diff --git a/class-two-factor-compat.php b/class-two-factor-compat.php
index b578c847..731a2dff 100644
--- a/class-two-factor-compat.php
+++ b/class-two-factor-compat.php
@@ -35,7 +35,7 @@ public function init() {
 * @return boolean
 */
 public function jetpack_rememberme( $rememberme ) {
- $action = filter_input( INPUT_GET, 'action', FILTER_SANITIZE_STRING );
+ $action = filter_input( INPUT_GET, 'action', FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) );
 if ( 'jetpack-sso' === $action && $this->jetpack_is_sso_active() ) {
 return true;
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index d9a85af7..ba3ff968 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -244,7 +244,7 @@ public static function get_user_update_action_url( $user_id, $action ) {
 * @return boolean
 */
 public static function is_valid_user_action( $user_id, $action ) {
- $request_nonce = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG, FILTER_SANITIZE_STRING );
+ $request_nonce = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG, FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) );
 return wp_verify_nonce( $request_nonce,
@@ -277,7 +277,7 @@ public static function current_user_being_edited() {
 * @return void
 */
 public static function trigger_user_settings_action() {
- $action = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_QUERY_VAR, FILTER_SANITIZE_STRING );
+ $action = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_QUERY_VAR, FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) );
 $user_id = self::current_user_being_edited();
 if ( ! empty( $action ) && self::is_valid_user_action( $user_id, $action ) ) {
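Review bot: `sanitize_key()` lowercases its input, so in the `jetpack_rememberme` hunk the `'jetpack-sso' === $action` comparison now also accepts `JETPACK-SSO`, whereas the old `FILTER_SANITIZE_STRING` filter preserved case. That is harmless for this lowercase literal, but it is a behaviour change the commit does not mention and it differs from the `sanitize_text_field` callback this same commit picks for `provider`. If the comparison is meant to stay case-sensitive, use `FILTER_CALLBACK, array( 'options' => 'sanitize_text_field' )` here too; otherwise a comment above the line such as `// sanitize_key() lowercases, so this match is deliberately case-insensitive.` would stop the next reader from wondering. The `jetpack_rememberme` body continues past the end of the hunk.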
@@ -537,8 +537,8 @@ public static function show_two_factor_login( $user ) {
 */
 public static function backup_2fa() {
 $wp_auth_id = filter_input( INPUT_GET, 'wp-auth-id', FILTER_SANITIZE_NUMBER_INT );
- $nonce = filter_input( INPUT_GET, 'wp-auth-nonce', FILTER_SANITIZE_STRING );
- $provider = filter_input( INPUT_GET, 'provider', FILTER_SANITIZE_STRING );
+ $nonce = filter_input( INPUT_GET, 'wp-auth-nonce', FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) );
+ $provider = filter_input( INPUT_GET, 'provider', FILTER_CALLBACK, array( 'options' => 'sanitize_text_field' ) );
 if ( ! $wp_auth_id || ! $nonce || ! $provider ) {
 return;
@@ -794,7 +794,7 @@ public static function verify_login_nonce( $user_id, $nonce ) {
 */
 public static function login_form_validate_2fa() {
 $wp_auth_id = filter_input( INPUT_POST, 'wp-auth-id', FILTER_SANITIZE_NUMBER_INT );
- $nonce = filter_input( INPUT_POST, 'wp-auth-nonce', FILTER_SANITIZE_STRING );
+ $nonce = filter_input( INPUT_POST, 'wp-auth-nonce', FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) );
 if ( ! $wp_auth_id || ! $nonce ) {
 return;
@@ -810,7 +810,7 @@ public static function login_form_validate_2fa() {
 exit;
 }
- $provider = filter_input( INPUT_POST, 'provider', FILTER_SANITIZE_STRING );
+ $provider = filter_input( INPUT_POST, 'provider', FILTER_CALLBACK, array( 'options' => 'sanitize_text_field' ) );
 if ( $provider ) {
 $providers = self::get_available_providers_for_user( $user );
 if ( isset( $providers[ $provider ] ) ) {
diff --git a/providers/class-two-factor-backup-codes.php b/providers/class-two-factor-backup-codes.php
index 5d2dcf88..f2978b61 100644
--- a/providers/class-two-factor-backup-codes.php
+++ b/providers/class-two-factor-backup-codes.php
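Review bot: `wp-auth-id` is still read with `FILTER_SANITIZE_NUMBER_INT` in the `backup_2fa` hunk (and again in `login_form_validate_2fa` in the next hunk), and that filter only strips characters — it keeps digits, `+` and `-` and never rejects — so `12abc` becomes `12` and `1-2` survives as a truthy string that passes the `! $wp_auth_id` guard. Since this commit is already tightening the string filters, validating rather than sanitising the id would close that gap: `$wp_auth_id = filter_input( INPUT_GET, 'wp-auth-id', FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) );` (with `INPUT_POST` in the second function), which yields `false` for anything that is not a positive integer and `null` when the field is absent, both of which the existing guard already rejects. Whatever loads the user from this id runs outside the hunk, so I have not checked how it copes with a malformed value today.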
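Review bot: In the `-810` hunk the `isset( $providers[ $provider ] )` lookup is the actual security boundary for `provider`; `sanitize_text_field` only trims and strips tags and does not restrict the value to a known provider, so a reader should not mistake it for the check. It is also not obvious why `provider` gets `sanitize_text_field` while `wp-auth-nonce` two hunks up gets `sanitize_key` — presumably because provider keys are mixed-case identifiers that `sanitize_key()` would lowercase and break, but that is inferred, not visible here. A one-line comment above the `$provider = …` line would capture it: `// Not sanitize_key(): provider keys are case-sensitive; the isset() allowlist below is the real validation.` The function continues past the end of the hunk.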
@@ -304,8 +304,8 @@ public function authentication_page( $user ) {
 * @return boolean
 */
 public function validate_authentication( $user ) {
- $backup_code = isset( $_POST['two-factor-backup-code'] ) ? sanitize_text_field( wp_unslash( $_POST['two-factor-backup-code'] ) ) : false;
- return $this->validate_code( $user, filter_var( $backup_code, FILTER_SANITIZE_STRING ) );
+ $backup_code = isset( $_POST['two-factor-backup-code'] ) ? sanitize_text_field( wp_unslash( $_POST['two-factor-backup-code'] ) ) : '';
+ return $this->validate_code( $user, $backup_code );
 }
 /**
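Review bot: The new `''` default means an absent or blank `two-factor-backup-code` field now reaches `$this->validate_code()` as an empty string instead of `false`, and nothing in the hunk short-circuits it; `validate_code` lives outside the hunk, so whether it rejects `''` before comparing against the stored codes is inferred rather than seen. A guard in `validate_authentication` makes the outcome explicit and independent of that helper: add `if ( '' === $backup_code ) { return false; }` before the `return`. That also fixes a documentation gap — the `@return boolean` docblock above does not say that a missing or empty code fails validation, and a one-line note there (`A missing or empty code always fails.`) would make the contract clear to callers.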