Sanitize, validate, and escape $_POST, $_REQUEST & $_SERVER usage

buddypress · Apr 20, 2022 · 05559b2 · 05559b2
1 parent 9c18dc3
commit 05559b2
Show file tree

Hide file tree

Showing 8 changed files with 53 additions and 37 deletions.
diff --git a/inc/functions.php b/inc/functions.php
@@ -416,8 +416,9 @@ function is_login_page() {
 
 	if ( isset( $GLOBALS['pagenow'] ) && ( false !== strpos( $GLOBALS['pagenow'], 'wp-login.php' ) ) ) {
 		$is_login = true;
-	} elseif ( isset( $_SERVER['SCRIPT_NAME'] ) && false !== strpos( $_SERVER['SCRIPT_NAME'], 'wp-login.php' ) ) { // phpcs:ignore
-		$is_login = true;
+	} elseif ( isset( $_SERVER['SCRIPT_NAME'] ) ) {
+		$script_name = esc_url_raw( wp_unslash( $_SERVER['SCRIPT_NAME'] ) );
+		$is_login    = false !== strpos( $script_name, 'wp-login.php' );
 	}
 
 	return $is_login;

diff --git a/src/bp-core/admin/bp-core-admin-rewrites.php b/src/bp-core/admin/bp-core-admin-rewrites.php
@@ -272,12 +272,14 @@ function bp_core_admin_rewrites_setup_handler() {
 		wp_safe_redirect( add_query_arg( 'error', 'true', $base_url ) );
 	}
 
-	$directory_pages     = bp_core_get_directory_pages();
+	$directory_pages     = (array) bp_core_get_directory_pages();
 	$current_page_slugs  = wp_list_pluck( $directory_pages, 'slug', 'id' );
 	$current_page_titles = wp_list_pluck( $directory_pages, 'title', 'id' );
 	$reset_rewrites      = false;
 
-	$components = wp_unslash( $_POST['components'] ); // phpcs:ignore
+	// Data is sanitized inside the foreach loop.
+	$components = wp_unslash( $_POST['components'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+
 	foreach ( $components as $page_id => $posted_data ) {
 		$postarr = array();
 
@@ -287,21 +289,29 @@ function bp_core_admin_rewrites_setup_handler() {
 
 		$postarr['ID'] = $page_id;
 
-		if ( $current_page_titles[ $page_id ] !== $posted_data['post_title'] ) {
-			$postarr['post_title'] = $posted_data['post_title'];
+		if ( isset( $posted_data['post_title'] ) ) {
+			$post_title = sanitize_text_field( $posted_data['post_title'] );
+
+			if ( $current_page_titles[ $page_id ] !== $post_title ) {
+				$postarr['post_title'] = $post_title;
+			}
 		}
 
-		if ( $current_page_slugs[ $page_id ] !== $posted_data['post_name'] ) {
-			$reset_rewrites       = true;
-			$postarr['post_name'] = $posted_data['post_name'];
+		if ( isset( $posted_data['post_name'] ) ) {
+			$post_name = sanitize_text_field( $posted_data['post_name'] );
+
+			if ( $current_page_slugs[ $page_id ] !== $post_name ) {
+				$reset_rewrites       = true;
+				$postarr['post_name'] = $post_name;
+			}
 		}
 
 		if ( isset( $posted_data['_bp_component_slugs'] ) && is_array( $posted_data['_bp_component_slugs'] ) ) {
 			$postarr['meta_input']['_bp_component_slugs'] = array_map( 'sanitize_title', $posted_data['_bp_component_slugs'] );
 		}
 
 		if ( isset( $posted_data['_bp_component_slugs']['bp_group_create'] ) ) {
-			$new_current_group_create_slug    = $posted_data['_bp_component_slugs']['bp_group_create'];
+			$new_current_group_create_slug    = sanitize_text_field( $posted_data['_bp_component_slugs']['bp_group_create'] );
 			$current_group_create_custom_slug = '';
 
 			if ( isset( $directory_pages->groups->custom_slugs['bp_group_create'] ) ) {

diff --git a/src/bp-core/bp-core-catchuri.php b/src/bp-core/bp-core-catchuri.php
@@ -61,7 +61,7 @@ function bp_core_get_from_uri( $bp_global = array() ) {
 
 		// calculate the BuddyPress URI.
 	} elseif ( isset( $_SERVER['REQUEST_URI'] ) ) {
-		$requested_uri = esc_url( wp_unslash( $_SERVER['REQUEST_URI'] ) ); // phpcs:ignore
+		$requested_uri = esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
 
 		/**
 		 * Filters the BuddyPress global URI path.

diff --git a/src/bp-core/bp-core-template-loader.php b/src/bp-core/bp-core-template-loader.php
@@ -79,7 +79,7 @@ function bp_reset_query( $bp_request = '', \WP_Query $query = null ) {
 	// Back up request uri.
 	$reset_server_request_uri = '';
 	if ( isset( $_SERVER['REQUEST_URI'] ) ) {
-		$reset_server_request_uri = wp_unslash( $_SERVER['REQUEST_URI'] ); // phpcs:ignore
+		$reset_server_request_uri = esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
 	}
 
 	// Temporarly override it.

diff --git a/src/bp-core/bp-core-template.php b/src/bp-core/bp-core-template.php
@@ -25,8 +25,13 @@
  * @return mixed            The BuddyPress global value set using the BP Legacy URL parser.
  */
 function _was_called_too_early( $function, $bp_global ) {
-	$retval   = null;
-	$request  = wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ); // phpcs:ignore
+	$retval      = null;
+	$request_uri = '';
+	if ( isset( $_SERVER['REQUEST_URI'] ) ) {
+		$request_uri = esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
+	}
+
+	$request  = wp_parse_url( $request_uri, PHP_URL_PATH );
 	$is_admin = ( false !== strpos( $request, '/wp-admin' ) || is_admin() ) && ! wp_doing_ajax();
 
 	// The BP REST API needs more work.

diff --git a/src/bp-core/classes/class-core-component.php b/src/bp-core/classes/class-core-component.php
@@ -18,14 +18,17 @@ class Core_Component extends \BP_Core {
 	/**
 	 * Parse the WP_Query and eventually display the component's directory or single item.
 	 *
+	 * Search doesn't have an associated page, so we check for it separately.
+	 *
 	 * @since 1.0.0
 	 *
 	 * @param WP_Query $query Required. See BP_Component::parse_query() for
 	 *                        description.
 	 */
 	public function parse_query( $query ) {
-		// Search doesn't have an associated page, so we check for it separately.
-		if ( isset( $_POST['search-terms'] ) && $query->get( 'pagename' ) === bp_get_search_slug() ) { // phpcs:ignore
+		// phpcs:disable WordPress.Security.NonceVerification
+		if ( isset( $_POST['search-terms'] ) && $query->get( 'pagename' ) === bp_get_search_slug() ) {
+			// phpcs:enable WordPress.Security.NonceVerification
 			buddypress()->current_component = bp_get_search_slug();
 		}
 

diff --git a/src/bp-groups/actions/create.php b/src/bp-groups/actions/create.php
@@ -112,11 +112,9 @@ function groups_action_create_group() {
 				$new_group_id = $bp->groups->new_group_id;
 			}
 
-			// phpcs:disable WordPress.Security.ValidatedSanitizedInput
-			$new_group_name = wp_unslash( $_POST['group-name'] );
-			$new_group_slug = sanitize_title( esc_attr( $new_group_name ) );
-			$new_group_desc = wp_unslash( $_POST['group-desc'] );
-			// phpcs:enable WordPress.Security.ValidatedSanitizedInput
+			$new_group_name = sanitize_text_field( wp_unslash( $_POST['group-name'] ) );
+			$new_group_slug = sanitize_title( $new_group_name );
+			$new_group_desc = sanitize_textarea_field( wp_unslash( $_POST['group-desc'] ) );
 
 			$bp->groups->new_group_id = groups_create_group(
 				array(
@@ -143,15 +141,12 @@ function groups_action_create_group() {
 				$group_enable_forum = 0;
 			}
 
-			// phpcs:disable WordPress.Security.ValidatedSanitizedInput
 			if ( isset( $_POST['group-status'] ) ) {
-				if ( 'private' === wp_unslash( $_POST['group-status'] ) ) {
-					$group_status = 'private';
-				} elseif ( 'hidden' === wp_unslash( $_POST['group-status'] ) ) {
-					$group_status = 'hidden';
+				$posted_group_status = sanitize_text_field( wp_unslash( $_POST['group-status'] ) );
+				if ( 'private' === $posted_group_status || 'hidden' === $posted_group_status ) {
+					$group_status = $posted_group_status;
 				}
 			}
-			// phpcs:enable WordPress.Security.ValidatedSanitizedInput
 
 			$bp->groups->new_group_id = groups_create_group(
 				array(
@@ -362,13 +357,11 @@ function groups_action_create_group() {
 				'object'        => 'group',
 				'avatar_dir'    => 'group-avatars',
 				'item_id'       => $bp->groups->current_group->id,
-				// phpcs:disable WordPress.Security.ValidatedSanitizedInput
-				'original_file' => wp_unslash( $_POST['image_src'] ),
-				'crop_x'        => wp_unslash( $_POST['x'] ),
-				'crop_y'        => wp_unslash( $_POST['y'] ),
-				'crop_w'        => wp_unslash( $_POST['w'] ),
-				'crop_h'        => wp_unslash( $_POST['h'] ),
-				// phpcs:enable WordPress.Security.ValidatedSanitizedInput
+				'original_file' => esc_url_raw( wp_unslash( $_POST['image_src'] ) ),
+				'crop_x'        => ! isset( $_POST['x'] ) ? 0 : sanitize_text_field( wp_unslash( $_POST['x'] ) ),
+				'crop_y'        => ! isset( $_POST['y'] ) ? 0 : sanitize_text_field( wp_unslash( $_POST['y'] ) ),
+				'crop_w'        => ! isset( $_POST['w'] ) ? bp_core_avatar_full_width() : sanitize_text_field( wp_unslash( $_POST['w'] ) ),
+				'crop_h'        => ! isset( $_POST['h'] ) ? bp_core_avatar_full_height() : sanitize_text_field( wp_unslash( $_POST['h'] ) ),
 			);
 
 			$cropped_avatar = bp_core_avatar_handle_crop( $args, 'array' );

diff --git a/src/bp-groups/classes/class-bp-group-extension.php b/src/bp-groups/classes/class-bp-group-extension.php
@@ -549,9 +549,11 @@ public static function get_group_id() {
 			 * $_POST array
 			 * @todo Figure out why this is happening during group creation.
 			 */
-			if ( empty( $group_id ) && isset( $_POST['group_id'] ) ) { // phpcs:ignore
-				$group_id = (int) $_POST['group_id']; // phpcs:ignore
+			// phpcs:disable WordPress.Security.NonceVerification
+			if ( empty( $group_id ) && isset( $_POST['group_id'] ) ) {
+				$group_id = (int) sanitize_text_field( wp_unslash( $_POST['group_id'] ) );
 			}
+			// phpcs:enable WordPress.Security.NonceVerification
 
 			return $group_id;
 		}
@@ -1138,9 +1140,11 @@ public function call_edit_screen() {
 		 * @since 1.8.0
 		 */
 		public function call_edit_screen_save() {
-			if ( empty( $_POST ) ) { // phpcs:ignore
+			// phpcs:disable WordPress.Security.NonceVerification
+			if ( empty( $_POST ) ) {
 				return;
 			}
+			// phpcs:enable WordPress.Security.NonceVerification
 
 			/*
 			 * When DOING_AJAX, the POST global will be populated, but we