From 22b637a52eba8913fbf0c9d192796a5d5a328a10 Mon Sep 17 00:00:00 2001
From: Stefan Kalscheuer
Date: Wed, 27 Oct 2021 20:02:21 +0200
Subject: [PATCH] apc: rework sanitization to not use WP functions (#240) (#241)

WordPress is not initialized when the APC proxy is called, so we must not rely on logic like wp_unslash(). Use filter_input to sanitize untrusted data and drop the unslashing, as it is not necessary in this place.
---
 apc/proxy.php | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/apc/proxy.php b/apc/proxy.php
index e9449aa2..09e382fd 100644
--- a/apc/proxy.php
+++ b/apc/proxy.php
@@ -23,12 +23,8 @@
 */
 function cachify_is_ssl() {
 if ( isset( $_SERVER['HTTPS'] ) ) {
- // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
- if ( 'on' === strtolower( wp_unslash( $_SERVER['HTTPS'] ) ) ) {
- return true;
- }
-
- if ( '1' === $_SERVER['HTTPS'] ) {
+ $https = filter_input( INPUT_SERVER, 'HTTPS', FILTER_SANITIZE_STRING );
+ if ( 'on' === strtolower( $https ) || '1' === $https ) {
 return true;
 }
 } elseif ( isset( $_SERVER['SERVER_PORT'] ) && ( '443' === $_SERVER['SERVER_PORT'] ) ) {
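Review bot: In `cachify_is_ssl()` the guard tests `$_SERVER['HTTPS']` but the value is then read through `filter_input()`, which returns null or false when the filter extension does not see the variable, so `strtolower( $https )` can receive a non-string and the function would presumably report a TLS request as plain HTTP. The value is only compared with two literals, so sanitizing it adds nothing; I would read it raw and type-check it: `$https = filter_input( INPUT_SERVER, 'HTTPS', FILTER_UNSAFE_RAW );` and `if ( is_string( $https ) && ( 'on' === strtolower( $https ) || '1' === $https ) ) {`. `FILTER_SANITIZE_STRING` is also deprecated from PHP 8.1, which applies to the `HTTP_HOST` lookup in the second hunk as well. The function body continues past the end of this hunk.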
@@ -44,11 +40,13 @@ function cachify_is_ssl() { && ( strpos( filter_input( INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_STRING ), '/wp-admin/' ) === false ) && ( strpos( filter_input( INPUT_SERVER, 'HTTP_ACCEPT_ENCODING', FILTER_SANITIZE_STRING ), 'gzip' ) !== false ) ) { - $prefix = cachify_is_ssl() ? 'https-' : ''; $cache = apc_fetch( - // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.InputNotValidated - md5( $prefix . wp_unslash( $_SERVER['HTTP_HOST'] ) . wp_unslash( $_SERVER['REQUEST_URI'] ) ) - . '.cachify' + md5( + ( cachify_is_ssl() ? 'https-' : '' ) . + filter_input( INPUT_SERVER, 'HTTP_HOST', FILTER_SANITIZE_STRING ) . + filter_input( INPUT_SERVER, 'REQUEST_URI', FILTER_SANITIZE_URL ) + ) . + '.cachify' ); if ( $cache ) { ini_set( 'zlib.output_compression', 'Off' );
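Review bot: The cache key in the `apc_fetch()` call is now hashed from filtered values, and `FILTER_SANITIZE_URL` drops every byte outside its allowed set, so request URIs that differ only in those bytes hash to the same key and one could be answered with the entry cached for the other. The `md5()` output is already safe to use as a key, so filtering first gives no protection; the input only has to be byte-identical to what the code that stores the entry hashes, which is not visible in this diff and should be checked. I would hash the raw values instead: `filter_input( INPUT_SERVER, 'HTTP_HOST', FILTER_UNSAFE_RAW ) .` and `filter_input( INPUT_SERVER, 'REQUEST_URI', FILTER_UNSAFE_RAW )`. The enclosing `if` block starts before and ends after this hunk.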