fix: applying nonce right

openedx · Feb 2, 2024 · f7c9558 · f7c9558
1 parent 379aa87
commit f7c9558
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 17 deletions.
diff --git a/admin/class-openedx-commerce-admin.php b/admin/class-openedx-commerce-admin.php
@@ -232,7 +232,12 @@ public function add_openedx_course_product_type( $type_options ) {
 	 * @return void
 	 */
 	public function save_openedx_option( $post_id ) {
-		$openedx_course = isset( $_POST['is_openedx_course'] ) ? 'yes' : 'no';  // phpcs:ignore WordPress.Security.NonceVerification.Missing
+		if ( ! isset( $_POST['openedx_commerce_custom_product_nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_custom_product_nonce'] ) ), 'openedx_commerce_custom_product_nonce' )
+		) {
+			return;
+		}
+		$openedx_course = isset( $_POST['is_openedx_course'] ) ? 'yes' : 'no';
 		update_post_meta( $post_id, 'is_openedx_course', $openedx_course );
 	}
 
@@ -245,11 +250,11 @@ public function add_custom_product_fields() {
 
 		global $post;
 
-		$nonce = wp_create_nonce( 'openedx_commerce_admin' );
+		$nonce = wp_create_nonce( 'openedx_commerce_custom_product_nonce' );
 
 		echo '<div class="custom_options_group">';
 
-		echo '<input type="hidden" name="openedx_commerce_admin" value="<?php echo esc_attr($nonce); ?>">';
+		echo '<input type="hidden" name="openedx_commerce_custom_product_nonce" value="' . esc_attr($nonce) . '">';
 
 		woocommerce_wp_text_input(
 			array(
@@ -308,6 +313,7 @@ public function add_admin_order_item_values( $product, $item, $item_id = null )
 
 		// Check if the product has a non-empty "_course_id" metadata.
 		$course_id = '';
+		$nonce = wp_create_nonce( 'openedx_commerce_order_item_nonce' );
 
 		if ( $product ) {
 			$course_id    = get_post_meta( $product->get_id(), '_course_id', true );
@@ -321,7 +327,7 @@ public function add_admin_order_item_values( $product, $item, $item_id = null )
 			$order_url   = esc_url( admin_url( 'post.php?post=' . intval( $input_value ) . '&action=edit' ) );
 
 			$html_output  = '<td>';
-			$html_output .= '<input type="hidden" name="openedx_commerce_admin" value="<?php echo esc_attr($nonce); ?>">';
+			$html_output .= '<input type="hidden" name="openedx_commerce_order_item_nonce"  value="' . esc_attr($nonce) . '">';
 			$html_output .= '<input style="height:30px;" type="text" name="openedx_order_id_input' . esc_attr( $item_id ) . '" value="' . esc_attr( $input_value ) . '" pattern="\d*" />';
 			$html_output .= '<a href="' . $order_url . '" class="button" style="margin-left: 5px; vertical-align: bottom;' . ( $input_value ? '' : 'pointer-events: none; opacity: 0.6;' ) . '">View Request</a>';
 			$html_output .= '</td>';
@@ -370,8 +376,14 @@ public function save_order_meta_data( $order_id ) {
 
 		$items = wc_get_order( $order_id )->get_items();
 
+		if ( ! isset( $_POST['openedx_commerce_order_item_nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_order_item_nonce'] ) ), 'openedx_commerce_order_item_nonce' )
+		) {
+			return;
+		}
+
 		foreach ( $items as $item_id => $item ) {
-			if ( wp_verify_nonce( isset( $_POST[ 'openedx_order_id_input' . $item_id ] ), 'openedx_commerce_admin' ) ) {
+			if ( isset( $_POST[ 'openedx_order_id_input' . $item_id ] ) ) {
 				$input_value = sanitize_text_field( wp_unslash( $_POST[ 'openedx_order_id_input' . $item_id ] ) );
 				update_post_meta( $order_id, 'enrollment_id' . $item_id, $input_value );
 			}
@@ -386,8 +398,13 @@ public function save_order_meta_data( $order_id ) {
 	 * @since    1.1.1
 	 */
 	public function save_custom_product_fields( $post_id ) {
-		$course_id = isset( $_POST['_course_id'] ) ? wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_course_id'] ) ), 'openedx_commerce_admin' ) : '';
-		$mode      = isset( $_POST['_mode'] ) ? wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_mode'] ) ), 'openedx_commerce_admin' ) : '';
+		if ( ! isset( $_POST['openedx_commerce_custom_product_nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_custom_product_nonce'] ) ), 'openedx_commerce_custom_product_nonce' )
+		) {
+			return;
+		}
+		$course_id = isset( $_POST['_course_id'] ) ? sanitize_text_field( wp_unslash( $_POST['_course_id'] ) ) : '';
+		$mode      = isset( $_POST['_mode'] ) ? sanitize_text_field( wp_unslash( $_POST['_mode'] ) ) : '';
 
 		update_post_meta( $post_id, '_course_id', $course_id );
 		update_post_meta( $post_id, '_mode', $mode );

diff --git a/admin/views/class-openedx-commerce-enrollment-info-form.php b/admin/views/class-openedx-commerce-enrollment-info-form.php
@@ -93,15 +93,14 @@ public function render_enrollment_info_form( $post ) {
 			$openedx_new_enrollment = true;
 		}
 
-		$nonce = wp_create_nonce( 'openedx_commerce_enrollment_form' );
+		wp_nonce_field( 'openedx_commerce_enrollment_form', 'openedx_commerce_enrollment_form_nonce' );
 
 		?>
 		<div id="namediv" class="postbox">
 
 			<fieldset>
 				<h2 class="">Open edX enrollment request</h2>
 				<input type="hidden" name="openedx_new_enrollment" value="<?php echo wp_kses( $openedx_new_enrollment, array( 'true', 'false' ) ); ?>">
-				<input type="hidden" name="openedx_commerce_enrollment_form" value="<?php echo esc_attr( $nonce ); ?>">
 				<table class="form-table">
 					<tbody>
 						<tr>

diff --git a/admin/views/class-openedx-commerce-settings.php b/admin/views/class-openedx-commerce-settings.php
@@ -149,7 +149,13 @@ public function openedx_settings_init() {
 			'sanitize_text_field'
 		);
 
-		if ( wp_verify_nonce( isset( $_POST['generate_new_token'] ), 'openedx_commerce_new_token' ) ) {
+		if ( ! isset( $_POST['openedx_commerce_new_token_nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_new_token_nonce'] ) ), 'openedx_commerce_token' )
+		) {
+			return;
+		}
+
+		if ( isset( $_POST['generate_new_token'] ) ) {
 			$this->set_new_token();
 		}
 
@@ -188,7 +194,6 @@ public function set_new_token() {
 			$exp_date->add( new DateInterval( 'PT' . $exp_time . 'S' ) );
 			update_option( 'openedx-token-expiration-overlap', $exp_date );
 
-			$nonce = wp_create_nonce( 'openedx_commerce_new_token' );
 			update_option( 'openedx-jwt-token', $response_data['access_token'] );
 
 			set_transient( 'openedx_success_message', 'Token generated', 10 );
@@ -285,10 +290,11 @@ public function openedx_jwt_token_callback() {
 			$masked_value = '';
 		}
 
+		wp_nonce_field( 'openedx_commerce_token', 'openedx_commerce_new_token_nonce' );
+
 		?>
 
 		<div class="openedx-jwt-token-wrapper">
-			<input type="hidden" name="openedx_commerce_new_token" value="<?php echo esc_attr( $nonce ); ?>">
 
 			<input class="setting_input" class="openedx-jwt-token-input" type="text" name="openedx-jwt-token" id="openedx-jwt-token"
 				value="<?php echo esc_attr( $value ); ?>" hidden/>

diff --git a/includes/model/class-openedx-commerce-enrollment.php b/includes/model/class-openedx-commerce-enrollment.php
@@ -231,32 +231,38 @@ public function save_action( $post_id, $post ) {
 		$enrollment_arr    = array();
 		$enrollment_action = '';
 
+		if ( ! isset( $_POST['openedx_commerce_enrollment_form_nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_enrollment_form_nonce'] ) ), 'openedx_commerce_enrollment_form' )
+		) {
+			return;
+		}
+
 		if ( isset( $_POST['openedx_enrollment_course_id'] ) ) {
-			$enrollment_arr['openedx_enrollment_course_id'] = wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_course_id'] ) ), 'openedx_commerce_enrollment_form' );
+			$enrollment_arr['openedx_enrollment_course_id'] = sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_course_id'] ) );
 		} else {
 			$enrollment_arr['openedx_enrollment_course_id'] = sanitize_text_field( wp_unslash( '' ) );
 		}
 
 		if ( isset( $_POST['openedx_enrollment_email'] ) ) {
-			$enrollment_arr['openedx_enrollment_email'] = wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_email'] ) ), 'openedx_commerce_enrollment_form' );
+			$enrollment_arr['openedx_enrollment_email'] = sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_email'] ) );
 		} else {
 			$enrollment_arr['openedx_enrollment_email'] = sanitize_text_field( wp_unslash( '' ) );
 		}
 
 		if ( isset( $_POST['openedx_enrollment_mode'] ) ) {
-			$enrollment_arr['openedx_enrollment_mode'] = wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_mode'] ) ), 'openedx_commerce_enrollment_form' );
+			$enrollment_arr['openedx_enrollment_mode'] = sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_mode'] ) );
 		} else {
 			$enrollment_arr['openedx_enrollment_mode'] = sanitize_text_field( wp_unslash( '' ) );
 		}
 
 		if ( isset( $_POST['openedx_enrollment_request_type'] ) ) {
-			$enrollment_arr['openedx_enrollment_request_type'] = wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_request_type'] ) ), 'openedx_commerce_enrollment_form' );
+			$enrollment_arr['openedx_enrollment_request_type'] = sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_request_type'] ) );
 		} else {
 			$enrollment_arr['openedx_enrollment_request_type'] = sanitize_text_field( wp_unslash( '' ) );
 		}
 
 		if ( isset( $_POST['openedx_enrollment_order_id'] ) ) {
-			$enrollment_arr['openedx_enrollment_order_id'] = wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_order_id'] ) ), 'openedx_commerce_enrollment_form' );
+			$enrollment_arr['openedx_enrollment_order_id'] = sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_order_id'] ) );
 		} else {
 			$enrollment_arr['openedx_enrollment_order_id'] = sanitize_text_field( wp_unslash( '' ) );
 		}