From e363ca806f6fbfea5e7c322d19b2224771796436 Mon Sep 17 00:00:00 2001 From: James Burke Date: Mon, 20 Apr 2020 17:59:25 -0500 Subject: [PATCH 1/2] Update standards and address some VIP errors and warnings --- .phpcs.ruleset.xml | 6 ++++++ composer.json | 3 ++- wp-includes/rest-api/auth/class-wp-rest-key-pair.php | 7 ++++++- wp-includes/rest-api/auth/class-wp-rest-token.php | 2 +- 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/.phpcs.ruleset.xml b/.phpcs.ruleset.xml index 87a70d8..599af99 100644 --- a/.phpcs.ruleset.xml +++ b/.phpcs.ruleset.xml @@ -24,6 +24,12 @@ https://github.com/PHPCompatibility/PHPCompatibilityWP --> + + + + + + diff --git a/composer.json b/composer.json index cddfb26..cdaf16f 100644 --- a/composer.json +++ b/composer.json @@ -16,7 +16,8 @@ "php-coveralls/php-coveralls": "^2.1", "slowprog/composer-copy-file": "0.2.1", "wp-coding-standards/wpcs": "*", - "xwp/wp-dev-lib": "^1.1.1" + "xwp/wp-dev-lib": "^1.1.1", + "automattic/vipwpcs": "^2.0" }, "scripts": { "phpcs": [ diff --git a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php index df47258..6f55faa 100644 --- a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php +++ b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php 
@@ -356,11 +356,14 @@ public function authenticate( $user, WP_REST_Request $request ) { $found = false; $keypairs = $this->get_user_key_pairs( $get_user->ID ); + + // Update the "Last IP" which accessed the keypair. This may not work + // in some environments due to caching. foreach ( $keypairs as $_key => $item ) { if ( isset( $item['api_key'] ) && $item['api_key'] === $key ) { $keypairs[ $_key ]['last_used'] = time(); - $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; + $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__ if ( $ip ) { $keypairs[ $_key ]['last_ip'] = $ip; } @@ -705,6 +708,7 @@ public function template_new_key_pair() { * @since 0.1 */ public function template_new_token_key_pair() { + // phpcs:disable WordPressVIPMinimum.Security.Mustache.OutputNotation ?> data->user->api_key ) { $keypairs[ $_key ]['last_used'] = time(); - $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; + $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__ if ( $ip ) { $keypairs[ $_key ]['last_ip'] = $ip; } From b1ff22c04e593148aed307986d47d45c69339443 Mon Sep 17 00:00:00 2001 From: James Burke Date: Mon, 20 Apr 2020 18:02:19 -0500 Subject: [PATCH 2/2] Additional sanitization --- wp-includes/rest-api/auth/class-wp-rest-token.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
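Review bot: The `phpcs:ignore` appended to the `$ip` line in authenticate() silences the UserControlledHeaders and REMOTE_ADDR cache-constraint sniffs without recording why the read is acceptable, and the identical line is changed again in the class-wp-rest-token.php hunk later in this patch. Because the value is passed through `FILTER_VALIDATE_IP` and only a validated address is stored, say so in the ignore so the next reader does not have to re-derive it: `// phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__ -- REMOTE_ADDR is the TCP peer address set by the web server and is validated with FILTER_VALIDATE_IP before it is stored.` The new explanatory comment covers only `last_ip` although the same loop body also refreshes `last_used`; `// Record when, and from which peer address, the key pair was last used. The IP may be a proxy or be stale in cached environments.` would describe both writes and keep the caching caveat. authenticate() continues outside the hunk.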
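Review bot: The `// phpcs:disable WordPressVIPMinimum.Security.Mustache.OutputNotation` added at the top of template_new_token_key_pair() has no matching `// phpcs:enable` visible in the hunk; a `phpcs:disable` stays in force until an enable or the end of the file, so unless the template's closing PHP block re-enables it, the unescaped-output sniff is switched off for everything after this method in class-wp-rest-key-pair.php. Add `// phpcs:enable WordPressVIPMinimum.Security.Mustache.OutputNotation` directly after the template markup, or use per-line `phpcs:ignore` on the lines the sniff flags so the suppression is as narrow as the reason for it. Disabling the sniff is only justified if every value the template emits with unescaped notation is already escaped on the PHP side; the template body is not visible here, so that should be confirmed in the review. template_new_token_key_pair() continues outside the hunk.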
diff --git a/wp-includes/rest-api/auth/class-wp-rest-token.php b/wp-includes/rest-api/auth/class-wp-rest-token.php
index bc2f21f..b308f0b 100644
--- a/wp-includes/rest-api/auth/class-wp-rest-token.php
+++ b/wp-includes/rest-api/auth/class-wp-rest-token.php
@@ -380,8 +380,8 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) {
 	 */
 	public function require_token() {
 		$require_token = true;
-		$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( $_SERVER['REQUEST_URI'] ) : false;
-		$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( $_SERVER['REQUEST_METHOD'] ) : false;
+		$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : false;
+		$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) : false;
 
 		// User is already authenticated.
 		$user = wp_get_current_user();
@@ -775,11 +775,11 @@ public function validate_token() {
 	public function get_auth_header() {
 
 		// Get HTTP Authorization Header.
-		$header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? sanitize_text_field( $_SERVER['HTTP_AUTHORIZATION'] ) : false;
+		$header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ) ) : false;
 
 		// Check for alternative header.
 		if ( ! $header && isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
-			$header = sanitize_text_field( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
+			$header = sanitize_text_field( wp_unslash( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) );
 		}
 
 		// The HTTP Authorization Header is missing, return an error.
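Review bot: `sanitize_text_field()` is the wrong sanitizer for `$request_uri` in require_token(): beyond the slash handling this commit fixes, it removes percent-encoded octets and strips anything that looks like a tag, so the string the method goes on to inspect can differ from the URI WordPress actually routes (constructed example: `/wp-json/wp/v2/posts?search=a%20b` comes out as `/wp-json/wp/v2/posts?search=ab`). If that value is matched against route patterns to decide whether a token is required — the rest of the method is outside the hunk — the divergence matters more than the slashes did, since the decision is then made on a URI the router never sees. `esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) )` satisfies the sniff while keeping the octets intact, and if only the path is compared, taking it via `wp_parse_url( ..., PHP_URL_PATH )` and comparing the decoded path is more robust than string-matching the raw line. `$request_method` is fine as changed.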
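Review bot: get_auth_header() now repeats the `isset( $_SERVER[...] ) ? sanitize_text_field( wp_unslash( $_SERVER[...] ) ) : false` shape for the third time in this patch (the other two are in require_token() above), each spelling the key twice; a small private helper such as `private function server_value( $key ) { return isset( $_SERVER[ $key ] ) ? sanitize_text_field( wp_unslash( $_SERVER[ $key ] ) ) : false; }` would keep the unslash-then-sanitize order in one place and stop the next caller from omitting it again. The sanitizer itself is acceptable for the Authorization header provided the value is only parsed and verified downstream (outside the hunk): any character `sanitize_text_field()` alters in a credential can only make verification fail, not succeed. A one-line comment recording that reasoning, `// A token altered by sanitize_text_field() simply fails verification later; safe to apply here.`, would spare the next reviewer the same analysis. get_auth_header() continues outside the hunk.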