diff --git a/inc/functions.php b/inc/functions.php
index 09c580c..57eb16d 100644
--- a/inc/functions.php
+++ b/inc/functions.php
@@ -416,8 +416,9 @@ function is_login_page() {
 	if ( isset( $GLOBALS['pagenow'] ) && ( false !== strpos( $GLOBALS['pagenow'], 'wp-login.php' ) ) ) {
 		$is_login = true;
-	} elseif ( isset( $_SERVER['SCRIPT_NAME'] ) && false !== strpos( $_SERVER['SCRIPT_NAME'], 'wp-login.php' ) ) { // phpcs:ignore
-		$is_login = true;
+	} elseif ( isset( $_SERVER['SCRIPT_NAME'] ) ) {
+		$script_name = esc_url_raw( wp_unslash( $_SERVER['SCRIPT_NAME'] ) );
+		$is_login = false !== strpos( $script_name, 'wp-login.php' );
 	}
 
 	return $is_login;
diff --git a/src/bp-core/admin/bp-core-admin-rewrites.php b/src/bp-core/admin/bp-core-admin-rewrites.php
index eb5f2e6..9fcbd3f 100644
--- a/src/bp-core/admin/bp-core-admin-rewrites.php
+++ b/src/bp-core/admin/bp-core-admin-rewrites.php
@@ -272,12 +272,14 @@ function bp_core_admin_rewrites_setup_handler() {
 		wp_safe_redirect( add_query_arg( 'error', 'true', $base_url ) );
 	}
 
-	$directory_pages = bp_core_get_directory_pages();
+	$directory_pages = (array) bp_core_get_directory_pages();
 	$current_page_slugs = wp_list_pluck( $directory_pages, 'slug', 'id' );
 	$current_page_titles = wp_list_pluck( $directory_pages, 'title', 'id' );
 	$reset_rewrites = false;
 
-	$components = wp_unslash( $_POST['components'] ); // phpcs:ignore
+	// Data is sanitized inside the foreach loop.
+	$components = wp_unslash( $_POST['components'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+
 	foreach ( $components as $page_id => $posted_data ) {
 		$postarr = array();
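Review bot: The rewritten `elseif` branch keeps the loose substring test, so any script path that merely contains `wp-login.php` (a `wp-login.php.bak`, or a plugin path embedding that string) is still treated as the login page; since the line is being touched anyway, an exact basename match is the safer form, `$is_login = 'wp-login.php' === basename( $script_name );`. `esc_url_raw()` can return an empty string when it rejects the value, which the `strpos()` test handles correctly. The `$is_login` initialisation and the function's closing brace are presumably above and below the hunk.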
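Review bot: `$_POST['components']` is read without an `isset()`/`is_array()` guard, so a request missing it (or sending a scalar) reaches `foreach` with null or a string and emits a warning before the per-item sanitization the new comment promises ever runs; the loop sanitizes the values, but nothing checks the shape of the container. `$components = isset( $_POST['components'] ) && is_array( $_POST['components'] ) ? wp_unslash( $_POST['components'] ) : array();` keeps the phpcs annotation honest. Nonce and capability checks for this handler are presumably above the hunk, where the function starts.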
@@ -287,13 +289,21 @@ function bp_core_admin_rewrites_setup_handler() {
 		$postarr['ID'] = $page_id;
 
-		if ( $current_page_titles[ $page_id ] !== $posted_data['post_title'] ) {
-			$postarr['post_title'] = $posted_data['post_title'];
+		if ( isset( $posted_data['post_title'] ) ) {
+			$post_title = sanitize_text_field( $posted_data['post_title'] );
+
+			if ( $current_page_titles[ $page_id ] !== $post_title ) {
+				$postarr['post_title'] = $post_title;
+			}
 		}
 
-		if ( $current_page_slugs[ $page_id ] !== $posted_data['post_name'] ) {
-			$reset_rewrites = true;
-			$postarr['post_name'] = $posted_data['post_name'];
+		if ( isset( $posted_data['post_name'] ) ) {
+			$post_name = sanitize_text_field( $posted_data['post_name'] );
+
+			if ( $current_page_slugs[ $page_id ] !== $post_name ) {
+				$reset_rewrites = true;
+				$postarr['post_name'] = $post_name;
+			}
 		}
 
 		if ( isset( $posted_data['_bp_component_slugs'] ) && is_array( $posted_data['_bp_component_slugs'] ) ) {
@@ -301,7 +311,7 @@ function bp_core_admin_rewrites_setup_handler() {
 		}
 
 		if ( isset( $posted_data['_bp_component_slugs']['bp_group_create'] ) ) {
-			$new_current_group_create_slug = $posted_data['_bp_component_slugs']['bp_group_create'];
+			$new_current_group_create_slug = sanitize_text_field( $posted_data['_bp_component_slugs']['bp_group_create'] );
 			$current_group_create_custom_slug = '';
 
 			if ( isset( $directory_pages->groups->custom_slugs['bp_group_create'] ) ) {
diff --git a/src/bp-core/bp-core-catchuri.php b/src/bp-core/bp-core-catchuri.php
index bb81859..5d7b64f 100644
--- a/src/bp-core/bp-core-catchuri.php
+++ b/src/bp-core/bp-core-catchuri.php
@@ -61,7 +61,7 @@ function bp_core_get_from_uri( $bp_global = array() ) {
 		// calculate the BuddyPress URI.
 	} elseif ( isset( $_SERVER['REQUEST_URI'] ) ) {
-		$requested_uri = esc_url( wp_unslash( $_SERVER['REQUEST_URI'] ) ); // phpcs:ignore
+		$requested_uri = esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
 
 		/**
 		 * Filters the BuddyPress global URI path.
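Review bot: The new `isset()` guards cover the posted values but not the posted key: `$page_id` comes straight from `$_POST['components']`, is used to index `$current_page_titles`/`$current_page_slugs` (an undefined-index notice for an unknown id) and becomes `$postarr['ID']`, so an id that is not a directory page is handed to whatever update runs below and the form can retitle or reslug arbitrary posts; `if ( ! isset( $current_page_slugs[ $page_id ] ) ) { continue; }` at the top of the loop body confines the handler to the pages it manages. Separately, `sanitize_text_field()` does not slugify `post_name`, so a value like `My Page` never equals the stored slug and flips `$reset_rewrites` on every save; `sanitize_title()` is the sanitizer that matches what a slug is compared against. The loop opens in the previous hunk and the enclosing function continues outside this one.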
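Review bot: `isset( $directory_pages->groups->custom_slugs['bp_group_create'] )` can no longer be true once `$directory_pages` has been cast with `(array)` at the top of this function (the earlier hunk's `$directory_pages = (array) bp_core_get_directory_pages();`): property access on an array yields null, `isset()` swallows the warning, and the comparison with the current custom group-create slug is silently skipped. Keep the object and cast only where `wp_list_pluck()` needs an array, e.g. `$current_page_slugs = wp_list_pluck( (array) $directory_pages, 'slug', 'id' );`, or read it here as `$directory_pages['groups']->custom_slugs['bp_group_create']`. This assumes `bp_core_get_directory_pages()` returns an object, which the `->groups` access implies; the body of this `if` continues outside the hunk.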
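Review bot: The switch from `esc_url()` to `esc_url_raw()` is the right one here but deserves a comment, otherwise the next maintainer can easily "fix" it back for phpcs: `// Raw variant on purpose: this value is parsed for routing, and esc_url() would turn '&' into '&amp;' and break query-string parsing.` Note that `esc_url_raw()` still strips characters outside its allowed set and runs the `clean_url` filter, so `$requested_uri` may differ from what the server received; that is acceptable for routing but worth stating. The `bp_uri` filter that follows is outside the hunk, as is the rest of the function.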
diff --git a/src/bp-core/bp-core-template-loader.php b/src/bp-core/bp-core-template-loader.php
index f069352..b1388ed 100644
--- a/src/bp-core/bp-core-template-loader.php
+++ b/src/bp-core/bp-core-template-loader.php
@@ -79,7 +79,7 @@ function bp_reset_query( $bp_request = '', \WP_Query $query = null ) {
 	// Back up request uri.
 	$reset_server_request_uri = '';
 	if ( isset( $_SERVER['REQUEST_URI'] ) ) {
-		$reset_server_request_uri = wp_unslash( $_SERVER['REQUEST_URI'] ); // phpcs:ignore
+		$reset_server_request_uri = esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
 	}
 
 	// Temporarly override it.
diff --git a/src/bp-core/bp-core-template.php b/src/bp-core/bp-core-template.php
index ffc2c51..00c2a57 100644
--- a/src/bp-core/bp-core-template.php
+++ b/src/bp-core/bp-core-template.php
@@ -25,8 +25,13 @@
  * @return mixed The BuddyPress global value set using the BP Legacy URL parser.
  */
 function _was_called_too_early( $function, $bp_global ) {
-	$retval = null;
-	$request = wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ); // phpcs:ignore
+	$retval = null;
+	$request_uri = '';
+	if ( isset( $_SERVER['REQUEST_URI'] ) ) {
+		$request_uri = esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
+	}
+
+	$request = wp_parse_url( $request_uri, PHP_URL_PATH );
 	$is_admin = ( false !== strpos( $request, '/wp-admin' ) || is_admin() ) && ! wp_doing_ajax();
 
 	// The BP REST API needs more work.
diff --git a/src/bp-core/classes/class-core-component.php b/src/bp-core/classes/class-core-component.php
index aed4592..7bef541 100644
--- a/src/bp-core/classes/class-core-component.php
+++ b/src/bp-core/classes/class-core-component.php
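Review bot: `$reset_server_request_uri` is a backup — the surrounding comments say "Back up" and "Temporarly override it", and the restore presumably happens later in the function, outside the hunk — so sanitizing it with `esc_url_raw()` means the restore writes a rewritten URI back into `$_SERVER['REQUEST_URI']`: characters outside the allowed set are dropped, spaces become `%20`, and the `clean_url` filter gets a say, all of which later code then sees as the "original" request. A backup should be byte-identical and never used for anything else: `$reset_server_request_uri = $_SERVER['REQUEST_URI']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput -- verbatim backup, only written back below.` The pre-existing `wp_unslash()` already deviated from that, in a smaller way.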
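Review bot: `wp_parse_url( $request_uri, PHP_URL_PATH )` returns null when the component is absent or the URI does not parse (for example a value `esc_url_raw()` reduced to something without a path), and the next line passes that straight into `strpos()`, which PHP 8.1+ reports as a deprecated null argument; `$request = (string) wp_parse_url( $request_uri, PHP_URL_PATH );` keeps the `/wp-admin` test well-typed and falls through to `is_admin()` as before. The `if`/`isset` block is fine, but since `$request_uri` is only used on that one line the intermediate could be folded into it. The function's body continues outside the hunk.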
@@ -18,14 +18,17 @@ class Core_Component extends \BP_Core {
 	/**
 	 * Parse the WP_Query and eventually display the component's directory or single item.
 	 *
+	 * Search doesn't have an associated page, so we check for it separately.
+	 *
 	 * @since 1.0.0
 	 *
 	 * @param WP_Query $query Required. See BP_Component::parse_query() for
 	 *                        description.
 	 */
 	public function parse_query( $query ) {
-		// Search doesn't have an associated page, so we check for it separately.
-		if ( isset( $_POST['search-terms'] ) && $query->get( 'pagename' ) === bp_get_search_slug() ) { // phpcs:ignore
+		// phpcs:disable WordPress.Security.NonceVerification
+		if ( isset( $_POST['search-terms'] ) && $query->get( 'pagename' ) === bp_get_search_slug() ) {
+			// phpcs:enable WordPress.Security.NonceVerification
 			buddypress()->current_component = bp_get_search_slug();
 		}
diff --git a/src/bp-groups/actions/create.php b/src/bp-groups/actions/create.php
index 71bc03e..56f3a44 100644
--- a/src/bp-groups/actions/create.php
+++ b/src/bp-groups/actions/create.php
@@ -112,11 +112,9 @@ function groups_action_create_group() {
 			$new_group_id = $bp->groups->new_group_id;
 		}
 
-		// phpcs:disable WordPress.Security.ValidatedSanitizedInput
-		$new_group_name = wp_unslash( $_POST['group-name'] );
-		$new_group_slug = sanitize_title( esc_attr( $new_group_name ) );
-		$new_group_desc = wp_unslash( $_POST['group-desc'] );
-		// phpcs:enable WordPress.Security.ValidatedSanitizedInput
+		$new_group_name = sanitize_text_field( wp_unslash( $_POST['group-name'] ) );
+		$new_group_slug = sanitize_title( $new_group_name );
+		$new_group_desc = sanitize_textarea_field( wp_unslash( $_POST['group-desc'] ) );
 
 		$bp->groups->new_group_id = groups_create_group( array(
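Review bot: The `phpcs:disable`/`phpcs:enable` pair brackets a single condition, and the `enable` line sits inside the `if` body, which reads as though the suppression were meant for the body rather than the `$_POST` read on the line above; the one-line form used elsewhere in this changeset is tighter and can carry the justification: `if ( isset( $_POST['search-terms'] ) && $query->get( 'pagename' ) === bp_get_search_slug() ) { // phpcs:ignore WordPress.Security.NonceVerification -- only selects the component to route, nothing is persisted.` The `\BP_Core` parent suggests this class is namespaced, in which case the moved docblock's `@param WP_Query` should be `\WP_Query` to resolve for tooling. The method's remaining body is outside the hunk.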
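Review bot: `sanitize_textarea_field()` strips every HTML tag from `group-desc`, so if group descriptions are meant to carry a KSES-filtered subset of HTML (the old code passed the raw value through, presumably relying on a save-time kses filter — worth confirming), this silently changes what gets stored; `wp_kses_post( wp_unslash( $_POST['group-desc'] ) )` sanitizes while keeping the allowed subset. Separately, `$_POST['group-name']` and `$_POST['group-desc']` are still read without `isset()`, unlike the crop offsets guarded later in this same function, so a malformed submission logs undefined-index notices; `isset( $_POST['group-name'] ) ? sanitize_text_field( wp_unslash( $_POST['group-name'] ) ) : ''` closes that. The enclosing function starts and ends outside the hunk.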
@@ -143,15 +141,12 @@ function groups_action_create_group() {
 			$group_enable_forum = 0;
 		}
 
-		// phpcs:disable WordPress.Security.ValidatedSanitizedInput
 		if ( isset( $_POST['group-status'] ) ) {
-			if ( 'private' === wp_unslash( $_POST['group-status'] ) ) {
-				$group_status = 'private';
-			} elseif ( 'hidden' === wp_unslash( $_POST['group-status'] ) ) {
-				$group_status = 'hidden';
+			$posted_group_status = sanitize_text_field( wp_unslash( $_POST['group-status'] ) );
+			if ( 'private' === $posted_group_status || 'hidden' === $posted_group_status ) {
+				$group_status = $posted_group_status;
 			}
 		}
-		// phpcs:enable WordPress.Security.ValidatedSanitizedInput
 
 		$bp->groups->new_group_id = groups_create_group( array(
@@ -362,13 +357,11 @@ function groups_action_create_group() {
 				'object' => 'group',
 				'avatar_dir' => 'group-avatars',
 				'item_id' => $bp->groups->current_group->id,
-				// phpcs:disable WordPress.Security.ValidatedSanitizedInput
-				'original_file' => wp_unslash( $_POST['image_src'] ),
-				'crop_x' => wp_unslash( $_POST['x'] ),
-				'crop_y' => wp_unslash( $_POST['y'] ),
-				'crop_w' => wp_unslash( $_POST['w'] ),
-				'crop_h' => wp_unslash( $_POST['h'] ),
-				// phpcs:enable WordPress.Security.ValidatedSanitizedInput
+				'original_file' => esc_url_raw( wp_unslash( $_POST['image_src'] ) ),
+				'crop_x' => ! isset( $_POST['x'] ) ? 0 : sanitize_text_field( wp_unslash( $_POST['x'] ) ),
+				'crop_y' => ! isset( $_POST['y'] ) ? 0 : sanitize_text_field( wp_unslash( $_POST['y'] ) ),
+				'crop_w' => ! isset( $_POST['w'] ) ? bp_core_avatar_full_width() : sanitize_text_field( wp_unslash( $_POST['w'] ) ),
+				'crop_h' => ! isset( $_POST['h'] ) ? bp_core_avatar_full_height() : sanitize_text_field( wp_unslash( $_POST['h'] ) ),
 			);
 
 			$cropped_avatar = bp_core_avatar_handle_crop( $args, 'array' );
diff --git a/src/bp-groups/classes/class-bp-group-extension.php b/src/bp-groups/classes/class-bp-group-extension.php
index d4cf7e4..638a459 100644
--- a/src/bp-groups/classes/class-bp-group-extension.php
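Review bot: `esc_url_raw()` on `image_src` only normalises the string; it does not confine `original_file` to the group-avatar upload directory, so a tampered value still reaches `bp_core_avatar_handle_crop()` and the path check has to live there (not visible in this hunk — worth confirming it rejects anything outside the upload dir before cropping). The crop offsets are numeric, so an integer sanitizer states the contract better than `sanitize_text_field()`, which still lets non-numeric strings through: `'crop_x' => isset( $_POST['x'] ) ? absint( wp_unslash( $_POST['x'] ) ) : 0,` and likewise for `y`/`w`/`h`. `image_src` is also the one input here without an `isset()` guard. The enclosing function continues outside the hunk.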
+++ b/src/bp-groups/classes/class-bp-group-extension.php
@@ -549,9 +549,11 @@ public static function get_group_id() {
 		 * $_POST array
 		 * @todo Figure out why this is happening during group creation.
 		 */
-		if ( empty( $group_id ) && isset( $_POST['group_id'] ) ) { // phpcs:ignore
-			$group_id = (int) $_POST['group_id']; // phpcs:ignore
+		// phpcs:disable WordPress.Security.NonceVerification
+		if ( empty( $group_id ) && isset( $_POST['group_id'] ) ) {
+			$group_id = (int) sanitize_text_field( wp_unslash( $_POST['group_id'] ) );
 		}
+		// phpcs:enable WordPress.Security.NonceVerification
 
 		return $group_id;
 	}
@@ -1138,9 +1140,11 @@ public function call_edit_screen() {
 	 * @since 1.8.0
 	 */
 	public function call_edit_screen_save() {
-		if ( empty( $_POST ) ) { // phpcs:ignore
+		// phpcs:disable WordPress.Security.NonceVerification
+		if ( empty( $_POST ) ) {
 			return;
 		}
+		// phpcs:enable WordPress.Security.NonceVerification
 
 		/*
 		 * When DOING_AJAX, the POST global will be populated, but we
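Review bot: `(int) sanitize_text_field( wp_unslash( ... ) )` layers a text sanitizer under a cast that already discards everything non-numeric, which makes the line look as if the text sanitizer were doing the work; `$group_id = absint( $_POST['group_id'] );` is the WordPress idiom, is recognised by phpcs as a sanitizer, and states the intent (a non-negative id) directly — if a negative value should stay rejected rather than be flipped positive, the bare `(int)` cast is already enough. The comment block above this code starts outside the hunk.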
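Review bot: The disable/enable pair wraps a bare `empty( $_POST )` probe, which is exactly the case the inline sigil exists for; `if ( empty( $_POST ) ) { // phpcs:ignore WordPress.Security.NonceVerification -- presence check only; the nonce is verified before anything is saved.` says in one line both what is suppressed and why. That justification assumes the nonce check happens further down the method, which continues outside the hunk — worth confirming before adopting the wording.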