From 088a6ecd5255c144fed2134f9be4d29b25364b86 Mon Sep 17 00:00:00 2001 From: Saimon Sajjad Date: Fri, 14 Dec 2018 12:21:19 +0600 Subject: [PATCH] refactor: check data sanitization (#481) --- classes/ajax.php | 27 +++++++++------- classes/pageviews.php | 2 +- classes/seller-setup-wizard.php | 26 ++++++++++----- classes/template-orders.php | 15 +++++---- classes/template-products.php | 24 +++++++------- includes/functions.php | 56 ++++++++++++++++++++------------- includes/wc-functions.php | 30 +++++++++++------- includes/wc-template.php | 2 +- 8 files changed, 109 insertions(+), 73 deletions(-) diff --git a/classes/ajax.php b/classes/ajax.php index 6b33e331d6..57c4b57ea3 100755 --- a/classes/ajax.php +++ b/classes/ajax.php @@ -369,7 +369,7 @@ public function add_order_note() { check_ajax_referer( 'add-order-note', 'security' ); - if ( !is_user_logged_in() ) { + if ( ! is_user_logged_in() ) { die(-1); } if ( ! current_user_can( 'dokan_manage_order_note' ) ) { @@ -377,7 +377,7 @@ public function add_order_note() { } $post_id = isset( $_POST['post_id'] ) ? absint( sanitize_text_field( wp_unslash( $_POST['post_id'] ) ) ) : ''; - $note = wp_kses_post( trim( stripslashes( $_POST['note'] ) ) ); + $note = isset( $_POST['note'] ) ? wp_kses_post( trim( sanitize_text_field( wp_unslash( $_POST['note'] ) ) ) ) : ''; $note_type = isset( $_POST['note_type'] ) ? sanitize_text_field( wp_unslash( $_POST['note_type'] ) ) : ''; $is_customer_note = $note_type == 'customer' ? 1 : 0; 
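Review bot: In `add_order_note`, running the note through `sanitize_text_field()` before `wp_kses_post()` strips every tag and collapses newlines, so the outer `wp_kses_post()` has nothing left to filter and multi-line order notes are flattened into one line. The removed line's `wp_kses_post( trim( stripslashes( ... ) ) )` already limited the value to post-safe HTML, so one sanitizer suffices: `$note = isset( $_POST['note'] ) ? wp_kses_post( trim( wp_unslash( $_POST['note'] ) ) ) : '';` — or `sanitize_textarea_field()` if the intent is plain text that keeps its line breaks. The `absint( sanitize_text_field( ... ) )` on `post_id` in the same hunk is harmless, but `absint()` alone already yields a non-negative integer.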
@@ -570,16 +570,18 @@ public function crop_store_banner() { wp_send_json_error(); } - check_ajax_referer( 'image_editor-' . $_POST['id'], 'nonce' ); + $post_id = isset( $_POST['id'] ) ? sanitize_text_field( wp_unslash( $_POST['id'] ) ) : ''; + + check_ajax_referer( 'image_editor-' . $post_id, 'nonce' ); - $crop_details = $_POST['cropDetails']; + $crop_details = isset( $_POST['cropDetails'] ) ? sanitize_text_field( wp_unslash( $_POST['cropDetails'] ) ) : ''; $dimensions = $this->get_header_dimensions( array( 'height' => $crop_details['height'], 'width' => $crop_details['width'], ) ); - $attachment_id = absint( $_POST['id'] ); + $attachment_id = absint( $post_id ); $cropped = wp_crop_image( $attachment_id, @@ -622,9 +624,10 @@ public function crop_store_banner() { public function json_search_product() { check_ajax_referer( 'search-products', 'security' ); - $term = wc_clean( empty( $term ) ? stripslashes( $_GET['term'] ) : $term ); + $_term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : ''; + $term = wc_clean( empty( $term ) ? $_term : $term ); $include_variations = ! empty( $_GET['include_variations'] ) ? true : false; - $user_ids = ! empty( $_GET['user_ids'] ) ? $_GET['user_ids'] : false; + $user_ids = ! empty( $_GET['user_ids'] ) ? sanitize_text_field( wp_unslash( $_GET['user_ids'] ) ) : false; if ( empty( $term ) ) { wp_die(); 
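Review bot: `$crop_details` is still indexed as an array two lines later (`$crop_details['height']`, `$crop_details['width']`), but the new assignment passes `$_POST['cropDetails']` through `sanitize_text_field()`, which casts its argument to a string; an array becomes the literal string `Array` and the height/width lookups turn into string-offset reads, so the crop dimensions handed to `get_header_dimensions()` are wrong. Sanitize per element and reject the wrong shape the way the lines above already call `wp_send_json_error()`: `$crop_details = isset( $_POST['cropDetails'] ) && is_array( $_POST['cropDetails'] ) ? array_map( 'absint', wp_unslash( $_POST['cropDetails'] ) ) : array();` (use `sanitize_text_field` per element instead if any crop field is non-numeric). `crop_store_banner` starts before this hunk and continues past it.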
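Review bot: `$user_ids` is passed straight to `dokan_search_seller_products()`, and its plural name plus the `false` fallback suggest it can arrive as a list of IDs; `sanitize_text_field()` on an array yields the string `Array`, so a multi-vendor search would silently match nothing. `wc_clean()` recurses into arrays, so `$user_ids = ! empty( $_GET['user_ids'] ) ? wc_clean( wp_unslash( $_GET['user_ids'] ) ) : false;` keeps both shapes, and `array_map( 'absint', (array) wp_unslash( $_GET['user_ids'] ) )` would be stricter if the values are always IDs. Separately, `$term` is never assigned before `empty( $term ) ? $_term : $term`, so the ternary always picks `$_term` and the two lines collapse to `$term = wc_clean( $_term );`.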
@@ -633,15 +636,15 @@ public function json_search_product() { $ids = dokan_search_seller_products( $term, $user_ids, '', (bool) $include_variations ); if ( ! empty( $_GET['exclude'] ) ) { - $ids = array_diff( $ids, (array) $_GET['exclude'] ); + $ids = array_diff( $ids, (array) sanitize_text_field( wp_unslash( $_GET['exclude'] ) ) ); } if ( ! empty( $_GET['include'] ) ) { - $ids = array_intersect( $ids, (array) $_GET['include'] ); + $ids = array_intersect( $ids, (array) sanitize_text_field( wp_unslash( $_GET['include'] ) ) ); } if ( ! empty( $_GET['limit'] ) ) { - $ids = array_slice( $ids, 0, absint( $_GET['limit'] ) ); + $ids = array_slice( $ids, 0, absint( sanitize_text_field( wp_unslash( $_GET['limit'] ) ) ) ); } $product_objects = array_filter( array_map( 'wc_get_product', $ids ), 'dokan_products_array_filter_editable' ); @@ -668,7 +671,7 @@ public function dokan_json_search_vendor_customers() { wp_die( -1 ); } - $term = wc_clean( wp_unslash( $_GET['term'] ) ); + $term = isset( $_GET['term'] ) ? wc_clean( sanitize_text_field( wp_unslash( $_GET['term'] ) ) ) : ''; $exclude = array(); $limit = ''; @@ -702,7 +705,7 @@ public function dokan_json_search_vendor_customers() { $found_customers = array(); if ( ! empty( $_GET['exclude'] ) ) { - $ids = array_diff( $ids, (array) $_GET['exclude'] ); + $ids = array_diff( $ids, (array) sanitize_text_field( wp_unslash( $_GET['exclude'] ) ) ); } foreach ( $ids as $id ) { diff --git a/classes/pageviews.php b/classes/pageviews.php index 4bd6e816c6..cd67e4bd3d 100755 --- a/classes/pageviews.php +++ b/classes/pageviews.php @@ -38,7 +38,7 @@ public function load_views() { if ( empty( $_COOKIE['dokan_product_viewed'] ) ) { $dokan_viewed_products = array(); } else { - $dokan_viewed_products = (array) explode( ',', $_COOKIE['dokan_product_viewed'] ); + $dokan_viewed_products = (array) explode( ',', sanitize_text_field( wp_unslash( $_COOKIE['dokan_product_viewed'] ) ) ); } if ( ! in_array( $post->ID, $dokan_viewed_products ) ) { 
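Review bot: The `(array)` cast on `exclude` and `include` shows these parameters are expected to arrive as lists, but `sanitize_text_field()` now runs before the cast and stringifies an array to `Array`, so `array_diff()` stops removing anything and `array_intersect()` returns an empty set. Cast first, then sanitize each ID: `$ids = array_diff( $ids, array_map( 'absint', (array) wp_unslash( $_GET['exclude'] ) ) );` and the same for `include`; the `limit` line is fine. The `exclude` line in `dokan_json_search_vendor_customers` (the `@@ -702` hunk) has the identical problem.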
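Review bot: In `dokan_json_search_vendor_customers`, `wc_clean( sanitize_text_field( wp_unslash( $_GET['term'] ) ) )` sanitizes the same scalar twice — `wc_clean()` already applies `sanitize_text_field()` to each value — so `$term = isset( $_GET['term'] ) ? wc_clean( wp_unslash( $_GET['term'] ) ) : '';` is the equivalent single pass and matches how the rest of this file uses `wc_clean()`.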
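Review bot: In `load_views`, the cookie value is now unslashed and sanitized, but the tokens it yields are never validated as product IDs before the loose `in_array( $post->ID, ... )` on the last line, so empty strings or non-numeric tokens stay in the list and are presumably written back to the cookie further down (outside this hunk). `array_filter( array_map( 'absint', explode( ',', sanitize_text_field( wp_unslash( $_COOKIE['dokan_product_viewed'] ) ) ) ) )` keeps only positive integers, after which `in_array( $post->ID, $dokan_viewed_products, true )` can be strict.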
diff --git a/classes/seller-setup-wizard.php b/classes/seller-setup-wizard.php index 09a7bab36a..ff011d2e23 100644 --- a/classes/seller-setup-wizard.php +++ b/classes/seller-setup-wizard.php @@ -326,14 +326,20 @@ public function dokan_setup_store() { * Save store options. */ public function dokan_setup_store_save() { - if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'dokan-seller-setup' ) ) { + if ( ! isset( $_POST['_wpnonce'] ) ) { + return; + } + + $nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ); + + if ( ! wp_verify_nonce( $nonce, 'dokan-seller-setup' ) ) { return; } $dokan_settings = $this->store_info; - $dokan_settings['store_ppp'] = absint( $_POST['store_ppp'] ); - $dokan_settings['address'] = isset( $_POST['address'] ) ? $_POST['address'] : []; + $dokan_settings['store_ppp'] = isset( $_POST['store_ppp'] ) ? absint( sanitize_text_field( wp_unslash( $_POST['store_ppp'] ) ) ) : ''; + $dokan_settings['address'] = isset( $_POST['address'] ) ? sanitize_text_field( wp_unslash( $_POST['address'] ) ) : []; $dokan_settings['show_email'] = isset( $_POST['show_email'] ) ? 'yes' : 'no'; update_user_meta( $this->store_id, 'dokan_profile_settings', $dokan_settings ); @@ -389,14 +395,20 @@ public function dokan_setup_payment() { * Save payment options. */ public function dokan_setup_payment_save() { - if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'dokan-seller-setup' ) ) { + if ( ! isset( $_POST['_wpnonce'] ) ) { + return; + } + + $nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ); + + if ( ! wp_verify_nonce( $nonce, 'dokan-seller-setup' ) ) { return; } $dokan_settings = $this->store_info; if ( isset( $_POST['settings']['bank'] ) ) { - $bank = $_POST['settings']['bank']; + $bank = array_map( 'sanitize_text_field', array_map( 'wp_unslash', $_POST['settings']['bank'] ) ); $dokan_settings['payment']['bank'] = array( 'ac_name' => sanitize_text_field( $bank['ac_name'] ), 
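Review bot: `$dokan_settings['address']` falls back to `[]` and the removed line stored `$_POST['address']` as-is, so the field is an array of address parts; `sanitize_text_field()` casts it to the string `Array`, which is what `update_user_meta()` will now persist for every store saved through the wizard. Sanitize each part as the payment hunk in this file does for `$bank`: `$dokan_settings['address'] = isset( $_POST['address'] ) && is_array( $_POST['address'] ) ? array_map( 'sanitize_text_field', wp_unslash( $_POST['address'] ) ) : [];`. The `store_ppp` line falls back to `''` where `absint()` would give `0`; `0` keeps the setting numeric.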
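Review bot: `wp_unslash()` already walks arrays, so the inner `array_map( 'wp_unslash', ... )` on the `$bank` line is redundant, and the `sanitize_text_field( $bank['ac_name'] )` that follows re-sanitizes values the new line has just cleaned. `$bank = is_array( $_POST['settings']['bank'] ) ? array_map( 'sanitize_text_field', wp_unslash( $_POST['settings']['bank'] ) ) : array();` is enough, and the `is_array()` guard matters because `array_map()` on a scalar raises an error rather than returning an empty array. `dokan_setup_payment_save` continues past the hunk.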
@@ -411,13 +423,13 @@ public function dokan_setup_payment_save() { if ( isset( $_POST['settings']['paypal'] ) ) { $dokan_settings['payment']['paypal'] = array( - 'email' => filter_var( $_POST['settings']['paypal']['email'], FILTER_VALIDATE_EMAIL ) + 'email' => filter_var( sanitize_text_field( wp_unslash( $_POST['settings']['paypal']['email'] ) ), FILTER_VALIDATE_EMAIL ) ); } if ( isset( $_POST['settings']['skrill'] ) ) { $dokan_settings['payment']['skrill'] = array( - 'email' => filter_var( $_POST['settings']['skrill']['email'], FILTER_VALIDATE_EMAIL ) + 'email' => filter_var( sanitize_text_field( wp_unslash( $_POST['settings']['skrill']['email'] ) ), FILTER_VALIDATE_EMAIL ) ); } diff --git a/classes/template-orders.php b/classes/template-orders.php index 8d11183f0a..1db61c1a20 100644 --- a/classes/template-orders.php +++ b/classes/template-orders.php @@ -73,8 +73,9 @@ public function order_main_content() { $order_id = isset( $_GET['order_id'] ) ? intval( $_GET['order_id'] ) : 0; if ( $order_id ) { + $_nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; - if ( wp_verify_nonce( $_REQUEST['_wpnonce'], 'dokan_view_order' ) && current_user_can( 'dokan_view_order' ) ) { + if ( wp_verify_nonce( $_nonce, 'dokan_view_order' ) && current_user_can( 'dokan_view_order' ) ) { dokan_get_template_part( 'orders/details' ); } else { dokan_get_template_part( 'global/dokan-error', '', array( 'deleted' => false, 'message' => __( 'You have no permission to view this order', 'dokan-lite' ) ) ); 
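Review bot: The `isset()` guards check `$_POST['settings']['paypal']` and `$_POST['settings']['skrill']`, but the sanitized lines read one level deeper (`['email']`), so a submission that contains the section without an email field raises an undefined-index notice before `filter_var()` runs. Guard the key actually read and use WordPress's own email sanitizer ahead of the validation: `'email' => isset( $_POST['settings']['paypal']['email'] ) ? filter_var( sanitize_email( wp_unslash( $_POST['settings']['paypal']['email'] ) ), FILTER_VALIDATE_EMAIL ) : ''` (same for skrill). Note that `filter_var()` returns `false` for an invalid address and that `false` is stored into the settings array unchanged; that predates this commit.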
@@ -102,11 +103,13 @@ function handle_order_export() { return; } - if ( isset( $_POST['dokan_vendor_order_export_nonce'] ) && ! wp_verify_nonce( $_POST['dokan_vendor_order_export_nonce'], 'dokan_vendor_order_export_action' ) ) { + $post_data = wp_unslash( $_POST ); + + if ( isset( $post_data['dokan_vendor_order_export_nonce'] ) && ! wp_verify_nonce( sanitize_text_field( $post_data['dokan_vendor_order_export_nonce'] ), 'dokan_vendor_order_export_action' ) ) { return; } - if ( isset( $_POST['dokan_order_export_all'] ) ) { + if ( isset( $post_data['dokan_order_export_all'] ) ) { $filename = "Orders-".time(); header( "Content-Type: application/csv; charset=" . get_option( 'blog_charset' ) ); @@ -117,14 +120,14 @@ function handle_order_export() { exit(); } - if ( isset( $_POST['dokan_order_export_filtered'] ) ) { + if ( isset( $post_data['dokan_order_export_filtered'] ) ) { $filename = "Orders-".time(); header( "Content-Type: application/csv; charset=" . get_option( 'blog_charset' ) ); header( "Content-Disposition: attachment; filename=$filename.csv" ); - $order_date = ( isset( $_POST['order_date'] ) ) ? $_POST['order_date'] : NULL; - $order_status = ( isset( $_POST['order_status'] ) ) ? $_POST['order_status'] : 'all'; + $order_date = ( isset( $post_data['order_date'] ) ) ? sanitize_text_field( $post_data['order_date'] ) : NULL; + $order_status = ( isset( $post_data['order_status'] ) ) ? sanitize_text_field( $post_data['order_status'] ) : 'all'; $user_orders = dokan_get_seller_orders( dokan_get_current_user_id(), $order_status, $order_date, 10000000, 0 ); dokan_order_csv_export( $user_orders ); diff --git a/classes/template-products.php b/classes/template-products.php index fb3def0431..85140b2ea5 100644 --- a/classes/template-products.php +++ b/classes/template-products.php 
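Review bot: The nonce on the rewritten `if` line is only verified when `dokan_vendor_order_export_nonce` is present (`isset( ... ) && ! wp_verify_nonce( ... )`), so a POST that simply omits the field skips verification and reaches the `dokan_order_export_all` / `dokan_order_export_filtered` branches that stream the CSV. The commit unslashes the line but keeps the inverted condition; the guard should fail closed: `if ( ! isset( $post_data['dokan_vendor_order_export_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( $post_data['dokan_vendor_order_export_nonce'] ), 'dokan_vendor_order_export_action' ) ) { return; }`. The second hunk in this file (`order_date` / `order_status`) inherits whatever this guard lets through; `handle_order_export` starts before the hunk.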
@@ -199,21 +199,21 @@ function handle_product_add() { return; } - if ( ! wp_verify_nonce( $_POST['dokan_add_new_product_nonce'], 'dokan_add_new_product' ) ) { + $postdata = wp_unslash( $_POST ); + + if ( ! wp_verify_nonce( sanitize_text_field( $postdata['dokan_add_new_product_nonce'] ), 'dokan_add_new_product' ) ) { return; } - $errors = array(); - $postdata = $_POST; - + $errors = array(); self::$product_cat = -1; self::$post_content = __( 'Details of your product ...', 'dokan-lite' ); if ( isset( $postdata['add_product'] ) ) { - $post_title = trim( $postdata['post_title'] ); - $post_content = trim( $postdata['post_content'] ); - $post_excerpt = trim( $postdata['post_excerpt'] ); - $featured_image = absint( $postdata['feat_image_id'] ); + $post_title = trim( sanitize_text_field( $postdata['post_title'] ) ); + $post_content = trim( sanitize_text_field( $postdata['post_content'] ) ); + $post_excerpt = trim( sanitize_text_field( $postdata['post_excerpt'] ) ); + $featured_image = absint( sanitize_text_field( $postdata['feat_image_id'] ) ); if ( empty( $post_title ) ) { $errors[] = __( 'Please enter product title', 'dokan-lite' ); @@ -357,13 +357,13 @@ public function handle_product_update() { return; } - if ( ! wp_verify_nonce( $_POST['dokan_edit_product_nonce'], 'dokan_edit_product' ) ) { + $postdata = wp_unslash( $_POST ); + + if ( ! wp_verify_nonce( sanitize_text_field( $postdata['dokan_edit_product_nonce'] ), 'dokan_edit_product' ) ) { return; } - $errors = array(); - $postdata = $_POST; - + $errors = array(); $post_title = trim( $postdata['post_title'] ); if ( empty( $post_title ) ) { diff --git a/includes/functions.php b/includes/functions.php index 285e10c319..1b08c4ecb0 100755 --- a/includes/functions.php +++ b/includes/functions.php 
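Review bot: `sanitize_text_field()` on `post_content` and `post_excerpt` in `handle_product_add` strips every HTML tag and collapses line breaks, so a description entered in the product editor is saved as one flat line — a content regression rather than a sanitization gain. Use the post-content filter for the rich-text fields and keep the plain-text one for the title: `$post_content = trim( wp_kses_post( $postdata['post_content'] ) );` and `$post_excerpt = trim( wp_kses_post( $postdata['post_excerpt'] ) );`. `$postdata['dokan_add_new_product_nonce']` is also read without an `isset()`, so a form lacking the field logs a notice before `wp_verify_nonce()` rejects it; `isset( ... ) ? sanitize_text_field( ... ) : ''` avoids that. The function continues past the hunk.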
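Review bot: `$post_title = trim( $postdata['post_title'] );` in `handle_product_update` is left unsanitized while the sibling `handle_product_add` hunk above now applies `sanitize_text_field()` to the same field; the two paths should agree: `$post_title = trim( sanitize_text_field( $postdata['post_title'] ) );`. The nonce read on the new `wp_verify_nonce()` line has the same missing `isset()` as the add path. `handle_product_update` continues past the hunk.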
@@ -187,12 +187,14 @@ function dokan_delete_product_handler() { if ( isset( $_GET['action'] ) && $_GET['action'] == 'dokan-delete-product' ) { $product_id = isset( $_GET['product_id'] ) ? (int) $_GET['product_id'] : 0; + $getdata = wp_unslash( $_GET ); + if ( !$product_id ) { wp_redirect( add_query_arg( array( 'message' => 'error' ), dokan_get_navigation_url( 'products' ) ) ); return; } - if ( !wp_verify_nonce( $_GET['_wpnonce'], 'dokan-delete-product' ) ) { + if ( !wp_verify_nonce( $getdata['_wpnonce'], 'dokan-delete-product' ) ) { wp_redirect( add_query_arg( array( 'message' => 'error' ), dokan_get_navigation_url( 'products' ) ) ); return; } 
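Review bot: `$getdata['_wpnonce']` is read without an `isset()` on the new `wp_verify_nonce()` line; `wp_verify_nonce()` fails closed on `null`, so the missing-nonce request still redirects with `message=error`, but with an undefined-index notice on the way. `$nonce = isset( $getdata['_wpnonce'] ) ? sanitize_text_field( $getdata['_wpnonce'] ) : '';` ahead of the check removes the notice and matches the pattern the seller-setup-wizard hunks use. `$getdata = wp_unslash( $_GET )` is also computed before the `! $product_id` early return that does not use it; placing it after that return keeps the copy on the path that needs it.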
@@ -609,18 +611,20 @@ function dokan_get_new_post_status() { function dokan_get_client_ip() { $ipaddress = ''; - if ( isset($_SERVER['HTTP_CLIENT_IP'] ) ) { - $ipaddress = $_SERVER['HTTP_CLIENT_IP']; - } else if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { - $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR']; - } else if ( isset( $_SERVER['HTTP_X_FORWARDED'] ) ) { - $ipaddress = $_SERVER['HTTP_X_FORWARDED']; - } else if ( isset( $_SERVER['HTTP_FORWARDED_FOR'] ) ) { - $ipaddress = $_SERVER['HTTP_FORWARDED_FOR']; - } else if ( isset( $_SERVER['HTTP_FORWARDED'] ) ) { - $ipaddress = $_SERVER['HTTP_FORWARDED']; - } else if ( isset( $_SERVER['REMOTE_ADDR'] ) ) { - $ipaddress = $_SERVER['REMOTE_ADDR']; + $_server = wp_unslash( $_SERVER ); + + if ( isset( $_server['HTTP_CLIENT_IP'] ) ) { + $ipaddress = $_server['HTTP_CLIENT_IP']; + } else if ( isset( $_server['HTTP_X_FORWARDED_FOR'] ) ) { + $ipaddress = $_server['HTTP_X_FORWARDED_FOR']; + } else if ( isset( $_server['HTTP_X_FORWARDED'] ) ) { + $ipaddress = $_server['HTTP_X_FORWARDED']; + } else if ( isset( $_server['HTTP_FORWARDED_FOR'] ) ) { + $ipaddress = $_server['HTTP_FORWARDED_FOR']; + } else if ( isset( $_server['HTTP_FORWARDED'] ) ) { + $ipaddress = $_server['HTTP_FORWARDED']; + } else if ( isset( $_server['REMOTE_ADDR'] ) ) { + $ipaddress = $_server['REMOTE_ADDR']; } else { $ipaddress = 'UNKNOWN'; } @@ -799,12 +803,13 @@ function dokan_get_product_types( $status = '' ) { */ function dokan_posted_input( $key, $array = false ) { + $postdata = wp_unslash( $_POST ); //If array value is submitted return array - if ( $array && isset( $_POST[$key] ) ) { // WPCS: CSRF ok. - return $_POST[$key]; // WPCS: CSRF ok. + if ( $array && isset( $postdata[$key] ) ) { // WPCS: CSRF ok. + return $postdata[$key]; // WPCS: CSRF ok. } - $value = isset( $_POST[$key] ) ? trim( $_POST[$key] ) : ''; // WPCS: CSRF ok. + $value = isset( $postdata[$key] ) ? trim( $postdata[$key] ) : ''; // WPCS: CSRF ok. return esc_attr( $value ); } 
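Review bot: `dokan_get_client_ip()` still prefers `HTTP_CLIENT_IP`, `HTTP_X_FORWARDED_FOR` and the other forwarding headers over `REMOTE_ADDR`; those are request headers, so anywhere the site is not behind a proxy that overwrites them, whatever callers log or throttle on is chosen by the client. The commit only unslashes the values, and nothing validates the result as an address (`X-Forwarded-For` may also carry a comma-separated list). At minimum validate what is chosen — `$ipaddress = filter_var( trim( explode( ',', $ipaddress )[0] ), FILTER_VALIDATE_IP ) ?: 'UNKNOWN';` before the return — and consider honouring the forwarding headers only when `REMOTE_ADDR` is a known proxy. The function's return is outside the hunk.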
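Review bot: The `$array` branch of `dokan_posted_input()` still returns `$postdata[$key]` with no sanitization, so array-valued fields reach callers raw even after this commit; `wc_clean( $postdata[$key] )` would bring it in line with the scalar branch, provided no caller depends on the raw values. The scalar branch calls `trim()` on the value, which warns when an array is submitted for a key the caller treats as scalar; an `is_array()` check covers that. `wp_unslash( $_POST )` also copies the whole request on every call, where `wp_unslash( $_POST[$key] )` is equivalent and cheaper.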
@@ -815,7 +820,8 @@ function dokan_posted_input( $key, $array = false ) { * @return string */ function dokan_posted_textarea( $key ) { - $value = isset( $_POST[$key] ) ? trim( $_POST[$key] ) : ''; // WPCS: CSRF ok. + $postdata = wp_unslash( $_POST ); + $value = isset( $postdata[$key] ) ? trim( $postdata[$key] ) : ''; // WPCS: CSRF ok. return esc_textarea( $value ); } @@ -1603,7 +1609,9 @@ function dokan_filter_orders_for_current_vendor( $args, $query ) { if ( current_user_can( 'manage_woocommerce' ) ) { if ( ! empty( $_GET['vendor_id'] ) ) { - $vendor_id = $_GET['vendor_id']; + $getdata = wp_unslash( $_GET ); + + $vendor_id = wc_clean( $getdata['vendor_id'] ); $args['join'] .= " LEFT JOIN {$wpdb->prefix}dokan_orders as do ON $wpdb->posts.ID=do.order_id"; $args['where'] .= " AND do.seller_id=$vendor_id"; } @@ -2013,12 +2021,14 @@ function dokan_product_listing_filter() { function dokan_product_search_by_sku( $where ) { global $pagenow, $wpdb, $wp; - if ( !isset( $_GET['product_search_name'] ) || empty( $_GET['product_search_name'] ) || ! isset( $_GET['dokan_product_search_nonce'] ) || ! wp_verify_nonce( $_GET['dokan_product_search_nonce'], 'dokan_product_search' ) ) { + $getdata = wp_unslash( $_GET ); + + if ( ! isset( $getdata['product_search_name'] ) || empty( $getdata['product_search_name'] ) || ! isset( $getdata['dokan_product_search_nonce'] ) || ! wp_verify_nonce( wc_clean( $getdata['dokan_product_search_nonce'] ), 'dokan_product_search' ) ) { return $where; } $search_ids = array(); - $terms = explode( ',', $_GET['product_search_name'] ); + $terms = explode( ',', wc_clean( $getdata['product_search_name'] ) ); foreach ( $terms as $term ) { if ( is_numeric( $term ) ) { 
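Review bot: In `dokan_filter_orders_for_current_vendor`, `$vendor_id` is interpolated into SQL on the unchanged line below (`" AND do.seller_id=$vendor_id"`), and `wc_clean()` only strips tags and whitespace — it is not SQL escaping, so the value still reaches the query unescaped. The branch is gated by `manage_woocommerce`, which limits exposure but does not remove the defect. Since the field is an ID: `$vendor_id = absint( $getdata['vendor_id'] );` and `$args['where'] .= $wpdb->prepare( ' AND do.seller_id = %d', $vendor_id );`.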
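Review bot: `! isset( $getdata['product_search_name'] ) || empty( $getdata['product_search_name'] )` in `dokan_product_search_by_sku` is redundant, since `empty()` is already true for an unset key; the guard reads as `if ( empty( $getdata['product_search_name'] ) || empty( $getdata['dokan_product_search_nonce'] ) || ! wp_verify_nonce( wc_clean( $getdata['dokan_product_search_nonce'] ), 'dokan_product_search' ) )`. The exploded terms are folded into `$where` further down, outside this hunk; `wc_clean()` is not SQL escaping, so the non-numeric branch should be going through `$wpdb->prepare()` / `$wpdb->esc_like()` — worth confirming, as only the `is_numeric()` test is visible here.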
@@ -2296,8 +2306,10 @@ function dokan_after_login_redirect( $redirect_to, $user ) { } } - if ( isset( $_GET['redirect_to'] ) && !empty( $_GET['redirect_to'] ) ) { - $redirect_to = esc_url( $_GET['redirect_to'] ); + $getdata = wp_unslash( $_GET ); + + if ( isset( $getdata['redirect_to'] ) && ! empty( $getdata['redirect_to'] ) ) { + $redirect_to = esc_url( $getdata['redirect_to'] ); } return $redirect_to; diff --git a/includes/wc-functions.php b/includes/wc-functions.php index f83b526e9c..82ceae6fa9 100755 --- a/includes/wc-functions.php +++ b/includes/wc-functions.php @@ -810,11 +810,15 @@ function dokan_filter_woocommerce_dashboard_status_widget_sales_query( $query ) */ function dokan_save_account_details(){ - if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) { + $_server = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) : ''; + + if ( 'POST' !== strtoupper( $_server ) ) { return; } - if ( empty( $_POST['_wpnonce'] ) || !wp_verify_nonce( $_POST['_wpnonce'], 'dokan_save_account_details' ) ) { + $postdata = wp_unslash( $_POST ); + + if ( empty( $postdata['_wpnonce'] ) || ! wp_verify_nonce( $postdata['_wpnonce'], 'dokan_save_account_details' ) ) { return; } 
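Review bot: `esc_url()` only normalises the URL; it does not restrict the destination, so `dokan_after_login_redirect` returns any host given in `redirect_to` as the post-login target. If this is hooked to core's `login_redirect`, wp-login.php routes the result through `wp_safe_redirect()`, which covers that path, but other consumers of the filter may not; `$redirect_to = wp_validate_redirect( esc_url_raw( $getdata['redirect_to'] ), $redirect_to );` confines it to the site and its allowed hosts regardless of caller. The `isset( ... ) && ! empty( ... )` pair is redundant — `! empty()` alone suffices.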
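Review bot: `$_server` in `dokan_save_account_details` holds only the sanitized `REQUEST_METHOD`, so the name suggests a copy of the superglobal that it is not; `$request_method` reads correctly at the `'POST' !== strtoupper( ... )` comparison. The nonce line is fine: `empty()` guards the key before `wp_verify_nonce()` sees it. The function continues in the next hunk.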
@@ -828,12 +832,12 @@ function dokan_save_account_details(){ return; } - $account_first_name = !empty( $_POST['account_first_name'] ) ? wc_clean( $_POST['account_first_name'] ) : ''; - $account_last_name = !empty( $_POST['account_last_name'] ) ? wc_clean( $_POST['account_last_name'] ) : ''; - $account_email = !empty( $_POST['account_email'] ) ? sanitize_email( $_POST['account_email'] ) : ''; - $pass_cur = !empty( $_POST['password_current'] ) ? $_POST['password_current'] : ''; - $pass1 = !empty( $_POST['password_1'] ) ? $_POST['password_1'] : ''; - $pass2 = !empty( $_POST['password_2'] ) ? $_POST['password_2'] : ''; + $account_first_name = !empty( $postdata['account_first_name'] ) ? wc_clean( $postdata['account_first_name'] ) : ''; + $account_last_name = !empty( $postdata['account_last_name'] ) ? wc_clean( $postdata['account_last_name'] ) : ''; + $account_email = !empty( $postdata['account_email'] ) ? sanitize_email( $postdata['account_email'] ) : ''; + $pass_cur = !empty( $postdata['password_current'] ) ? $postdata['password_current'] : ''; + $pass1 = !empty( $postdata['password_1'] ) ? $postdata['password_1'] : ''; + $pass2 = !empty( $postdata['password_2'] ) ? $postdata['password_2'] : ''; $save_pass = true; $user->first_name = $account_first_name; 
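Review bot: The three password reads (`password_current`, `password_1`, `password_2`) are correctly left without `wc_clean()` / `sanitize_text_field()` — any transformation would change the credential being verified or hashed — but nothing says so, and the next sanitization sweep is likely to "fix" them. Add a comment above `$pass_cur`: `// Passwords are intentionally only unslashed, never sanitized: the value compared/hashed must be exactly what the user typed.`. The name and email lines above them are cleaned, which is the right split.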
@@ -1060,16 +1064,18 @@ function dokan_bulk_order_status_change() { return; } - if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( $_POST['security'], 'bulk_order_status_change' ) ) { + $postdata = wp_unslash( $_POST ); + + if ( ! isset( $postdata['security'] ) || ! wp_verify_nonce( $postdata['security'], 'bulk_order_status_change' ) ) { return; } - if ( ! isset( $_POST['status'] ) || ! isset( $_POST['bulk_orders'] ) ) { + if ( ! isset( $postdata['status'] ) || ! isset( $postdata['bulk_orders'] ) ) { return; } - $status = $_POST['status']; - $orders = $_POST['bulk_orders']; + $status = $postdata['status']; + $orders = $postdata['bulk_orders']; // -1 means bluk action option value $excluded_status = array( '-1', 'cancelled', 'refunded' ); diff --git a/includes/wc-template.php b/includes/wc-template.php index a374687f65..49797e9c33 100755 --- a/includes/wc-template.php +++ b/includes/wc-template.php @@ -215,7 +215,7 @@ function dokan_save_quick_edit_vendor_data ( $product ) { } if ( isset( $_REQUEST['dokan_product_author_override'] ) ) { - $vendor_id = esc_attr( $_REQUEST['dokan_product_author_override'] ); + $vendor_id = sanitize_text_field( wp_unslash( $_REQUEST['dokan_product_author_override'] ) ); if ( ! $vendor_id ) { return;
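Review bot: `$status` and `$orders` are still assigned raw from `$postdata` after the nonce check, so this hunk only unslashes them; `$status` is compared against `$excluded_status` on the next line and presumably fed to the order update further down (outside the hunk), and `$orders` is presumably iterated as order IDs. `$status = sanitize_text_field( $postdata['status'] );` and `$orders = array_map( 'absint', (array) $postdata['bulk_orders'] );` pin both to the types the rest of `dokan_bulk_order_status_change` appears to expect.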
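Review bot: `dokan_product_author_override` is an author/user ID — the `if ( ! $vendor_id )` check right after treats it as one — so `sanitize_text_field()` is a weaker fit than `$vendor_id = absint( wp_unslash( $_REQUEST['dokan_product_author_override'] ) );`, which also makes the falsy check reject non-numeric input instead of passing an arbitrary string on to whatever `dokan_save_quick_edit_vendor_data` does with it past the hunk.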