"phpcs": [
7 changes: 6 additions & 1 deletion wp-includes/rest-api/auth/class-wp-rest-key-pair.php
@@ -356,11 +356,14 @@ public function authenticate( $user, WP_REST_Request $request ) {

$found = false;
$keypairs = $this->get_user_key_pairs( $get_user->ID );

// Update the "Last IP" which accessed the keypair. This may not work
// in some environments due to caching.
foreach ( $keypairs as $_key => $item ) {
if ( isset( $item['api_key'] ) && $item['api_key'] === $key ) {
$keypairs[ $_key ]['last_used'] = time();

$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null;
$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
if ( $ip ) {
$keypairs[ $_key ]['last_ip'] = $ip;
}
@@ -705,6 +708,7 @@ public function template_new_key_pair() {
* @since 0.1
*/
public function template_new_token_key_pair() {
// phpcs:disable WordPressVIPMinimum.Security.Mustache.OutputNotation
?>
<script type="text/html" id="tmpl-new-token-key-pair">
<div class="new-key-pair notification-dialog-wrap" data-api_key="{{ data.api_key }}" data-name="{{ data.name }}">
@@ -761,6 +765,7 @@ public function template_new_token_key_pair() {
</div>
</script>
<?php
// phpcs:enable WordPressVIPMinimum.Security.Mustache.OutputNotation
}

/**
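Review bot: The `// phpcs:disable WordPressVIPMinimum.Security.Mustache.OutputNotation` added at the top of template_new_token_key_pair() switches the output-notation check off for the whole template, which renders key-pair data into the page, and it gives no reason. The lines visible here use the escaped `{{ data.api_key }}` form and the middle of the template is outside the hunks, so it is not clear which line needed the exemption. I would move the disable/enable pair so it wraps only the line that trips the sniff and record the justification in the comment itself, `// phpcs:disable WordPressVIPMinimum.Security.Mustache.OutputNotation -- <reason this output is safe>`. With the blanket form, an unescaped notation added to this template later would pass the scan unnoticed.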
10 changes: 5 additions & 5 deletions wp-includes/rest-api/auth/class-wp-rest-token.php
@@ -344,7 +344,7 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) {
if ( isset( $item['api_key'] ) && $item['api_key'] === $token->data->user->api_key ) {
$keypairs[ $_key ]['last_used'] = time();

$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null;
$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
if ( $ip ) {
$keypairs[ $_key ]['last_ip'] = $ip;
}
@@ -380,8 +380,8 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) {
*/
public function require_token() {
$require_token = true;
$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( $_SERVER['REQUEST_URI'] ) : false;
$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( $_SERVER['REQUEST_METHOD'] ) : false;
$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : false;
$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) : false;

// User is already authenticated.
$user = wp_get_current_user();
@@ -775,11 +775,11 @@ public function validate_token() {
public function get_auth_header() {

// Get HTTP Authorization Header.
$header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? sanitize_text_field( $_SERVER['HTTP_AUTHORIZATION'] ) : false;
$header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ) ) : false;

// Check for alternative header.
if ( ! $header && isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
$header = sanitize_text_field( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
$header = sanitize_text_field( wp_unslash( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) );
}

// The HTTP Authorization Header is missing, return an error.
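Review bot: The `// phpcs:ignore` appended to the `$ip = ... $_SERVER['REMOTE_ADDR'] ...` line in authenticate_refresh_token() silences two VIP sniffs without stating why, and the same suppression is added in authenticate() in class-wp-rest-key-pair.php. Behind a reverse proxy or page cache REMOTE_ADDR may be the proxy's address rather than the client's, so `last_ip` is only dependable as informational data, and that assumption belongs next to the suppression. I would append a reason to both comments, `// phpcs:ignore <sniffs> -- last_ip is informational only and never used for access decisions.`, after confirming that nothing reads `last_ip` for authorization. The body of authenticate_refresh_token() continues outside this hunk.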
