From c3a5242bd2b06358caffdc3139a3f5571a2103f8 Mon Sep 17 00:00:00 2001 From: Tim Nolte Date: Fri, 23 Jun 2023 14:08:19 -0400 Subject: [PATCH] fix: Fixes incorrect order of array_replace_recursive arguments & other issues (#434) * fix: Fixes incorrect order of array_replace_recursive arguments & other issues * Fixes #433 * Fixes #432 * Fixes #431 * Further clean-up & standardization between object-cache.php & wp-redis.php. * Fixes incorrect order of array_replace_recursive arguments. * Addresses issue with port still not being null for socket connections due to defaults array_repalce_recursive use. * fix: Fixes sanitization methods and linting issues * Adjusts some items to use type-based sanitization. * Adds linting expection handling with comments for cases that require it. * fix: Removes invalid change made in #437 * Reverts this incorrect change that was made due to the incorrect use of `array_replace_recursive()`. * update changelog * Update wp-redis.php * update language in changelogs * fix missing closing ) --------- Co-authored-by: Chris Reynolds Co-authored-by: Phil Tyler --- README.md | 3 +++ object-cache.php | 17 ++++++++++------- readme.txt | 3 +++ wp-redis.php | 24 +++++++++++++++++------- 4 files changed, 33 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index e25712a..d245c43 100644 --- a/README.md +++ b/README.md @@ -107,6 +107,9 @@ There's a known issue with WordPress `alloptions` cache design. Specifically, a ### 1.4.3-dev ### * Bug fix: Fixes assumption that CACHE_PORT & CACHE_PASSWORD are Set. [[428](https://github.com/pantheon-systems/wp-redis/pull/428)] (props @timnolte) * Adds WP.org validation GitHub action [[#435](https://github.com/pantheon-systems/wp-redis/pull/435)] +* Bug fix: Fixes incorrect order of `array_replace_recursive` and other issues [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte) +* Bug fix: Replace use of wp_strip_all_tags in object-cache.php [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte) +* Bug fix: Don't strip tags from the cache password. [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte) ### 1.4.2 (May 15, 2023) ### * Bug fix: Removes exception loop caused by `esc_html` in `_exception_handler()` [[421](https://github.com/pantheon-systems/wp-redis/pull/421)] diff --git a/object-cache.php b/object-cache.php index 78b04fb..f2fd428 100644 --- a/object-cache.php +++ b/object-cache.php @@ -1247,10 +1247,14 @@ public function build_client_parameters( $redis_server ) { // Attempt to automatically load Pantheon's Redis config from the env. if ( isset( $_SERVER['CACHE_HOST'] ) ) { $redis_server = [ - 'host' => wp_strip_all_tags( $_SERVER['CACHE_HOST'] ), - 'port' => isset( $_SERVER['CACHE_PORT'] ) ? wp_strip_all_tags( $_SERVER['CACHE_PORT'] ) : $port, - 'auth' => isset( $_SERVER['CACHE_PASSWORD'] ) ? wp_strip_all_tags( $_SERVER['CACHE_PASSWORD'] ) : null, - 'database' => isset( $_SERVER['CACHE_DB'] ) ? wp_strip_all_tags( $_SERVER['CACHE_DB'] ) : $database, + // Don't use WP methods to sanitize the host due to plugin loading issues with other caching methods. + // @phpcs:ignore WordPressVIPMinimum.Functions.StripTags.StripTagsOneParameter,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized + 'host' => strip_tags( $_SERVER['CACHE_HOST'] ), + 'port' => ! empty( $_SERVER['CACHE_PORT'] ) ? intval( $_SERVER['CACHE_PORT'] ) : $port, + // Don't attempt to sanitize passwords as this can break authentication. + // @phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized + 'auth' => ! empty( $_SERVER['CACHE_PASSWORD'] ) ? $_SERVER['CACHE_PASSWORD'] : null, + 'database' => ! empty( $_SERVER['CACHE_DB'] ) ? intval( $_SERVER['CACHE_DB'] ) : $database, ]; } else { $redis_server = [ @@ -1263,9 +1267,8 @@ public function build_client_parameters( $redis_server ) { if ( file_exists( $redis_server['host'] ) && 'socket' === filetype( $redis_server['host'] ) ) { // unix socket connection. // port must be null or socket won't connect. + unset( $redis_server['port'] ); $port = null; - } elseif ( ! empty( $redis_server['port'] ) ) { // tcp connection. - $port = $redis_server['port']; } $defaults = [ @@ -1277,7 +1280,7 @@ public function build_client_parameters( $redis_server ) { // 1s timeout, 100ms delay between reconnections. // merging the defaults with the original $redis_server enables any custom parameters to get sent downstream to the redis client. - return array_replace_recursive( $redis_server, $defaults ); + return array_replace_recursive( $defaults, $redis_server ); } /** diff --git a/readme.txt b/readme.txt index 08fcb5b..8f25348 100644 --- a/readme.txt +++ b/readme.txt @@ -105,6 +105,9 @@ There's a known issue with WordPress `alloptions` cache design. Specifically, a = 1.4.3-dev = * Bug fix: Fixes assumption that CACHE_PORT & CACHE_PASSWORD are Set. [[428](https://github.com/pantheon-systems/wp-redis/pull/428)] (props @tnolte) * Adds WP.org validation GitHub action [[#435](https://github.com/pantheon-systems/wp-redis/pull/435)] +* Bug fix: Fixes incorrect order of `array_replace_recursive` and other issues [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte) +* Bug fix: Replace use of wp_strip_all_tags in object-cache.php [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte) +* Bug fix: Don't strip tags from the cache password. [[434](https://github.com/pantheon-systems/wp-redis/pull/434)] (props @timnolte) = 1.4.2 (May 15, 2023) = * Bug fix: Removes exception loop caused by `esc_html` in `_exception_handler()` [[421](https://github.com/pantheon-systems/wp-redis/pull/421)] diff --git a/wp-redis.php b/wp-redis.php index e420231..dde161f 100644 --- a/wp-redis.php +++ b/wp-redis.php @@ -35,21 +35,29 @@ */ function wp_redis_get_info() { global $wp_object_cache, $redis_server; + // Default Redis port. + $port = 6379; + // Default Redis database number. + $database = 0; if ( empty( $redis_server ) ) { // Attempt to automatically load Pantheon's Redis config from the env. if ( isset( $_SERVER['CACHE_HOST'] ) ) { $redis_server = [ - 'host' => sanitize_text_field( $_SERVER['CACHE_HOST'] ), - 'port' => isset( $_SERVER['CACHE_PORT'] ) ? sanitize_text_field( $_SERVER['CACHE_PORT'] ) : 6379, - 'auth' => isset( $_SERVER['CACHE_PASSWORD'] ) ? sanitize_text_field( $_SERVER['CACHE_PASSWORD'] ) : null, - 'database' => isset( $_SERVER['CACHE_DB'] ) ? sanitize_text_field( $_SERVER['CACHE_DB'] ) : 0, + // Don't use WP methods to sanitize the host due to plugin loading issues with other caching methods. + // @phpcs:ignore WordPressVIPMinimum.Functions.StripTags.StripTagsOneParameter,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized + 'host' => strip_tags( $_SERVER['CACHE_HOST'] ), + 'port' => ! empty( $_SERVER['CACHE_PORT'] ) ? intval( $_SERVER['CACHE_PORT'] ) : $port, + // Don't attempt to sanitize passwords as this can break authentication. + // @phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized + 'auth' => ! empty( $_SERVER['CACHE_PASSWORD'] ) ? $_SERVER['CACHE_PASSWORD'] : null, + 'database' => ! empty( $_SERVER['CACHE_DB'] ) ? intval( $_SERVER['CACHE_DB'] ) : $database, ]; } else { $redis_server = [ 'host' => '127.0.0.1', - 'port' => 6379, - 'database' => 0, + 'port' => $port, + 'database' => $database, ]; } } @@ -73,7 +81,9 @@ function wp_redis_get_info() { } else { $uptime_in_days .= ' days'; } - $database = ! empty( $redis_server['database'] ) ? $redis_server['database'] : 0; + if ( ! empty( $redis_server['database'] ) ) { + $database = $redis_server['database']; + } $key_count = 0; if ( isset( $info[ 'db' . $database ] ) && preg_match( '#keys=([\d]+)#', $info[ 'db' . $database ], $matches ) ) { $key_count = $matches[1];