
Changeset 2784613


Timestamp:
09/14/2022 01:03:35 PM (4 years ago)
Author:
integromat
Message:

Fix sanitization

Location:
integromat-connector
Files:
6 edited

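--- a/integromat-connector/tags/1.5.3/api/authentication.php
+++ b/integromat-connector/tags/1.5.3/api/authentication.php
@@ -32,5 +32,5 @@
         if ( isset( $_SERVER['HTTP_IWC_API_KEY'] ) && ! empty( $_SERVER['HTTP_IWC_API_KEY'] ) ) {
 
-            $token = $_SERVER['HTTP_IWC_API_KEY'];
+            $token = sanitize_text_field( $_SERVER['HTTP_IWC_API_KEY'] );
 
             if ( strlen( $token ) !== \Integromat\Api_Token::API_TOKEN_LENGTH || ! \Integromat\Api_Token::is_valid( $token ) ) {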
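Review bot: Line 34 now passes the `HTTP_IWC_API_KEY` header through `sanitize_text_field()` before the length and `Api_Token::is_valid()` checks on line 36, so the value being validated is no longer the header as sent: that sanitizer trims, collapses whitespace and strips tags and percent-encoded octets, so a header that differs from a well-formed token only by characters the sanitizer removes is normalised into one instead of being rejected. For a credential the safer shape is to keep the raw header and validate it strictly rather than normalise it, e.g. `$token = (string) $_SERVER['HTTP_IWC_API_KEY'];` followed by a pattern check against the token's expected alphabet and `API_TOKEN_LENGTH` (the alphabet is not visible here, so the exact pattern has to come from `Api_Token`). `Api_Token::is_valid()` is outside the hunk; if it compares the token with a stored value, that comparison belongs in `hash_equals()`. The `isset()` on line 32 is redundant with `! empty()`, which is already false for an unset key. The enclosing function starts before line 32, and the identical change in trunk/api/authentication.php has the same issue.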
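--- a/integromat-connector/tags/1.5.3/class/class-guard.php
+++ b/integromat-connector/tags/1.5.3/class/class-guard.php
@@ -11,5 +11,5 @@
         $entities = array( 'posts', 'users', 'comments', 'tags', 'categories', 'media' );
         $json_ase = str_replace( get_site_url(), '', get_rest_url( null, 'wp/v2/' ) );
-        $endpoint = str_replace( $json_base, '', esc_url( $_SERVER['REQUEST_URI'] ) );
+        $endpoint = str_replace( $json_base, '', sanitize_url( $_SERVER['REQUEST_URI'] ) );
         $f        = explode( '/', $endpoint );
         return in_array( $f[0], $entities, true ) && in_array( $_SERVER['REQUEST_METHOD'], array( 'POST', 'PUT', 'DELETE' ) );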
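Review bot: Line 13 reads `$json_base`, but the only assignment on line 12 is to `$json_ase`, so unless that is a rendering artefact the search string handed to `str_replace()` is `null` (deprecated for a string parameter since PHP 8.1) and nothing is stripped from the URI: for a path-style `REQUEST_URI` the sanitised value keeps its leading `/`, `$f[0]` is always `''`, the `in_array()` on line 15 never matches an entity, and this guard returns false for every request, so whatever the caller enforces with it is silently skipped. The fix is the spelling on line 12, `$json_base = str_replace( get_site_url(), '', get_rest_url( null, 'wp/v2/' ) );`. Line 15 also omits the strict flag on the second membership test; `in_array( $_SERVER['REQUEST_METHOD'], array( 'POST', 'PUT', 'DELETE' ), true )` keeps both checks strict. The enclosing function starts before line 11, and trunk/class/class-guard.php carries the same typo.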
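--- a/integromat-connector/tags/1.5.3/class/class-logger.php
+++ b/integromat-connector/tags/1.5.3/class/class-logger.php
@@ -25,6 +25,53 @@
         $init                            = 'Log file initiated @ ' . date( 'Y-m-d G:i:s' ) . "\n=SERVER INFO START=";
         $server_data                     = $_SERVER;
-        $server_data['REQUEST_URI']      = self::strip_request_query( esc_url_raw( $_SERVER['REQUEST_URI'] ) );
-        $server_data['HTTP_IWC_API_KEY'] = ( isset( $server_data['HTTP_IWC_API_KEY'] ) ? substr( $_SERVER['HTTP_IWC_API_KEY'], 0, 5 ) . '...' : 'Not Provided' );
+        $server_data['REQUEST_URI']      = self::strip_request_query( sanitize_url( $_SERVER['REQUEST_URI'] ) );
+        $server_data['HTTP_IWC_API_KEY'] = ( isset( $server_data['HTTP_IWC_API_KEY'] ) ? substr( sanitize_text_field( $_SERVER['HTTP_IWC_API_KEY'] ), 0, 5 ) . '...' : 'Not Provided' );
+
+        $server_data['SERVER_SOFTWARE']    = sanitize_text_field( $_SERVER['SERVER_SOFTWARE'] );
+        $server_data['REQUEST_URI']        = sanitize_url( $_SERVER['REQUEST_URI'] );
+        $server_data['REDIRECT_UNIQUE_ID'] = sanitize_text_field( $_SERVER['REDIRECT_UNIQUE_ID'] );
+
+        $server_data['REDIRECT_STATUS']                  = sanitize_text_field( $_SERVER['REDIRECT_STATUS'] );
+        $server_data['UNIQUE_ID']                        = sanitize_text_field( $_SERVER['UNIQUE_ID'] );
+        $server_data['HTTP_X_DATADOG_SAMPLING_PRIORITY'] = sanitize_text_field( $_SERVER['HTTP_X_DATADOG_SAMPLING_PRIORITY'] );
+        $server_data['HTTP_X_DATADOG_SAMPLED']           = sanitize_text_field( $_SERVER['HTTP_X_DATADOG_SAMPLED'] );
+        $server_data['HTTP_X_DATADOG_PARENT_ID']         = sanitize_text_field( $_SERVER['HTTP_X_DATADOG_PARENT_ID'] );
+
+        $server_data['HTTP_X_DATADOG_TRACE_ID'] = sanitize_text_field( $_SERVER['HTTP_X_DATADOG_TRACE_ID'] );
+        $server_data['CONTENT_TYPE']            = sanitize_text_field( $_SERVER['CONTENT_TYPE'] );
+        $server_data['HTTP_USER_AGENT']         = sanitize_text_field( $_SERVER['HTTP_USER_AGENT'] );
+        $server_data['HTTP_X_FORWARDED_PORT']   = sanitize_text_field( $_SERVER['HTTP_X_FORWARDED_PORT'] );
+
+        $server_data['HTTP_X_FORWARDED_SSL']   = sanitize_text_field( $_SERVER['HTTP_X_FORWARDED_SSL'] );
+        $server_data['HTTP_X_FORWARDED_PROTO'] = sanitize_text_field( $_SERVER['HTTP_X_FORWARDED_PROTO'] );
+        $server_data['HTTP_X_FORWARDED_FOR']   = sanitize_text_field( $_SERVER['HTTP_X_FORWARDED_FOR'] );
+        $server_data['HTTP_X_REAL_IP']         = sanitize_text_field( $_SERVER['HTTP_X_REAL_IP'] );
+        $server_data['HTTP_CONNECTION']        = sanitize_text_field( $_SERVER['HTTP_CONNECTION'] );
+        $server_data['HTTP_HOST']              = sanitize_text_field( $_SERVER['HTTP_HOST'] );
+        $server_data['HTTP_X_FORWARDED_HOST']  = sanitize_text_field( $_SERVER['HTTP_X_FORWARDED_HOST'] );
+        $server_data['PATH']                   = sanitize_text_field( $_SERVER['PATH'] );
+        $server_data['DYLD_LIBRARY_PATH']      = sanitize_text_field( $_SERVER['DYLD_LIBRARY_PATH'] );
+        $server_data['SERVER_SIGNATURE']       = sanitize_text_field( $_SERVER['SERVER_SIGNATURE'] );
+        $server_data['SERVER_NAME']            = sanitize_text_field( $_SERVER['SERVER_NAME'] );
+        $server_data['SERVER_ADDR']            = sanitize_text_field( $_SERVER['SERVER_ADDR'] );
+        $server_data['SERVER_PORT']            = sanitize_text_field( $_SERVER['SERVER_PORT'] );
+        $server_data['REMOTE_ADDR']            = sanitize_text_field( $_SERVER['REMOTE_ADDR'] );
+        $server_data['DOCUMENT_ROOT']          = sanitize_text_field( $_SERVER['DOCUMENT_ROOT'] );
+        $server_data['REQUEST_SCHEME']         = sanitize_text_field( $_SERVER['REQUEST_SCHEME'] );
+        $server_data['CONTEXT_PREFIX']         = sanitize_text_field( $_SERVER['CONTEXT_PREFIX'] );
+        $server_data['CONTEXT_DOCUMENT_ROOT']  = sanitize_text_field( $_SERVER['CONTEXT_DOCUMENT_ROOT'] );
+        $server_data['SERVER_ADMIN']           = sanitize_email( $_SERVER['SERVER_ADMIN'] );
+        $server_data['SCRIPT_FILENAME']        = sanitize_text_field( $_SERVER['SCRIPT_FILENAME'] );
+        $server_data['REMOTE_PORT']            = sanitize_text_field( $_SERVER['REMOTE_PORT'] );
+        $server_data['REDIRECT_URL']           = sanitize_text_field( $_SERVER['REDIRECT_URL'] );
+        $server_data['GATEWAY_INTERFACE']      = sanitize_text_field( $_SERVER['GATEWAY_INTERFACE'] );
+        $server_data['SERVER_PROTOCOL']        = sanitize_text_field( $_SERVER['SERVER_PROTOCOL'] );
+        $server_data['REQUEST_METHOD']         = sanitize_text_field( $_SERVER['REQUEST_METHOD'] );
+        $server_data['SCRIPT_NAME']            = sanitize_text_field( $_SERVER['SCRIPT_NAME'] );
+        $server_data['PHP_SELF']               = sanitize_text_field( $_SERVER['PHP_SELF'] );
+        $server_data['REQUEST_TIME_FLOAT']     = sanitize_text_field( $_SERVER['REQUEST_TIME_FLOAT'] );
+        $server_data['REQUEST_TIME']           = sanitize_text_field( $_SERVER['REQUEST_TIME'] );
+
+        /*
         unset( $server_data['QUERY_STRING'] );
         unset( $server_data['REDIRECT_QUERY_STRING'] );
@@ -38,4 +85,5 @@
             $server_data['PHP_AUTH_PW'] = '*******';
         }
+        */
         $init .= str_replace( 'Array', '', print_r( $server_data, true ) ) . "=SERVER INFO END=\n\n";
         file_put_contents( self::get_file_location(), self::encrypt( $init ) );
@@ -64,6 +112,6 @@
     private static function get_record( $codes ) {
         $r = array(
-            'request' => $_SERVER['REQUEST_METHOD'] . ' ' . self::strip_request_query( esc_url_raw( $_SERVER['REQUEST_URI'] ) ),
-            'ip'      =>  esc_url( $_SERVER['REMOTE_ADDR'] ),
+            'request' => sanitize_text_field( $_SERVER['REQUEST_METHOD'] ) . ' ' . self::strip_request_query( sanitize_url( $_SERVER['REQUEST_URI'] ) ),
+            'ip'      => sanitize_url( $_SERVER['REMOTE_ADDR'] ),
             'codes'   => $codes . '(' . (string) is_user_logged_in() . ')',
         );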
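Review bot: New line 31, `$server_data['REQUEST_URI'] = sanitize_url( $_SERVER['REQUEST_URI'] );`, overwrites the query-stripped value assigned on line 27, so the query string goes into the log again, and the `/*` on line 75 and `*/` on line 87 disable the `unset( $server_data['QUERY_STRING'] )`, `unset( $server_data['REDIRECT_QUERY_STRING'] )` and `$server_data['PHP_AUTH_PW'] = '*******'` redaction that previously ran before the dump (lines 78-84 are outside the hunk, so whatever else that block masked is disabled as well). Deleting line 31 and removing the two comment markers restores the old redaction; `self::encrypt()` on line 89 protects the file at rest, but not masking credentials before they reach the buffer at all is the cheaper guarantee. Most keys touched on lines 30-73 (`HTTP_X_DATADOG_*`, `DYLD_LIBRARY_PATH`, `REDIRECT_UNIQUE_ID`, the `HTTP_X_FORWARDED_*` family) are not present on every request, so each absent one raises an undefined-array-key warning and is presumably added to the dump as an empty entry; sanitising only what is actually there, `foreach ( $server_data as $k => $v ) { $server_data[ $k ] = is_string( $v ) ? sanitize_text_field( $v ) : $v; }`, covers every header without the warnings. On line 115 `sanitize_url()` is an alias of `esc_url_raw()`, which prefixes `http://` to a bare IPv4 address, so the logged `ip` is no longer the address; `filter_var( $_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP )` is the right check there. The method holding lines 25-89 starts before the hunk, and trunk/class/class-logger.php has the identical changes.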
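--- a/integromat-connector/trunk/api/authentication.php
+++ b/integromat-connector/trunk/api/authentication.php
@@ -32,5 +32,5 @@
         if ( isset( $_SERVER['HTTP_IWC_API_KEY'] ) && ! empty( $_SERVER['HTTP_IWC_API_KEY'] ) ) {
 
-            $token = $_SERVER['HTTP_IWC_API_KEY'];
+            $token = sanitize_text_field( $_SERVER['HTTP_IWC_API_KEY'] );
 
             if ( strlen( $token ) !== \Integromat\Api_Token::API_TOKEN_LENGTH || ! \Integromat\Api_Token::is_valid( $token ) ) {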
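--- a/integromat-connector/trunk/class/class-guard.php
+++ b/integromat-connector/trunk/class/class-guard.php
@@ -11,5 +11,5 @@
         $entities = array( 'posts', 'users', 'comments', 'tags', 'categories', 'media' );
         $json_ase = str_replace( get_site_url(), '', get_rest_url( null, 'wp/v2/' ) );
-        $endpoint = str_replace( $json_base, '', esc_url( $_SERVER['REQUEST_URI'] ) );
+        $endpoint = str_replace( $json_base, '', sanitize_url( $_SERVER['REQUEST_URI'] ) );
         $f        = explode( '/', $endpoint );
         return in_array( $f[0], $entities, true ) && in_array( $_SERVER['REQUEST_METHOD'], array( 'POST', 'PUT', 'DELETE' ) );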
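--- a/integromat-connector/trunk/class/class-logger.php
+++ b/integromat-connector/trunk/class/class-logger.php
@@ -25,6 +25,53 @@
         $init                            = 'Log file initiated @ ' . date( 'Y-m-d G:i:s' ) . "\n=SERVER INFO START=";
         $server_data                     = $_SERVER;
-        $server_data['REQUEST_URI']      = self::strip_request_query( esc_url_raw( $_SERVER['REQUEST_URI'] ) );
-        $server_data['HTTP_IWC_API_KEY'] = ( isset( $server_data['HTTP_IWC_API_KEY'] ) ? substr( $_SERVER['HTTP_IWC_API_KEY'], 0, 5 ) . '...' : 'Not Provided' );
+        $server_data['REQUEST_URI']      = self::strip_request_query( sanitize_url( $_SERVER['REQUEST_URI'] ) );
+        $server_data['HTTP_IWC_API_KEY'] = ( isset( $server_data['HTTP_IWC_API_KEY'] ) ? substr( sanitize_text_field( $_SERVER['HTTP_IWC_API_KEY'] ), 0, 5 ) . '...' : 'Not Provided' );
+
+        $server_data['SERVER_SOFTWARE']    = sanitize_text_field( $_SERVER['SERVER_SOFTWARE'] );
+        $server_data['REQUEST_URI']        = sanitize_url( $_SERVER['REQUEST_URI'] );
+        $server_data['REDIRECT_UNIQUE_ID'] = sanitize_text_field( $_SERVER['REDIRECT_UNIQUE_ID'] );
+
+        $server_data['REDIRECT_STATUS']                  = sanitize_text_field( $_SERVER['REDIRECT_STATUS'] );
+        $server_data['UNIQUE_ID']                        = sanitize_text_field( $_SERVER['UNIQUE_ID'] );
+        $server_data['HTTP_X_DATADOG_SAMPLING_PRIORITY'] = sanitize_text_field( $_SERVER['HTTP_X_DATADOG_SAMPLING_PRIORITY'] );
+        $server_data['HTTP_X_DATADOG_SAMPLED']           = sanitize_text_field( $_SERVER['HTTP_X_DATADOG_SAMPLED'] );
+        $server_data['HTTP_X_DATADOG_PARENT_ID']         = sanitize_text_field( $_SERVER['HTTP_X_DATADOG_PARENT_ID'] );
+
+        $server_data['HTTP_X_DATADOG_TRACE_ID'] = sanitize_text_field( $_SERVER['HTTP_X_DATADOG_TRACE_ID'] );
+        $server_data['CONTENT_TYPE']            = sanitize_text_field( $_SERVER['CONTENT_TYPE'] );
+        $server_data['HTTP_USER_AGENT']         = sanitize_text_field( $_SERVER['HTTP_USER_AGENT'] );
+        $server_data['HTTP_X_FORWARDED_PORT']   = sanitize_text_field( $_SERVER['HTTP_X_FORWARDED_PORT'] );
+
+        $server_data['HTTP_X_FORWARDED_SSL']   = sanitize_text_field( $_SERVER['HTTP_X_FORWARDED_SSL'] );
+        $server_data['HTTP_X_FORWARDED_PROTO'] = sanitize_text_field( $_SERVER['HTTP_X_FORWARDED_PROTO'] );
+        $server_data['HTTP_X_FORWARDED_FOR']   = sanitize_text_field( $_SERVER['HTTP_X_FORWARDED_FOR'] );
+        $server_data['HTTP_X_REAL_IP']         = sanitize_text_field( $_SERVER['HTTP_X_REAL_IP'] );
+        $server_data['HTTP_CONNECTION']        = sanitize_text_field( $_SERVER['HTTP_CONNECTION'] );
+        $server_data['HTTP_HOST']              = sanitize_text_field( $_SERVER['HTTP_HOST'] );
+        $server_data['HTTP_X_FORWARDED_HOST']  = sanitize_text_field( $_SERVER['HTTP_X_FORWARDED_HOST'] );
+        $server_data['PATH']                   = sanitize_text_field( $_SERVER['PATH'] );
+        $server_data['DYLD_LIBRARY_PATH']      = sanitize_text_field( $_SERVER['DYLD_LIBRARY_PATH'] );
+        $server_data['SERVER_SIGNATURE']       = sanitize_text_field( $_SERVER['SERVER_SIGNATURE'] );
+        $server_data['SERVER_NAME']            = sanitize_text_field( $_SERVER['SERVER_NAME'] );
+        $server_data['SERVER_ADDR']            = sanitize_text_field( $_SERVER['SERVER_ADDR'] );
+        $server_data['SERVER_PORT']            = sanitize_text_field( $_SERVER['SERVER_PORT'] );
+        $server_data['REMOTE_ADDR']            = sanitize_text_field( $_SERVER['REMOTE_ADDR'] );
+        $server_data['DOCUMENT_ROOT']          = sanitize_text_field( $_SERVER['DOCUMENT_ROOT'] );
+        $server_data['REQUEST_SCHEME']         = sanitize_text_field( $_SERVER['REQUEST_SCHEME'] );
+        $server_data['CONTEXT_PREFIX']         = sanitize_text_field( $_SERVER['CONTEXT_PREFIX'] );
+        $server_data['CONTEXT_DOCUMENT_ROOT']  = sanitize_text_field( $_SERVER['CONTEXT_DOCUMENT_ROOT'] );
+        $server_data['SERVER_ADMIN']           = sanitize_email( $_SERVER['SERVER_ADMIN'] );
+        $server_data['SCRIPT_FILENAME']        = sanitize_text_field( $_SERVER['SCRIPT_FILENAME'] );
+        $server_data['REMOTE_PORT']            = sanitize_text_field( $_SERVER['REMOTE_PORT'] );
+        $server_data['REDIRECT_URL']           = sanitize_text_field( $_SERVER['REDIRECT_URL'] );
+        $server_data['GATEWAY_INTERFACE']      = sanitize_text_field( $_SERVER['GATEWAY_INTERFACE'] );
+        $server_data['SERVER_PROTOCOL']        = sanitize_text_field( $_SERVER['SERVER_PROTOCOL'] );
+        $server_data['REQUEST_METHOD']         = sanitize_text_field( $_SERVER['REQUEST_METHOD'] );
+        $server_data['SCRIPT_NAME']            = sanitize_text_field( $_SERVER['SCRIPT_NAME'] );
+        $server_data['PHP_SELF']               = sanitize_text_field( $_SERVER['PHP_SELF'] );
+        $server_data['REQUEST_TIME_FLOAT']     = sanitize_text_field( $_SERVER['REQUEST_TIME_FLOAT'] );
+        $server_data['REQUEST_TIME']           = sanitize_text_field( $_SERVER['REQUEST_TIME'] );
+
+        /*
         unset( $server_data['QUERY_STRING'] );
         unset( $server_data['REDIRECT_QUERY_STRING'] );
@@ -38,4 +85,5 @@
             $server_data['PHP_AUTH_PW'] = '*******';
         }
+        */
         $init .= str_replace( 'Array', '', print_r( $server_data, true ) ) . "=SERVER INFO END=\n\n";
         file_put_contents( self::get_file_location(), self::encrypt( $init ) );
@@ -64,6 +112,6 @@
     private static function get_record( $codes ) {
         $r = array(
-            'request' => $_SERVER['REQUEST_METHOD'] . ' ' . self::strip_request_query( esc_url_raw( $_SERVER['REQUEST_URI'] ) ),
-            'ip'      =>  esc_url( $_SERVER['REMOTE_ADDR'] ),
+            'request' => sanitize_text_field( $_SERVER['REQUEST_METHOD'] ) . ' ' . self::strip_request_query( sanitize_url( $_SERVER['REQUEST_URI'] ) ),
+            'ip'      => sanitize_url( $_SERVER['REMOTE_ADDR'] ),
             'codes'   => $codes . '(' . (string) is_user_logged_in() . ')',
         );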