apc: rework sanitization to not use WP functions (#240) (#241)

WordPress is not initialized when the APC proxy is called, so we must not rely on logic like wp_unslash(). Use filter_input to sanitize untrusted data and drop the unslashing, as it is not necessary in this place.
pluginkollektiv · Oct 28, 2021 · 22b637a · 22b637a
1 parent 0a12e6c
commit 22b637a
Showing 1 changed file with 8 additions and 10 deletions.
diff --git a/apc/proxy.php b/apc/proxy.php
@@ -23,12 +23,8 @@
  */
 function cachify_is_ssl() {
 	if ( isset( $_SERVER['HTTPS'] ) ) {
-		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-		if ( 'on' === strtolower( wp_unslash( $_SERVER['HTTPS'] ) ) ) {
-			return true;
-		}
-
-		if ( '1' === $_SERVER['HTTPS'] ) {
+		$https = filter_input( INPUT_SERVER, 'HTTPS', FILTER_SANITIZE_STRING );
+		if ( 'on' === strtolower( $https ) || '1' === $https ) {
 			return true;
 		}
 	} elseif ( isset( $_SERVER['SERVER_PORT'] ) && ( '443' === $_SERVER['SERVER_PORT'] ) ) {
@@ -44,11 +40,13 @@ function cachify_is_ssl() {
 	&& ( strpos( filter_input( INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_STRING ), '/wp-admin/' ) === false )
 	&& ( strpos( filter_input( INPUT_SERVER, 'HTTP_ACCEPT_ENCODING', FILTER_SANITIZE_STRING ), 'gzip' ) !== false )
 ) {
-	$prefix = cachify_is_ssl() ? 'https-' : '';
 	$cache = apc_fetch(
-		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.InputNotValidated
-		md5( $prefix . wp_unslash( $_SERVER['HTTP_HOST'] ) . wp_unslash( $_SERVER['REQUEST_URI'] ) )
-		. '.cachify'
+		md5(
+			( cachify_is_ssl() ? 'https-' : '' ) .
+			filter_input( INPUT_SERVER, 'HTTP_HOST', FILTER_SANITIZE_STRING ) .
+			filter_input( INPUT_SERVER, 'REQUEST_URI', FILTER_SANITIZE_URL )
+		) .
+		'.cachify'
 	);
 	if ( $cache ) {
 		ini_set( 'zlib.output_compression', 'Off' );