Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PHPCS fixes: strict comparison, rawurlencode(), sanitization #16

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

PHPCS fixes: strict comparison, rawurlencode(), sanitization #16

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
86ad8bc
PHPCS fixes: strict comparison, rawurlencode(), sanitization
Mar 2, 2017
95e0e0e
move die() to its own line
Mar 2, 2017
f94b233
add @uses sanitize_text_field() and wp_unslash() to handle_postback d…
paulschreiber Mar 8, 2017
0cc9856
add mocks for sanitize_text_field() and wp_unslash()
paulschreiber Mar 8, 2017
c785cb5
remove sanitize_text_field() and wp_unslash() calls from verify_async…
Mar 8, 2017
e5de001
Merge branch 'phpcs' of github.com:paulschreiber/wp-async-task into p…
Mar 8, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion tests/phpunit/WP-Async-TaskTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,7 +226,8 @@ public function test_handle_postback_invalid_nonce() {
die();
} );
WP_Mock::wpFunction( 'wp_die', array( 'times' => 1 ) );

WP_Mock::wpPassthruFunction( 'sanitize_text_field' );
WP_Mock::wpPassthruFunction( 'wp_unslash' );
/** @var Async $async */
$async->handle_postback();

Expand Down
16 changes: 10 additions & 6 deletions wp-async-task.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,8 +128,8 @@ public function launch() {
public function launch_on_shutdown() {
if ( ! empty( $this->_body_data ) ) {
$cookies = array();
foreach ( $_COOKIE as $name => $value ) {
$cookies[] = "$name=" . urlencode( is_array( $value ) ? serialize( $value ) : $value );
foreach ( $_COOKIE as $name => $value ) { // input var ok
$cookies[] = "$name=" . rawurlencode( is_array( $value ) ? serialize( $value ) : $value );
}

$request_args = array(
Expand All @@ -155,16 +155,20 @@ public function launch_on_shutdown() {
* @uses is_user_logged_in()
* @uses add_filter()
* @uses wp_die()
* @uses sanitize_text_field()
* @uses wp_unslash()
*/
public function handle_postback() {
if ( isset( $_POST['_nonce'] ) && $this->verify_async_nonce( $_POST['_nonce'] ) ) {
if ( isset( $_POST['_nonce'] ) && $this->verify_async_nonce( $_POST['_nonce'] ) ) { // input var ok
if ( ! is_user_logged_in() ) {
$this->action = "nopriv_$this->action";
}
$this->run_action();
}

add_filter( 'wp_die_handler', function() { die(); } );
add_filter( 'wp_die_handler', function() {
die();
});
wp_die();
}

Expand Down Expand Up @@ -201,12 +205,12 @@ protected function verify_async_nonce( $nonce ) {
$i = wp_nonce_tick();

// Nonce generated 0-12 hours ago
if ( substr( wp_hash( $i . $action . get_class( $this ), 'nonce' ), - 12, 10 ) == $nonce ) {
if ( substr( wp_hash( $i . $action . get_class( $this ), 'nonce' ), - 12, 10 ) === $nonce ) {
return 1;
}

// Nonce generated 12-24 hours ago
if ( substr( wp_hash( ( $i - 1 ) . $action . get_class( $this ), 'nonce' ), - 12, 10 ) == $nonce ) {
if ( substr( wp_hash( ( $i - 1 ) . $action . get_class( $this ), 'nonce' ), - 12, 10 ) === $nonce ) {
return 2;
}

Expand Down