stricter queries and output escaping

includes/class-webfinger.php

@@ -63,15 +63,17 @@ public static function parse_request( $wp ) {
 			exit;
 		}
 
+		$resource = esc_html( $wp->query_vars['resource'] );
+
 		// filter WebFinger array
-		$webfinger = apply_filters( 'webfinger_data', array(), $wp->query_vars['resource'] );
+		$webfinger = apply_filters( 'webfinger_data', array(), $resource );
 
 		// check if "user" exists
 		if ( empty( $webfinger ) ) {
 			status_header( 404 );
 			header( 'Content-Type: text/plain; charset=' . get_bloginfo( 'charset' ), true );
 
-			echo 'no data for resource "' . $wp->query_vars['resource'] . '" found';
+			printf( 'no data for resource "%s" found', $resource );
 
 			exit;
 		}
@@ -124,12 +126,12 @@ public static function generate_user_data( $webfinger, $resource ) {
 			'links' => array(
 				array(
 					'rel' => 'http://webfinger.net/rel/profile-page',
-					'href' => $url,
+					'href' => esc_url( $url ),
 					'type' => 'text/html',
 				),
 				array(
 					'rel' => 'http://webfinger.net/rel/avatar',
-					'href' => $photo,
+					'href' => esc_url( $photo ),
 				),
 			),
 		);
@@ -138,7 +140,7 @@ public static function generate_user_data( $webfinger, $resource ) {
 		if ( isset( $user->user_url ) && ! empty( $user->user_url ) ) {
 			$webfinger['links'][] = array(
 				'rel' => 'http://webfinger.net/rel/profile-page',
-				'href' => $user->user_url,
+				'href' => esc_url( $user->user_url ),
 				'type' => 'text/html',
 			);
 		}
@@ -278,21 +280,27 @@ public static function filter_by_rel( $webfinger ) {
 	 *       user and 'webfinger_user_query' to add custom query-params
 	 */
 	private static function get_user_by_uri( $uri ) {
-		$uri = urldecode( $uri );
+		$uri   = urldecode( $uri );
+		$uri   = str_replace( array( '*', '%' ), '', $uri );
 		$match = array();
 
 		// try to extract the scheme and the host
 		if ( preg_match( '/^([a-zA-Z^:]+):(.*)$/i', $uri, $match ) ) {
 			// extract the scheme
-			$scheme = $match[1];
+			$scheme = esc_attr( $match[1] );
 			// extract the "host"
-			$host = $match[2];
+			$host = sanitize_text_field( $match[2] );
 		} else { // fallback to 'acct' as default theme
 			$scheme = 'acct';
 			// extract the "host"
 			$host = $uri;
 		}
 
+		// check if $host and $uri are set
+		if ( ! $host || ! $uri ) {
+			return null;
+		}
+
 		switch ( $scheme ) {
 			case 'http': // check urls
 			case 'https':
@@ -302,14 +310,12 @@ private static function get_user_by_uri( $uri ) {
 					$args = array(
 						'search' => $author_id,
 						'search_columns' => array( 'ID' ),
-						'meta_compare' => '=',
 					);
 				} else { // check other urls
 					// search url in user_url
 					$args = array(
 						'search' => $uri,
 						'search_columns' => array( 'user_url' ),
-						'meta_compare' => '=',
 					);
 				}
 
@@ -318,6 +324,10 @@ private static function get_user_by_uri( $uri ) {
 				// get the identifier at the left of the '@'
 				$parts = explode( '@', $host );
 
+				if ( ! $parts[0] ) {
+					return null;
+				}
+
 				// check domain
 				if (
 					! isset( $parts[1] ) ||
@@ -332,60 +342,23 @@ private static function get_user_by_uri( $uri ) {
 						'user_nicename',
 						'user_login',
 					),
-					'meta_compare' => '=',
 				);
 				break;
 			case 'mailto': // check mailto scheme
 				$args = array(
 					'search' => $host,
 					'search_columns' => array( 'user_email' ),
-					'meta_compare' => '=',
 				);
 				break;
 			case 'xmpp': // check xmpp/jabber schemes
 			case 'urn:xmpp':
+			case 'im':
 				$args = array(
 					'meta_key' => 'jabber',
 					'meta_value' => $host,
 					'meta_compare' => '=',
 				);
 				break;
-			case 'ymsgr': // check Yahoo messenger schemes
-				$args = array(
-					'meta_key' => 'yim',
-					'meta_value' => $host,
-					'meta_compare' => '=',
-				);
-				break;
-			case 'aim': // check AOL messenger schemes
-				$args = array(
-					'meta_key'  => 'aim',
-					'meta_value' => $host,
-					'meta_compare' => '=',
-				);
-				break;
-			case 'im': // check instant messaging schemes
-				$args = array(
-					'meta_query' => array(
-						'relation' => 'OR',
-						array(
-							'key' => 'jabber',
-							'value' => $host,
-							'compare' => '=',
-						),
-						array(
-							'key' => 'yim',
-							'value' => $host,
-							'compare' => '=',
-						),
-						array(
-							'key' => 'aim',
-							'value' => $host,
-							'compare' => '=',
-						),
-					),
-				);
-				break;
 			default:
 				$args = array();
 				break;

languages/webfinger.pot

@@ -2,10 +2,10 @@
 # This file is distributed under the MIT.
 msgid ""
 msgstr ""
-"Project-Id-Version: WebFinger 3.2.6\n"
+"Project-Id-Version: WebFinger 3.2.7\n"
 "Report-Msgid-Bugs-To: "
 "https://wordpress.org/support/plugin/wordpress-webfinger\n"
-"POT-Creation-Date: 2023-10-23 09:55:41+00:00\n"
+"POT-Creation-Date: 2023-11-12 20:25:01+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"

readme.md

@@ -3,8 +3,8 @@
 **Donate link:** https://notiz.blog/donate/  
 **Tags:** well-known, discovery, webfinger, JRD, ostatus, activitypub  
 **Requires at least:** 4.2  
-**Tested up to:** 6.3  
-**Stable tag:** 3.2.6  
+**Tested up to:** 6.4  
+**Stable tag:** 3.2.7  
 **License:** MIT  
 **License URI:** https://opensource.org/licenses/MIT  
 
@@ -67,6 +67,11 @@ This versions drops classic WebFinger support to keep the plugin short and simpl
 
 Project maintained on github at [pfefferle/wordpress-webfinger](https://github.com/pfefferle/wordpress-webfinger).
 
+### 3.2.7 ###
+
+* Added: better output escaping
+* Fixed: stricter queries
+
 ### 3.2.6 ###
 
 * remove E-Mail address

readme.txt

@@ -3,8 +3,8 @@ Contributors: pfefferle, willnorris
 Donate link: https://notiz.blog/donate/
 Tags: well-known, discovery, webfinger, JRD, ostatus, activitypub
 Requires at least: 4.2
-Tested up to: 6.3
-Stable tag: 3.2.6
+Tested up to: 6.4
+Stable tag: 3.2.7
 License: MIT
 License URI: https://opensource.org/licenses/MIT
 
@@ -67,6 +67,11 @@ This versions drops classic WebFinger support to keep the plugin short and simpl
 
 Project maintained on github at [pfefferle/wordpress-webfinger](https://github.com/pfefferle/wordpress-webfinger).
 
+= 3.2.7 =
+
+* Added: better output escaping
+* Fixed: stricter queries
+
 = 3.2.6 =
 
 * remove E-Mail address

webfinger.php

@@ -3,7 +3,7 @@
  * Plugin Name: WebFinger
  * Plugin URI: https://github.com/pfefferle/wordpress-webfinger
  * Description: WebFinger for WordPress
- * Version: 3.2.6
+ * Version: 3.2.7
  * Author: Matthias Pfefferle
  * Author URI: https://notiz.blog/
  * License: MIT