refactor: check data sanitization (#481)
saimonh3 authored and sabbir1991 committed Dec 14, 2018
1 parent 471f018 commit 088a6ec
Showing 8 changed files with 109 additions and 73 deletions.
27 changes: 15 additions & 12 deletions classes/ajax.php
Expand Up @@ -369,15 +369,15 @@ public function add_order_note() {

check_ajax_referer( 'add-order-note', 'security' );

if ( !is_user_logged_in() ) {
if ( ! is_user_logged_in() ) {
die(-1);
}
if ( ! current_user_can( 'dokan_manage_order_note' ) ) {
die(-1);
}

$post_id = isset( $_POST['post_id'] ) ? absint( sanitize_text_field( wp_unslash( $_POST['post_id'] ) ) ) : '';
$note = wp_kses_post( trim( stripslashes( $_POST['note'] ) ) );
$note = isset( $_POST['note'] ) ? wp_kses_post( trim( sanitize_text_field( wp_unslash( $_POST['note'] ) ) ) ) : '';
$note_type = isset( $_POST['note_type'] ) ? sanitize_text_field( wp_unslash( $_POST['note_type'] ) ) : '';

$is_customer_note = $note_type == 'customer' ? 1 : 0;
Expand Down Expand Up @@ -570,16 +570,18 @@ public function crop_store_banner() {
wp_send_json_error();
}

check_ajax_referer( 'image_editor-' . $_POST['id'], 'nonce' );
$post_id = isset( $_POST['id'] ) ? sanitize_text_field( wp_unslash( $_POST['id'] ) ) : '';

check_ajax_referer( 'image_editor-' . $post_id, 'nonce' );

$crop_details = $_POST['cropDetails'];
$crop_details = isset( $_POST['cropDetails'] ) ? sanitize_text_field( wp_unslash( $_POST['cropDetails'] ) ) : '';

$dimensions = $this->get_header_dimensions( array(
'height' => $crop_details['height'],
'width' => $crop_details['width'],
) );

$attachment_id = absint( $_POST['id'] );
$attachment_id = absint( $post_id );

$cropped = wp_crop_image(
$attachment_id,
Expand Down Expand Up @@ -622,9 +624,10 @@ public function crop_store_banner() {
public function json_search_product() {
check_ajax_referer( 'search-products', 'security' );

$term = wc_clean( empty( $term ) ? stripslashes( $_GET['term'] ) : $term );
$_term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
$term = wc_clean( empty( $term ) ? $_term : $term );
$include_variations = ! empty( $_GET['include_variations'] ) ? true : false;
$user_ids = ! empty( $_GET['user_ids'] ) ? $_GET['user_ids'] : false;
$user_ids = ! empty( $_GET['user_ids'] ) ? sanitize_text_field( wp_unslash( $_GET['user_ids'] ) ) : false;

if ( empty( $term ) ) {
wp_die();
Expand All @@ -633,15 +636,15 @@ public function json_search_product() {
$ids = dokan_search_seller_products( $term, $user_ids, '', (bool) $include_variations );

if ( ! empty( $_GET['exclude'] ) ) {
$ids = array_diff( $ids, (array) $_GET['exclude'] );
$ids = array_diff( $ids, (array) sanitize_text_field( wp_unslash( $_GET['exclude'] ) ) );
}

if ( ! empty( $_GET['include'] ) ) {
$ids = array_intersect( $ids, (array) $_GET['include'] );
$ids = array_intersect( $ids, (array) sanitize_text_field( wp_unslash( $_GET['include'] ) ) );
}

if ( ! empty( $_GET['limit'] ) ) {
$ids = array_slice( $ids, 0, absint( $_GET['limit'] ) );
$ids = array_slice( $ids, 0, absint( sanitize_text_field( wp_unslash( $_GET['limit'] ) ) ) );
}

$product_objects = array_filter( array_map( 'wc_get_product', $ids ), 'dokan_products_array_filter_editable' );
Expand All @@ -668,7 +671,7 @@ public function dokan_json_search_vendor_customers() {
wp_die( -1 );
}

$term = wc_clean( wp_unslash( $_GET['term'] ) );
$term = isset( $_GET['term'] ) ? wc_clean( sanitize_text_field( wp_unslash( $_GET['term'] ) ) ) : '';
$exclude = array();
$limit = '';

Expand Down Expand Up @@ -702,7 +705,7 @@ public function dokan_json_search_vendor_customers() {
$found_customers = array();

if ( ! empty( $_GET['exclude'] ) ) {
$ids = array_diff( $ids, (array) $_GET['exclude'] );
$ids = array_diff( $ids, (array) sanitize_text_field( wp_unslash( $_GET['exclude'] ) ) );
}

foreach ( $ids as $id ) {
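Review bot: `sanitize_text_field()` returns an empty string when handed an array, so the new `$crop_details` line in crop_store_banner turns the submitted `cropDetails` array into `''`, and the `$crop_details['height']` / `$crop_details['width']` reads two lines later no longer see the posted values. Sanitize per element instead, e.g. `$crop_details = isset( $_POST['cropDetails'] ) ? array_map( 'sanitize_text_field', wp_unslash( (array) $_POST['cropDetails'] ) ) : array();` (absint on the numeric keys would be tighter still). The same array-collapsing affects `exclude` and `include` in json_search_product and dokan_json_search_vendor_customers, where `(array) ''` becomes `array( '' )` and the filters silently stop applying, affects `user_ids` if a list can be submitted there, and affects the `address` field in dokan_setup_store_save of classes/seller-setup-wizard.php, which previously defaulted to an array. crop_store_banner continues outside the hunk, so any further `cropDetails` keys read by the later wp_crop_image call are not visible here.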
2 changes: 1 addition & 1 deletion classes/pageviews.php
Expand Up @@ -38,7 +38,7 @@ public function load_views() {
if ( empty( $_COOKIE['dokan_product_viewed'] ) ) {
$dokan_viewed_products = array();
} else {
$dokan_viewed_products = (array) explode( ',', $_COOKIE['dokan_product_viewed'] );
$dokan_viewed_products = (array) explode( ',', sanitize_text_field( wp_unslash( $_COOKIE['dokan_product_viewed'] ) ) );
}

if ( ! in_array( $post->ID, $dokan_viewed_products ) ) {
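Review bot: The cookie is attacker-controlled and, after the new `explode()` line, its entries are strings that are then compared with a loose `in_array()` against the integer `$post->ID` on the line below; casting each entry is a tighter sanitizer than sanitize_text_field on the joined string: `$dokan_viewed_products = array_map( 'absint', explode( ',', sanitize_text_field( wp_unslash( $_COOKIE['dokan_product_viewed'] ) ) ) );` together with `in_array( $post->ID, $dokan_viewed_products, true )`. load_views continues outside the hunk.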
26 changes: 19 additions & 7 deletions classes/seller-setup-wizard.php
Expand Up @@ -326,14 +326,20 @@ public function dokan_setup_store() {
* Save store options.
*/
public function dokan_setup_store_save() {
if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'dokan-seller-setup' ) ) {
if ( ! isset( $_POST['_wpnonce'] ) ) {
return;
}

$nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) );

if ( ! wp_verify_nonce( $nonce, 'dokan-seller-setup' ) ) {
return;
}

$dokan_settings = $this->store_info;

$dokan_settings['store_ppp'] = absint( $_POST['store_ppp'] );
$dokan_settings['address'] = isset( $_POST['address'] ) ? $_POST['address'] : [];
$dokan_settings['store_ppp'] = isset( $_POST['store_ppp'] ) ? absint( sanitize_text_field( wp_unslash( $_POST['store_ppp'] ) ) ) : '';
$dokan_settings['address'] = isset( $_POST['address'] ) ? sanitize_text_field( wp_unslash( $_POST['address'] ) ) : [];
$dokan_settings['show_email'] = isset( $_POST['show_email'] ) ? 'yes' : 'no';

update_user_meta( $this->store_id, 'dokan_profile_settings', $dokan_settings );
Expand Down Expand Up @@ -389,14 +395,20 @@ public function dokan_setup_payment() {
* Save payment options.
*/
public function dokan_setup_payment_save() {
if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'dokan-seller-setup' ) ) {
if ( ! isset( $_POST['_wpnonce'] ) ) {
return;
}

$nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) );

if ( ! wp_verify_nonce( $nonce, 'dokan-seller-setup' ) ) {
return;
}

$dokan_settings = $this->store_info;

if ( isset( $_POST['settings']['bank'] ) ) {
$bank = $_POST['settings']['bank'];
$bank = array_map( 'sanitize_text_field', array_map( 'wp_unslash', $_POST['settings']['bank'] ) );

$dokan_settings['payment']['bank'] = array(
'ac_name' => sanitize_text_field( $bank['ac_name'] ),
Expand All @@ -411,13 +423,13 @@ public function dokan_setup_payment_save() {

if ( isset( $_POST['settings']['paypal'] ) ) {
$dokan_settings['payment']['paypal'] = array(
'email' => filter_var( $_POST['settings']['paypal']['email'], FILTER_VALIDATE_EMAIL )
'email' => filter_var( sanitize_text_field( wp_unslash( $_POST['settings']['paypal']['email'] ) ), FILTER_VALIDATE_EMAIL )
);
}

if ( isset( $_POST['settings']['skrill'] ) ) {
$dokan_settings['payment']['skrill'] = array(
'email' => filter_var( $_POST['settings']['skrill']['email'], FILTER_VALIDATE_EMAIL )
'email' => filter_var( sanitize_text_field( wp_unslash( $_POST['settings']['skrill']['email'] ) ), FILTER_VALIDATE_EMAIL )
);
}

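Review bot: The new `paypal` and `skrill` email lines in dokan_setup_payment_save read `$_POST['settings']['paypal']['email']` without an `isset()` on the nested key, so a `settings[paypal]` array lacking `email` reaches `wp_unslash( null )`, and when validation fails `filter_var()` yields `false`, which is what gets stored as the email. Something like `$paypal_email = isset( $_POST['settings']['paypal']['email'] ) ? sanitize_email( wp_unslash( $_POST['settings']['paypal']['email'] ) ) : '';` followed by `'email' => filter_var( $paypal_email, FILTER_VALIDATE_EMAIL ) ? $paypal_email : ''` keeps the stored value a string (same for skrill), unless a consumer outside this hunk relies on the `false`. In dokan_setup_store_save, `store_ppp` now falls back to `''` where the old `absint()` produced `0`, so the stored type changes when the field is absent; `: 0` keeps it numeric. Both methods continue outside their hunks.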
15 changes: 9 additions & 6 deletions classes/template-orders.php
Expand Up @@ -73,8 +73,9 @@ public function order_main_content() {
$order_id = isset( $_GET['order_id'] ) ? intval( $_GET['order_id'] ) : 0;

if ( $order_id ) {
$_nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';

if ( wp_verify_nonce( $_REQUEST['_wpnonce'], 'dokan_view_order' ) && current_user_can( 'dokan_view_order' ) ) {
if ( wp_verify_nonce( $_nonce, 'dokan_view_order' ) && current_user_can( 'dokan_view_order' ) ) {
dokan_get_template_part( 'orders/details' );
} else {
dokan_get_template_part( 'global/dokan-error', '', array( 'deleted' => false, 'message' => __( 'You have no permission to view this order', 'dokan-lite' ) ) );
Expand Down Expand Up @@ -102,11 +103,13 @@ function handle_order_export() {
return;
}

if ( isset( $_POST['dokan_vendor_order_export_nonce'] ) && ! wp_verify_nonce( $_POST['dokan_vendor_order_export_nonce'], 'dokan_vendor_order_export_action' ) ) {
$post_data = wp_unslash( $_POST );

if ( isset( $post_data['dokan_vendor_order_export_nonce'] ) && ! wp_verify_nonce( sanitize_text_field( $post_data['dokan_vendor_order_export_nonce'] ), 'dokan_vendor_order_export_action' ) ) {
return;
}

if ( isset( $_POST['dokan_order_export_all'] ) ) {
if ( isset( $post_data['dokan_order_export_all'] ) ) {

$filename = "Orders-".time();
header( "Content-Type: application/csv; charset=" . get_option( 'blog_charset' ) );
Expand All @@ -117,14 +120,14 @@ function handle_order_export() {
exit();
}

if ( isset( $_POST['dokan_order_export_filtered'] ) ) {
if ( isset( $post_data['dokan_order_export_filtered'] ) ) {

$filename = "Orders-".time();
header( "Content-Type: application/csv; charset=" . get_option( 'blog_charset' ) );
header( "Content-Disposition: attachment; filename=$filename.csv" );

$order_date = ( isset( $_POST['order_date'] ) ) ? $_POST['order_date'] : NULL;
$order_status = ( isset( $_POST['order_status'] ) ) ? $_POST['order_status'] : 'all';
$order_date = ( isset( $post_data['order_date'] ) ) ? sanitize_text_field( $post_data['order_date'] ) : NULL;
$order_status = ( isset( $post_data['order_status'] ) ) ? sanitize_text_field( $post_data['order_status'] ) : 'all';

$user_orders = dokan_get_seller_orders( dokan_get_current_user_id(), $order_status, $order_date, 10000000, 0 );
dokan_order_csv_export( $user_orders );
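Review bot: The rewritten nonce guard in handle_order_export still has the form `isset( ... ) && ! wp_verify_nonce( ... )`, so a POST that simply omits `dokan_vendor_order_export_nonce` skips verification and falls through to the `dokan_order_export_all` / `dokan_order_export_filtered` branches below. Unless a guard above the hunk already requires that field, the condition should be `if ( ! isset( $post_data['dokan_vendor_order_export_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( $post_data['dokan_vendor_order_export_nonce'] ), 'dokan_vendor_order_export_action' ) ) {`. handle_order_export starts before the hunk.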
24 changes: 12 additions & 12 deletions classes/template-products.php
Expand Up @@ -199,21 +199,21 @@ function handle_product_add() {
return;
}

if ( ! wp_verify_nonce( $_POST['dokan_add_new_product_nonce'], 'dokan_add_new_product' ) ) {
$postdata = wp_unslash( $_POST );

if ( ! wp_verify_nonce( sanitize_text_field( $postdata['dokan_add_new_product_nonce'] ), 'dokan_add_new_product' ) ) {
return;
}

$errors = array();
$postdata = $_POST;

$errors = array();
self::$product_cat = -1;
self::$post_content = __( 'Details of your product ...', 'dokan-lite' );

if ( isset( $postdata['add_product'] ) ) {
$post_title = trim( $postdata['post_title'] );
$post_content = trim( $postdata['post_content'] );
$post_excerpt = trim( $postdata['post_excerpt'] );
$featured_image = absint( $postdata['feat_image_id'] );
$post_title = trim( sanitize_text_field( $postdata['post_title'] ) );
$post_content = trim( sanitize_text_field( $postdata['post_content'] ) );
$post_excerpt = trim( sanitize_text_field( $postdata['post_excerpt'] ) );
$featured_image = absint( sanitize_text_field( $postdata['feat_image_id'] ) );

if ( empty( $post_title ) ) {
$errors[] = __( 'Please enter product title', 'dokan-lite' );
Expand Down Expand Up @@ -357,13 +357,13 @@ public function handle_product_update() {
return;
}

if ( ! wp_verify_nonce( $_POST['dokan_edit_product_nonce'], 'dokan_edit_product' ) ) {
$postdata = wp_unslash( $_POST );

if ( ! wp_verify_nonce( sanitize_text_field( $postdata['dokan_edit_product_nonce'] ), 'dokan_edit_product' ) ) {
return;
}

$errors = array();
$postdata = $_POST;

$errors = array();
$post_title = trim( $postdata['post_title'] );

if ( empty( $post_title ) ) {
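Review bot: `sanitize_text_field()` strips every HTML tag and collapses line breaks, so the new `$post_content` and `$post_excerpt` lines in handle_product_add will flatten a formatted product description to a single line of plain text; `wp_kses_post()` is the sanitizer for post content, as add_order_note in classes/ajax.php already uses: `$post_content = trim( wp_kses_post( $postdata['post_content'] ) );` and `$post_excerpt = trim( wp_kses_post( $postdata['post_excerpt'] ) );`. In both hunks the nonce key is read without `isset()`, so a POST without it reaches `sanitize_text_field( null )` before wp_verify_nonce fails; an `isset()` check first, as dokan_setup_store_save does, avoids the notice. handle_product_update still leaves `$post_title` unsanitized on the unchanged line below, unlike handle_product_add. Both functions start before their hunks and continue after.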
56 changes: 34 additions & 22 deletions includes/functions.php
Expand Up @@ -187,12 +187,14 @@ function dokan_delete_product_handler() {
if ( isset( $_GET['action'] ) && $_GET['action'] == 'dokan-delete-product' ) {
$product_id = isset( $_GET['product_id'] ) ? (int) $_GET['product_id'] : 0;

$getdata = wp_unslash( $_GET );

if ( !$product_id ) {
wp_redirect( add_query_arg( array( 'message' => 'error' ), dokan_get_navigation_url( 'products' ) ) );
return;
}

if ( !wp_verify_nonce( $_GET['_wpnonce'], 'dokan-delete-product' ) ) {
if ( !wp_verify_nonce( $getdata['_wpnonce'], 'dokan-delete-product' ) ) {
wp_redirect( add_query_arg( array( 'message' => 'error' ), dokan_get_navigation_url( 'products' ) ) );
return;
}
Expand Down Expand Up @@ -609,18 +611,20 @@ function dokan_get_new_post_status() {
function dokan_get_client_ip() {
$ipaddress = '';

if ( isset($_SERVER['HTTP_CLIENT_IP'] ) ) {
$ipaddress = $_SERVER['HTTP_CLIENT_IP'];
} else if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
$ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else if ( isset( $_SERVER['HTTP_X_FORWARDED'] ) ) {
$ipaddress = $_SERVER['HTTP_X_FORWARDED'];
} else if ( isset( $_SERVER['HTTP_FORWARDED_FOR'] ) ) {
$ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
} else if ( isset( $_SERVER['HTTP_FORWARDED'] ) ) {
$ipaddress = $_SERVER['HTTP_FORWARDED'];
} else if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
$ipaddress = $_SERVER['REMOTE_ADDR'];
$_server = wp_unslash( $_SERVER );

if ( isset( $_server['HTTP_CLIENT_IP'] ) ) {
$ipaddress = $_server['HTTP_CLIENT_IP'];
} else if ( isset( $_server['HTTP_X_FORWARDED_FOR'] ) ) {
$ipaddress = $_server['HTTP_X_FORWARDED_FOR'];
} else if ( isset( $_server['HTTP_X_FORWARDED'] ) ) {
$ipaddress = $_server['HTTP_X_FORWARDED'];
} else if ( isset( $_server['HTTP_FORWARDED_FOR'] ) ) {
$ipaddress = $_server['HTTP_FORWARDED_FOR'];
} else if ( isset( $_server['HTTP_FORWARDED'] ) ) {
$ipaddress = $_server['HTTP_FORWARDED'];
} else if ( isset( $_server['REMOTE_ADDR'] ) ) {
$ipaddress = $_server['REMOTE_ADDR'];
} else {
$ipaddress = 'UNKNOWN';
}
Expand Down Expand Up @@ -799,12 +803,13 @@ function dokan_get_product_types( $status = '' ) {
*/
function dokan_posted_input( $key, $array = false ) {

$postdata = wp_unslash( $_POST );
//If array value is submitted return array
if ( $array && isset( $_POST[$key] ) ) { // WPCS: CSRF ok.
return $_POST[$key]; // WPCS: CSRF ok.
if ( $array && isset( $postdata[$key] ) ) { // WPCS: CSRF ok.
return $postdata[$key]; // WPCS: CSRF ok.
}

$value = isset( $_POST[$key] ) ? trim( $_POST[$key] ) : ''; // WPCS: CSRF ok.
$value = isset( $postdata[$key] ) ? trim( $postdata[$key] ) : ''; // WPCS: CSRF ok.
return esc_attr( $value );
}

Expand All @@ -815,7 +820,8 @@ function dokan_posted_input( $key, $array = false ) {
* @return string
*/
function dokan_posted_textarea( $key ) {
$value = isset( $_POST[$key] ) ? trim( $_POST[$key] ) : ''; // WPCS: CSRF ok.
$postdata = wp_unslash( $_POST );
$value = isset( $postdata[$key] ) ? trim( $postdata[$key] ) : ''; // WPCS: CSRF ok.

return esc_textarea( $value );
}
Expand Down Expand Up @@ -1603,7 +1609,9 @@ function dokan_filter_orders_for_current_vendor( $args, $query ) {

if ( current_user_can( 'manage_woocommerce' ) ) {
if ( ! empty( $_GET['vendor_id'] ) ) {
$vendor_id = $_GET['vendor_id'];
$getdata = wp_unslash( $_GET );

$vendor_id = wc_clean( $getdata['vendor_id'] );
$args['join'] .= " LEFT JOIN {$wpdb->prefix}dokan_orders as do ON $wpdb->posts.ID=do.order_id";
$args['where'] .= " AND do.seller_id=$vendor_id";
}
Expand Down Expand Up @@ -2013,12 +2021,14 @@ function dokan_product_listing_filter() {
function dokan_product_search_by_sku( $where ) {
global $pagenow, $wpdb, $wp;

if ( !isset( $_GET['product_search_name'] ) || empty( $_GET['product_search_name'] ) || ! isset( $_GET['dokan_product_search_nonce'] ) || ! wp_verify_nonce( $_GET['dokan_product_search_nonce'], 'dokan_product_search' ) ) {
$getdata = wp_unslash( $_GET );

if ( ! isset( $getdata['product_search_name'] ) || empty( $getdata['product_search_name'] ) || ! isset( $getdata['dokan_product_search_nonce'] ) || ! wp_verify_nonce( wc_clean( $getdata['dokan_product_search_nonce'] ), 'dokan_product_search' ) ) {
return $where;
}

$search_ids = array();
$terms = explode( ',', $_GET['product_search_name'] );
$terms = explode( ',', wc_clean( $getdata['product_search_name'] ) );

foreach ( $terms as $term ) {
if ( is_numeric( $term ) ) {
Expand Down Expand Up @@ -2296,8 +2306,10 @@ function dokan_after_login_redirect( $redirect_to, $user ) {
}
}

if ( isset( $_GET['redirect_to'] ) && !empty( $_GET['redirect_to'] ) ) {
$redirect_to = esc_url( $_GET['redirect_to'] );
$getdata = wp_unslash( $_GET );

if ( isset( $getdata['redirect_to'] ) && ! empty( $getdata['redirect_to'] ) ) {
$redirect_to = esc_url( $getdata['redirect_to'] );
}

return $redirect_to;
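Review bot: In dokan_filter_orders_for_current_vendor the new `$vendor_id = wc_clean( $getdata['vendor_id'] )` is still interpolated straight into SQL on the line below (`" AND do.seller_id=$vendor_id"`); wc_clean() only trims and strips tags, so it does not make the value safe for a query. Since a seller id is an integer, `$vendor_id = absint( $getdata['vendor_id'] );` with `$args['where'] .= $wpdb->prepare( ' AND do.seller_id = %d', $vendor_id );` closes the injection path rather than relying on the manage_woocommerce capability check alone. In dokan_delete_product_handler, `$getdata['_wpnonce']` is read without `isset()`, so a link missing the nonce raises a notice before wp_verify_nonce fails. Both functions continue outside their hunks.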