Skip to content

Commit 5ca835e

Browse files
jameswburkejameswburke
authored
Merge pull request #4 from alleyinteractive/update-for-phpcs
Update standards and address some VIP errors and warnings
2 parents 75d38cc + b1ff22c commit 5ca835e

File tree

4 files changed

+19
-7
lines changed

4 files changed

+19
-7
lines changed

.phpcs.ruleset.xml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,12 @@
2424
https://github.com/PHPCompatibility/PHPCompatibilityWP -->
2525
<rule ref="PHPCompatibilityWP"/>
2626

27+
<!-- Use the VIP Go ruleset. -->
28+
<rule ref="WordPress-VIP-Go" />
29+
30+
<!-- Use the WordPress.com VIP ruleset. -->
31+
<rule ref="WordPressVIPMinimum" />
32+
2733
<!-- For help in understanding this testVersion:
2834
https://github.com/PHPCompatibility/PHPCompatibility#sniffing-your-code-for-compatibility-with-specific-php-versions -->
2935
<config name="testVersion" value="5.3-"/>

composer.json

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,8 @@
1616
"php-coveralls/php-coveralls": "^2.1",
1717
"slowprog/composer-copy-file": "0.2.1",
1818
"wp-coding-standards/wpcs": "*",
19-
"xwp/wp-dev-lib": "^1.1.1"
19+
"xwp/wp-dev-lib": "^1.1.1",
20+
"automattic/vipwpcs": "^2.0"
2021
},
2122
"scripts": {
2223
"phpcs": [

wp-includes/rest-api/auth/class-wp-rest-key-pair.php

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -356,11 +356,14 @@ public function authenticate( $user, WP_REST_Request $request ) {
356356

357357
$found = false;
358358
$keypairs = $this->get_user_key_pairs( $get_user->ID );
359+
360+
// Update the "Last IP" which accessed the keypair. This may not work
361+
// in some environments due to caching.
359362
foreach ( $keypairs as $_key => $item ) {
360363
if ( isset( $item['api_key'] ) && $item['api_key'] === $key ) {
361364
$keypairs[ $_key ]['last_used'] = time();
362365

363-
$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null;
366+
$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
364367
if ( $ip ) {
365368
$keypairs[ $_key ]['last_ip'] = $ip;
366369
}
@@ -705,6 +708,7 @@ public function template_new_key_pair() {
705708
* @since 0.1
706709
*/
707710
public function template_new_token_key_pair() {
711+
// phpcs:disable WordPressVIPMinimum.Security.Mustache.OutputNotation
708712
?>
709713
<script type="text/html" id="tmpl-new-token-key-pair">
710714
<div class="new-key-pair notification-dialog-wrap" data-api_key="{{ data.api_key }}" data-name="{{ data.name }}">
@@ -761,6 +765,7 @@ public function template_new_token_key_pair() {
761765
</div>
762766
</script>
763767
<?php
768+
// phpcs:enable WordPressVIPMinimum.Security.Mustache.OutputNotation
764769
}
765770

766771
/**

wp-includes/rest-api/auth/class-wp-rest-token.php

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -344,7 +344,7 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) {
344344
if ( isset( $item['api_key'] ) && $item['api_key'] === $token->data->user->api_key ) {
345345
$keypairs[ $_key ]['last_used'] = time();
346346

347-
$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null;
347+
$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
348348
if ( $ip ) {
349349
$keypairs[ $_key ]['last_ip'] = $ip;
350350
}
@@ -380,8 +380,8 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) {
380380
*/
381381
public function require_token() {
382382
$require_token = true;
383-
$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( $_SERVER['REQUEST_URI'] ) : false;
384-
$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( $_SERVER['REQUEST_METHOD'] ) : false;
383+
$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : false;
384+
$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) : false;
385385

386386
// User is already authenticated.
387387
$user = wp_get_current_user();
@@ -775,11 +775,11 @@ public function validate_token() {
775775
public function get_auth_header() {
776776

777777
// Get HTTP Authorization Header.
778-
$header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? sanitize_text_field( $_SERVER['HTTP_AUTHORIZATION'] ) : false;
778+
$header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ) ) : false;
779779

780780
// Check for alternative header.
781781
if ( ! $header && isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
782-
$header = sanitize_text_field( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
782+
$header = sanitize_text_field( wp_unslash( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) );
783783
}
784784

785785
// The HTTP Authorization Header is missing, return an error.

0 commit comments

Comments
 (0)