PHPCS: Likes #24368
PHPCS: Likes #24368
Conversation
github-actions
bot
added
[Plugin] Jetpack
|
Thank you for your PR! When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:
This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖 The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available. Once your PR is ready for review, check one last time that all required checks (other than "Required review") appearing at the bottom of this PR are passing or skipped. Jetpack plugin:
|
| if ( ! isset( $_POST['wpl_enable_post_sharing'] ) ) { | ||
| if ( isset( $_POST['post_type'] ) && in_array( $_POST['post_type'], get_post_types( array( 'public' => true ) ), true ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- no site changes. | ||
| if ( ! isset( $_POST['wpl_enable_post_sharing'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- no site changes. | ||
| update_post_meta( $post_id, 'sharing_disabled', 1 ); |
There was a problem hiding this comment.
Err, isn't this a site change right here? And there are more below too.
| if ( true == $db_state && ! $this->in_jetpack ) { | ||
| $g_gif = file_get_contents( 'https://pixel.wp.com/g.gif?v=wpcom-no-pv&x_likes=disabled_likes' ); | ||
| } | ||
| update_option( 'disabled_likes', 1 ); |
There was a problem hiding this comment.
Again, site change right here, and more below.
| // WPCOM only: Comment Likes | ||
| if ( ! $this->in_jetpack ) { | ||
| $new_comments_state = ! empty( $_POST['jetpack_comment_likes_enabled'] ) ? $_POST['jetpack_comment_likes_enabled'] : false; | ||
| $new_comments_state = ! empty( $_POST['jetpack_comment_likes_enabled'] ) ? sanitize_option( wp_unslash( $_POST['jetpack_comment_likes_enabled'] ) ) : false; // phpcs:ignore WordPress.Security.NonceVerification.Missing -- no changes to the site, only enable or disabling comment likes. |
There was a problem hiding this comment.
only enable or disabling comment likes.
That's a change to the site though, isn't it?
kraftbj
added
[Status] Needs Author Reply
|
Okay, think I fixed up the nonces. Let me know if that looks okay. |
sdixon194
added
[Status] Needs Review
|
Spent some time testing this out to see if I could break anything but it all looks good. I see the nonce in the page source. I went down a rabbit hole too looking into whether or not the nonce fields are checked earlier, and the 'sharing-options' nonce is only checked if sharing is not enabled. Functionality-wise I'm not sure if I may be missing something when reviewing in terms of nonces but wanted to comment anyway with what I was looking at and what I found. Happy to approve based on that unless anyone else wants to take a look. |
kraftbj
added
[Status] Ready to Merge
|
Had to fix a merge conflict so this could use another approval 👍 |
|
Caution: This PR has changes that must be merged to WordPress.com |
|
Great news! One last step: head over to your WordPress.com diff, D81308-code, and deploy it. Thank you! |
github-actions
bot
removed
the
[Status] Ready to Merge
|
r246252-wpcom |
| if ( ! $this->in_jetpack ) { | ||
| if ( isset( $_POST['post_type'] ) && in_array( $_POST['post_type'], get_post_types( array( 'public' => true ) ), true ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- no site changes. | ||
| if ( ! isset( $_POST['wpl_enable_post_sharing'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- no site changes. | ||
| if ( ! isset( $_POST['wpl_enable_post_sharing'] ) && isset( $_POST['_likesharenonce'] ) && wp_verify_nonce( $_POST['_likesharenonce'], 'likes-and-shares' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput -- WordPress core doesn't unslash or verify nonces either. |
There was a problem hiding this comment.
This nonce check seems to have been added incorrectly. As written, if wpl_enable_post_sharing is set but the nonce check fails, it'll still enable sharing. And the check here doesn't at all protect lines 162, 166, or 176.
I'd have added the nonce check at around line 139 instead. Offhand I don't know if I'd have had it wp_die() or just return $post_id if the check fails, that depends on whether it'd make more sense to abort or just ignore the attempt.
Then see how many of the phpcs:ignores can be removed.
| if ( ! empty( $_POST['wpl_default'] ) && isset( $_POST['_wpnonce'] ) && wp_verify_nonce( $_POST['_wpnonce'], 'sharing-options' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput -- WordPress core doesn't unslash or verify nonces either. | ||
| $new_state = sanitize_text_field( wp_unslash( $_POST['wpl_default'] ) ); | ||
| } else { | ||
| $new_state = 'on'; |
There was a problem hiding this comment.
The logic here seems wrong. If the nonce check fails, we change the setting to "on"?
In practice it looks like an earlier nonce check will have already prevented this from being called so that won't actually happen. But if we're going to have a nonce check at all instead of relying on that earlier one, we should do the check separately and either return or or wp_die() depending on which behavior makes more sense.
| $new_state = 'on'; | ||
| } | ||
|
|
||
| if ( ! empty( $_POST['jetpack_reblogs_enabled'] ) && isset( $_POST['_wpnonce'] ) && wp_verify_nonce( $_POST['_wpnonce'], 'jetpack-reblog-option' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput -- WordPress core doesn't unslash or verify nonces either. |
There was a problem hiding this comment.
Why are you checking the nonce again with a different action? That's never going to work.
And trying it on wpcom (I'm not sure how to get there clicking, maybe it's hidden in Calypso instead, but going directly to /wp-admin/options-general.php?page=sharing on my sandbox works) I find that I can no longer change this setting, it's always set to "on".
| if ( ! empty( $_POST['jetpack_comment_likes_enabled'] ) && isset( $_POST['_wpnonce'] ) && wp_verify_nonce( $_POST['_wpnonce'], 'sharing-options' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput -- WordPress core doesn't unslash or verify nonces either. | ||
| $new_comments_state = sanitize_text_field( wp_unslash( $_POST['jetpack_comment_likes_enabled'] ) ); | ||
| } else { | ||
| $new_comments_state = false; |
|
@anomiex Would you recommend reverting this and the wpcom commit until this is sorted out, or is it just implemented in a poor way that it just doesn't work (as if the nonce checks weren't added before)? |
|
Depends how quickly someone can put together a fix. |
|
Tried to put the fixes together here: #24490 Just removed the second check altogether since that seems to be covered. |
Fixes #21985
Changes proposed in this Pull Request:
Jetpack product discussion
na
Does this pull request change what data or activity we track or use?
no
Testing instructions: