diff --git a/.phpcs.ruleset.xml b/.phpcs.ruleset.xml
index 87a70d8..599af99 100644
--- a/.phpcs.ruleset.xml
+++ b/.phpcs.ruleset.xml
@@ -24,6 +24,12 @@
https://github.com/PHPCompatibility/PHPCompatibilityWP -->
+
+
+
+
+
+
diff --git a/composer.json b/composer.json
index cddfb26..cdaf16f 100644
--- a/composer.json
+++ b/composer.json
@@ -16,7 +16,8 @@
"php-coveralls/php-coveralls": "^2.1",
"slowprog/composer-copy-file": "0.2.1",
"wp-coding-standards/wpcs": "*",
- "xwp/wp-dev-lib": "^1.1.1"
+ "xwp/wp-dev-lib": "^1.1.1",
+ "automattic/vipwpcs": "^2.0"
},
"scripts": {
"phpcs": [
diff --git a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php
index df47258..6f55faa 100644
--- a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php
+++ b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php
@@ -356,11 +356,14 @@ public function authenticate( $user, WP_REST_Request $request ) {
$found = false;
$keypairs = $this->get_user_key_pairs( $get_user->ID );
+
+ // Update the "Last IP" which accessed the keypair. This may not work
+ // in some environments due to caching.
foreach ( $keypairs as $_key => $item ) {
if ( isset( $item['api_key'] ) && $item['api_key'] === $key ) {
$keypairs[ $_key ]['last_used'] = time();
- $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null;
+ $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
if ( $ip ) {
$keypairs[ $_key ]['last_ip'] = $ip;
}
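Review bot: The comment added at lines 35–36 names the wrong risk: the VIP sniff flags `$_SERVER['REMOTE_ADDR']` because on proxied or CDN-fronted hosting it holds the proxy's address rather than the client's, and the per-request update of `last_ip`/`last_used` (presumably persisted later, outside the hunk) is what interacts badly with caching. I would make that explicit so the stored value is never used for access decisions: `// Record the TCP peer that used this key pair. Behind a reverse proxy or CDN REMOTE_ADDR is the proxy's address, not the client's, and on cached hosts this write may not persist; treat last_ip as informational only.` Note also that `filter_var( …, FILTER_VALIDATE_IP )` returns false rather than null on an invalid value, so the `: null` branch and a failed validation are both handled only by the `if ( $ip )` guard on line 42, which is fine but worth a word in the comment. The enclosing `authenticate()` method starts and ends outside the hunk.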
@@ -705,6 +708,7 @@ public function template_new_key_pair() {
* @since 0.1
*/
public function template_new_token_key_pair() {
+ // phpcs:disable WordPressVIPMinimum.Security.Mustache.OutputNotation
?>
data->user->api_key ) {
$keypairs[ $_key ]['last_used'] = time();
- $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null;
+ $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
if ( $ip ) {
$keypairs[ $_key ]['last_ip'] = $ip;
}
@@ -380,8 +380,8 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) {
*/
public function require_token() {
$require_token = true;
- $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( $_SERVER['REQUEST_URI'] ) : false;
- $request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( $_SERVER['REQUEST_METHOD'] ) : false;
+ $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : false;
+ $request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) : false;
// User is already authenticated.
$user = wp_get_current_user();
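Review bot: `sanitize_text_field()` is the wrong filter for `$_SERVER['REQUEST_URI']` on line 64: besides stripping tags it removes every percent-encoded octet and collapses whitespace, so `$request_uri` can differ from the path WordPress actually routes, and any later comparison against routes that do or do not require a token (the rest of `require_token()` is outside the hunk, so this is inferred) would be made on a mangled value. Adding `wp_unslash()` is correct, but for a path comparison I would keep the encoding intact and take only the path component: `$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? wp_parse_url( wp_unslash( $_SERVER['REQUEST_URI'] ), PHP_URL_PATH ) : false;`. The same filter is applied to `REQUEST_METHOD` on line 65; a verb should fail closed rather than be rewritten, so `strtoupper()` followed by a strict `in_array( …, [ 'GET', 'POST', … ], true )` against the methods the function actually distinguishes is safer than stripping characters.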
@@ -775,11 +775,11 @@ public function validate_token() {
public function get_auth_header() {
// Get HTTP Authorization Header.
- $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? sanitize_text_field( $_SERVER['HTTP_AUTHORIZATION'] ) : false;
+ $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ) ) : false;
// Check for alternative header.
if ( ! $header && isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
- $header = sanitize_text_field( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
+ $header = sanitize_text_field( wp_unslash( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) );
}
// The HTTP Authorization Header is missing, return an error.
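Review bot: `sanitize_text_field()` on lines 72 and 76 transforms the credential instead of validating it: it strips percent-encoded octets, converts a lone `<`, and collapses whitespace, so a malformed `Authorization` value is silently rewritten before it is parsed rather than rejected. Because this header carries a secret that has to be compared byte-for-byte, I would keep the `wp_unslash()` but replace the sanitizer with a strict shape check matching whatever scheme the parser outside the hunk expects, e.g. for a Bearer token `preg_match( '/^Bearer\s+([A-Za-z0-9\-_.]+)$/', wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ), $m )` and treat anything else as a missing header. That fails closed and avoids carrying an altered value into later error messages or logs. The `REDIRECT_HTTP_AUTHORIZATION` fallback on lines 74–76 should get the same treatment, and `get_auth_header()` continues past the end of the hunk.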