diff --git a/.travis.yml b/.travis.yml
index 4765b37..7b7cefb 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,6 +13,10 @@ cache:
 - vendor
 - $HOME/phpunit-bin
+services:
+ - mysql
+ - memcached
+
 addons:
 apt:
 packages:
diff --git a/composer.json b/composer.json
index cddfb26..58b5c19 100644
--- a/composer.json
+++ b/composer.json
@@ -10,13 +10,13 @@
 },
 "require-dev": {
 "brainmaestro/composer-git-hooks": "^2.6.0",
- "dealerdirect/phpcodesniffer-composer-installer": "^0.5.0",
+ "dealerdirect/phpcodesniffer-composer-installer": "^0.7.0",
 "firebase/php-jwt": "^5.0",
 "phpcompatibility/phpcompatibility-wp": "*",
- "php-coveralls/php-coveralls": "^2.1",
+ "php-coveralls/php-coveralls": "^2.4.2",
 "slowprog/composer-copy-file": "0.2.1",
 "wp-coding-standards/wpcs": "*",
- "xwp/wp-dev-lib": "^1.1.1"
+ "xwp/wp-dev-lib": "^1.6.5"
 },
 "scripts": {
 "phpcs": [
diff --git a/phpunit.xml.dist b/phpunit.xml.dist
index 1265cd7..51a34b9 100644
--- a/phpunit.xml.dist
+++ b/phpunit.xml.dist
@@ -7,7 +7,7 @@ convertWarningsToExceptions="true" > - + ./tests/ ./tests/
diff --git a/wp-admin/includes/class-wp-key-pair-list-table.php b/wp-admin/includes/class-wp-key-pair-list-table.php
index ecb563c..27b69bb 100644
--- a/wp-admin/includes/class-wp-key-pair-list-table.php
+++ b/wp-admin/includes/class-wp-key-pair-list-table.php
@@ -73,12 +73,12 @@ protected function column_default( $item, $column_name ) {
 if ( empty( $item['created'] ) ) {
 return '—';
 }
- return date( 'F j, Y g:i a', $item['created'] );
+ return gmdate( 'F j, Y g:i a', $item['created'] );
 case 'last_used':
 if ( empty( $item['last_used'] ) ) {
 return '—';
 }
- return date( 'F j, Y g:i a', $item['last_used'] );
+ return gmdate( 'F j, Y g:i a', $item['last_used'] );
 case 'last_ip':
 if ( empty( $item['last_ip'] ) ) {
 return '—';
diff --git a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php
index df47258..aa7f4a6 100644
--- a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php
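Review bot: Replacing `date()` with `gmdate()` in column_default changes what the admin screen shows, not only what the sniff reports: `created` and `last_used` are now rendered in UTC whatever the site's configured timezone, and the `F j, Y g:i a` format stays a hard-coded English layout. If the stored values are Unix timestamps, which the `empty()` guards suggest but the hunk does not prove, `wp_date( 'F j, Y g:i a', $item['created'] )` (WordPress 5.3+) renders them in the site timezone and satisfies the same restricted-function rule, and building the format from `get_option( 'date_format' )` and `get_option( 'time_format' )` would honour the admin's display settings. The same substitution is made in generate_key_pair in class-wp-rest-key-pair.php (`$new_item['created'] = gmdate( ... )`), so the API response also switches to UTC there. column_default begins before this hunk and continues after it.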
+++ b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php
@@ -92,9 +92,10 @@ public static function get_rest_uri() {
 */
 public function register_routes() {
 $args = array(
- 'methods' => WP_REST_Server::CREATABLE,
- 'callback' => array( $this, 'generate_key_pair' ),
- 'args' => array(
+ 'methods' => WP_REST_Server::CREATABLE,
+ 'callback' => array( $this, 'generate_key_pair' ),
+ 'permission_callback' => '__return_true',
+ 'args' => array(
 'name' => array(
 'description' => esc_html__( 'The name of the key-pair.', 'jwt-auth' ),
 'type' => 'string',
@@ -110,14 +111,15 @@ public function register_routes() {
 'validate_callback' => 'rest_validate_request_arg',
 ),
 ),
- 'schema' => array( $this, 'get_item_schema' ),
+ 'schema' => array( $this, 'get_item_schema' ),
 );
 register_rest_route( self::_NAMESPACE_, '/' . self::_REST_BASE_ . '/(?P[\d]+)', $args );
 $args = array(
- 'methods' => WP_REST_Server::DELETABLE,
- 'callback' => array( $this, 'delete_all_key_pairs' ),
- 'args' => array(
+ 'methods' => WP_REST_Server::DELETABLE,
+ 'callback' => array( $this, 'delete_all_key_pairs' ),
+ 'permission_callback' => '__return_true',
+ 'args' => array(
 'user_id' => array(
 'description' => esc_html__( 'The ID of the user.', 'jwt-auth' ),
 'type' => 'integer',
@@ -130,9 +132,10 @@ public function register_routes() {
 register_rest_route( self::_NAMESPACE_, '/' . self::_REST_BASE_ . '/(?P[\d]+)/revoke-all', $args );
 $args = array(
- 'methods' => WP_REST_Server::DELETABLE,
- 'callback' => array( $this, 'delete_key_pair' ),
- 'args' => array(
+ 'methods' => WP_REST_Server::DELETABLE,
+ 'callback' => array( $this, 'delete_key_pair' ),
+ 'permission_callback' => '__return_true',
+ 'args' => array(
 'user_id' => array(
 'description' => esc_html__( 'The ID of the user.', 'jwt-auth' ),
 'type' => 'integer',
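Review bot: `'permission_callback' => '__return_true'` on the key-pair create route declares it public to the REST layer, so authorization now rests entirely on generate_key_pair verifying that the requester may act on the user id taken from the path; that check is outside this hunk and I cannot confirm it exists. Every route registered here carries a user id, so a real callback costs one line, e.g. `'permission_callback' => function ( WP_REST_Request $request ) { return current_user_can( 'edit_user', (int) $request['user_id'] ); },`; if the callbacks are deliberately meant to accept a principal other than a cookie session, record that in a comment beside each `__return_true` so the next reader does not read it as an oversight. The same value is added in the two following hunks of register_routes, for delete_all_key_pairs and delete_key_pair. register_routes continues past the last of those hunks.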
@@ -514,7 +517,7 @@ public function generate_key_pair( WP_REST_Request $request ) {
 $keypairs[] = $new_item;
 $this->set_user_key_pairs( $user_id, $keypairs );
- $new_item['created'] = date( 'F j, Y g:i a', $new_item['created'] );
+ $new_item['created'] = gmdate( 'F j, Y g:i a', $new_item['created'] );
 $new_item['last_used'] = '—';
 $new_item['last_ip'] = '—';
diff --git a/wp-includes/rest-api/auth/class-wp-rest-token.php b/wp-includes/rest-api/auth/class-wp-rest-token.php
index b51ecb6..518ea7c 100644
--- a/wp-includes/rest-api/auth/class-wp-rest-token.php
+++ b/wp-includes/rest-api/auth/class-wp-rest-token.php
@@ -98,15 +98,17 @@ public static function get_rest_uri() {
 */
 public function register_routes() {
 $args = array(
- 'methods' => WP_REST_Server::READABLE,
- 'callback' => array( $this, 'validate' ),
+ 'methods' => WP_REST_Server::READABLE,
+ 'callback' => array( $this, 'validate' ),
+ 'permission_callback' => '__return_true',
 );
 register_rest_route( self::_NAMESPACE_, '/' . self::_REST_BASE_ . '/validate', $args );
 $args = array(
- 'methods' => WP_REST_Server::CREATABLE,
- 'callback' => array( $this, 'generate_token' ),
- 'args' => array(
+ 'methods' => WP_REST_Server::CREATABLE,
+ 'callback' => array( $this, 'generate_token' ),
+ 'permission_callback' => '__return_true',
+ 'args' => array(
 'api_key' => array(
 'description' => __( 'The API key of the user; requires also setting the api_secret.', 'jwt-auth' ),
 'type' => 'string',
@@ -120,7 +122,7 @@ public function register_routes() {
 'validate_callback' => 'rest_validate_request_arg',
 ),
 ),
- 'schema' => array( $this, 'get_item_schema' ),
+ 'schema' => array( $this, 'get_item_schema' ),
 );
 register_rest_route( self::_NAMESPACE_, '/' . self::_REST_BASE_, $args );
 }
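Review bot: The two `'permission_callback' => '__return_true'` entries in register_routes of class-wp-rest-token.php should say why they are public, because the identical value on the key-pair routes reads as an oversight while here it is the intended contract: the `/validate` route and the token-issuing `POST` are reached before any WordPress user is authenticated, and the credentials travel in the request arguments (`api_key` and its secret) or the Authorization header. Suggested comment above each entry: `// Public by design: the caller is not yet authenticated; the callback verifies the supplied credentials itself.` The second hunk of this file (`@@ -120`) is alignment only. The lines of register_routes between the two hunks are not shown.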
@@ -380,8 +382,8 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) {
 */
 public function require_token() {
 $require_token = true;
- $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( $_SERVER['REQUEST_URI'] ) : false;
- $request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( $_SERVER['REQUEST_METHOD'] ) : false;
+ $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : false;
+ $request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) : false;
 // User is already authenticated.
 $user = wp_get_current_user();
@@ -775,11 +777,11 @@ public function validate_token() {
 public function get_auth_header() {
 // Get HTTP Authorization Header.
- $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? sanitize_text_field( $_SERVER['HTTP_AUTHORIZATION'] ) : false;
+ $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ) ) : false;
 // Check for alternative header.
 if ( ! $header && isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
- $header = sanitize_text_field( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
+ $header = sanitize_text_field( wp_unslash( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) );
 }
 // The HTTP Authorization Header is missing, return an error.
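Review bot: `sanitize_text_field()` is not a transparent wrapper for a credential header in get_auth_header: besides the tag stripping it is used for, it collapses runs of internal whitespace and removes any `%xx` sequence it finds, so a header value containing either reaches the parser altered. For a `Bearer` token that is a JWT this is harmless, since base64url contains neither spaces nor `%`, but the assumption belongs next to the code, e.g. `// sanitize_text_field() strips %xx sequences and collapses whitespace; acceptable for Bearer JWTs, revisit if other credential formats are accepted.` on the `HTTP_AUTHORIZATION` line and again on the `REDIRECT_HTTP_AUTHORIZATION` fallback. Adding `wp_unslash()` itself is correct for superglobals. get_auth_header continues beyond the hunk.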