fix: Fixes incorrect order of array_replace_recursive arguments & oth…

…er issues (#434) * fix: Fixes incorrect order of array_replace_recursive arguments & other issues * Fixes #433 * Fixes #432 * Fixes #431 * Further clean-up & standardization between object-cache.php & wp-redis.php. * Fixes incorrect order of array_replace_recursive arguments. * Addresses issue with port still not being null for socket connections due to defaults array_repalce_recursive use. * fix: Fixes sanitization methods and linting issues * Adjusts some items to use type-based sanitization. * Adds linting expection handling with comments for cases that require it. * fix: Removes invalid change made in #437 * Reverts this incorrect change that was made due to the incorrect use of `array_replace_recursive()`. * update changelog * Update wp-redis.php * update language in changelogs * fix missing closing ) --------- Co-authored-by: Chris Reynolds <[email protected]> Co-authored-by: Phil Tyler <[email protected]>
pantheon-systems · Jun 26, 2023 · 3c30e6f · 3c30e6f
1 parent 1d9bf7b
commit 3c30e6f
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -107,6 +107,9 @@ There's a known issue with WordPress `alloptions` cache design. Specifically, a
 ### 1.4.3-dev ###
 * Bug fix: Fixes assumption that CACHE_PORT & CACHE_PASSWORD are Set. [[428](https://github.com/pantheon-systems/wp-redis/pull/428)] (props @timnolte)
 * Adds WP.org validation GitHub action [[#435](https://github.com/pantheon-systems/wp-redis/pull/435)]
+* Bug fix: Fixes incorrect order of `array_replace_recursive` and other issues [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte)
+* Bug fix: Replace use of wp_strip_all_tags in object-cache.php [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte)
+* Bug fix: Don't strip tags from the cache password. [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte)
 
 ### 1.4.2 (May 15, 2023) ###
 * Bug fix: Removes exception loop caused by `esc_html` in `_exception_handler()` [[421](https://github.com/pantheon-systems/wp-redis/pull/421)]

diff --git a/object-cache.php b/object-cache.php
@@ -1247,10 +1247,14 @@ public function build_client_parameters( $redis_server ) {
 			// Attempt to automatically load Pantheon's Redis config from the env.
 			if ( isset( $_SERVER['CACHE_HOST'] ) ) {
 				$redis_server = [
-					'host' => wp_strip_all_tags( $_SERVER['CACHE_HOST'] ),
-					'port' => isset( $_SERVER['CACHE_PORT'] ) ? wp_strip_all_tags( $_SERVER['CACHE_PORT'] ) : $port,
-					'auth' => isset( $_SERVER['CACHE_PASSWORD'] ) ? wp_strip_all_tags( $_SERVER['CACHE_PASSWORD'] ) : null,
-					'database' => isset( $_SERVER['CACHE_DB'] ) ? wp_strip_all_tags( $_SERVER['CACHE_DB'] ) : $database,
+					// Don't use WP methods to sanitize the host due to plugin loading issues with other caching methods.
+					// @phpcs:ignore WordPressVIPMinimum.Functions.StripTags.StripTagsOneParameter,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+					'host' => strip_tags( $_SERVER['CACHE_HOST'] ),
+					'port' => ! empty( $_SERVER['CACHE_PORT'] ) ? intval( $_SERVER['CACHE_PORT'] ) : $port,
+					// Don't attempt to sanitize passwords as this can break authentication.
+					// @phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+					'auth' => ! empty( $_SERVER['CACHE_PASSWORD'] ) ? $_SERVER['CACHE_PASSWORD'] : null,
+					'database' => ! empty( $_SERVER['CACHE_DB'] ) ? intval( $_SERVER['CACHE_DB'] ) : $database,
 				];
 			} else {
 				$redis_server = [
@@ -1263,9 +1267,8 @@ public function build_client_parameters( $redis_server ) {
 
 		if ( file_exists( $redis_server['host'] ) && 'socket' === filetype( $redis_server['host'] ) ) { // unix socket connection.
 			// port must be null or socket won't connect.
+			unset( $redis_server['port'] );
 			$port = null;
-		} elseif ( ! empty( $redis_server['port'] ) ) { // tcp connection.
-			$port = $redis_server['port'];
 		}
 
 		$defaults = [
@@ -1277,7 +1280,7 @@ public function build_client_parameters( $redis_server ) {
 		// 1s timeout, 100ms delay between reconnections.
 
 		// merging the defaults with the original $redis_server enables any custom parameters to get sent downstream to the redis client.
-		return array_replace_recursive( $redis_server, $defaults );
+		return array_replace_recursive( $defaults, $redis_server );
 	}
 
 	/**

diff --git a/readme.txt b/readme.txt
@@ -105,6 +105,9 @@ There's a known issue with WordPress `alloptions` cache design. Specifically, a
 = 1.4.3-dev =
 * Bug fix: Fixes assumption that CACHE_PORT & CACHE_PASSWORD are Set. [[428](https://github.com/pantheon-systems/wp-redis/pull/428)] (props @tnolte)
 * Adds WP.org validation GitHub action [[#435](https://github.com/pantheon-systems/wp-redis/pull/435)]
+* Bug fix: Fixes incorrect order of `array_replace_recursive` and other issues [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte)
+* Bug fix: Replace use of wp_strip_all_tags in object-cache.php [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte)
+* Bug fix: Don't strip tags from the cache password. [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte)
 
 = 1.4.2 (May 15, 2023) =
 * Bug fix: Removes exception loop caused by `esc_html` in `_exception_handler()` [[421](https://github.com/pantheon-systems/wp-redis/pull/421)]

diff --git a/wp-redis.php b/wp-redis.php
@@ -35,21 +35,29 @@
  */
 function wp_redis_get_info() {
 	global $wp_object_cache, $redis_server;
+	// Default Redis port.
+	$port = 6379;
+	// Default Redis database number.
+	$database = 0;
 
 	if ( empty( $redis_server ) ) {
 		// Attempt to automatically load Pantheon's Redis config from the env.
 		if ( isset( $_SERVER['CACHE_HOST'] ) ) {
 			$redis_server = [
-				'host' => sanitize_text_field( $_SERVER['CACHE_HOST'] ),
-				'port' => isset( $_SERVER['CACHE_PORT'] ) ? sanitize_text_field( $_SERVER['CACHE_PORT'] ) : 6379,
-				'auth' => isset( $_SERVER['CACHE_PASSWORD'] ) ? sanitize_text_field( $_SERVER['CACHE_PASSWORD'] ) : null,
-				'database' => isset( $_SERVER['CACHE_DB'] ) ? sanitize_text_field( $_SERVER['CACHE_DB'] ) : 0,
+				// Don't use WP methods to sanitize the host due to plugin loading issues with other caching methods.
+				// @phpcs:ignore WordPressVIPMinimum.Functions.StripTags.StripTagsOneParameter,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+				'host' => strip_tags( $_SERVER['CACHE_HOST'] ),
+				'port' => ! empty( $_SERVER['CACHE_PORT'] ) ? intval( $_SERVER['CACHE_PORT'] ) : $port,
+				// Don't attempt to sanitize passwords as this can break authentication.
+				// @phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+				'auth' => ! empty( $_SERVER['CACHE_PASSWORD'] ) ? $_SERVER['CACHE_PASSWORD'] : null,
+				'database' => ! empty( $_SERVER['CACHE_DB'] ) ? intval( $_SERVER['CACHE_DB'] ) : $database,
 			];
 		} else {
 			$redis_server = [
 				'host' => '127.0.0.1',
-				'port' => 6379,
-				'database' => 0,
+				'port' => $port,
+				'database' => $database,
 			];
 		}
 	}
@@ -73,7 +81,9 @@ function wp_redis_get_info() {
 	} else {
 		$uptime_in_days .= ' days';
 	}
-	$database  = ! empty( $redis_server['database'] ) ? $redis_server['database'] : 0;
+	if ( ! empty( $redis_server['database'] ) ) {
+		$database = $redis_server['database'];
+	}
 	$key_count = 0;
 	if ( isset( $info[ 'db' . $database ] ) && preg_match( '#keys=([\d]+)#', $info[ 'db' . $database ], $matches ) ) {
 		$key_count = $matches[1];