Merge pull request #1148 from angelleye/PFW-151

Sanitize, Escape, and Validate POST Calls, PFW-151
angelleye · Jun 20, 2018 · 8905c06 · 8905c06
2 parents 8d13ac1 + 607d389
commit 8905c06
Show file tree

Hide file tree

Showing 12 changed files with 53 additions and 218 deletions.
diff --git a/angelleye-includes/angelleye-utility.php b/angelleye-includes/angelleye-utility.php
@@ -393,7 +393,7 @@ public function pfw_do_capture($order, $transaction_id = null, $capture_total =
         $this->ec_add_log('DoCapture API call');
         $order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
         if( !empty($_POST['_regular_price'])) {
-            $AMT = self::number_format($_POST['_regular_price']);
+            $AMT = self::number_format(wc_clean( wp_unslash( $_POST['_regular_price'] ) ) );
         } elseif ($capture_total == null) {
             $AMT = $this->get_amount_by_transaction_id($transaction_id);
         } else {
@@ -494,7 +494,7 @@ public function call_do_void($order) {
         $this->ec_add_log('DoVoid API call');
         $order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
         if (isset($_POST['angelleye_paypal_dovoid_transaction_dropdown']) && !empty($_POST['angelleye_paypal_dovoid_transaction_dropdown'])) {
-            $transaction_id = $_POST['angelleye_paypal_dovoid_transaction_dropdown'];
+            $transaction_id = wc_clean($_POST['angelleye_paypal_dovoid_transaction_dropdown']);
         } else {
             $old_wc = version_compare(WC_VERSION, '3.0', '<');
             $transaction_id = $old_wc ? get_post_meta($order_id, '_first_transaction_id', true) : get_post_meta($order->get_id(), '_first_transaction_id', true);
@@ -561,7 +561,7 @@ public function call_do_reauthorization($order) {
         $this->ec_add_log('DoReauthorization API call');
         $order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
         if (isset($_POST['angelleye_paypal_doreauthorization_transaction_dropdown']) && !empty($_POST['angelleye_paypal_doreauthorization_transaction_dropdown'])) {
-            $transaction_id = $_POST['angelleye_paypal_doreauthorization_transaction_dropdown'];
+            $transaction_id = wc_clean($_POST['angelleye_paypal_doreauthorization_transaction_dropdown']);
         } else {
             $old_wc = version_compare(WC_VERSION, '3.0', '<');
             $transaction_id = $old_wc ? get_post_meta($order_id, '_first_transaction_id', true) : get_post_meta($order->get_id(), '_first_transaction_id', true);
@@ -654,7 +654,7 @@ public function call_do_authorization($order) {
         if (isset($transaction_id) && !empty($transaction_id)) {
             $DRFields = array(
                 'TRANSACTIONID' => $transaction_id, // Required. The value of a previously authorized transaction ID returned by PayPal.
-                'AMT' => self::number_format($_POST['_regular_price']), // Required. Must have two decimal places.  Decimal separator must be a period (.) and optional thousands separator must be a comma (,)
+                'AMT' => self::number_format(wc_clean( wp_unslash( $_POST['_regular_price']))), // Required. Must have two decimal places.  Decimal separator must be a period (.) and optional thousands separator must be a comma (,)
                 'CURRENCYCODE' => version_compare(WC_VERSION, '3.0', '<') ? $order->get_order_currency() : $order->get_currency()
             );
             $PayPalRequestData = array('DAFields' => $DRFields);
@@ -1705,7 +1705,7 @@ public function call_paypal_pro_payflow_docapture($order, $transaction_id, $capt
         $order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
 
         if( !empty($_POST['_regular_price'])) {
-            $AMT = self::number_format($_POST['_regular_price']);
+            $AMT = self::number_format(wc_clean( wp_unslash( $_POST['_regular_price'])));
         } elseif ($capture_total == null) {
             $AMT = $this->get_amount_by_transaction_id($transaction_id);
         } else {
@@ -1757,7 +1757,7 @@ public function call_paypal_pro_payflow_do_void($order) {
         $this->ec_add_log('DoVoid API call');
         $order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
         if (isset($_POST['angelleye_paypal_dovoid_transaction_dropdown']) && !empty($_POST['angelleye_paypal_dovoid_transaction_dropdown'])) {
-            $transaction_id = $_POST['angelleye_paypal_dovoid_transaction_dropdown'];
+            $transaction_id = wc_clean($_POST['angelleye_paypal_dovoid_transaction_dropdown']);
         } else {
             $old_wc = version_compare(WC_VERSION, '3.0', '<');
             $transaction_id = $old_wc ? get_post_meta($order_id, '_first_transaction_id', true) : get_post_meta($order->get_id(), '_first_transaction_id', true);

diff --git a/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-helper-angelleye.php b/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-helper-angelleye.php
@@ -230,7 +230,7 @@ public function angelleye_paypal_express_checkout_redirect_to_paypal($data, $err
         }
         if (empty($_POST['woocommerce_checkout_update_totals']) && 0 === $notice_count) {
             try {
-                WC()->session->set('post_data', $_POST);
+                WC()->session->set('post_data', wp_slash($_POST));
                 if (isset($_POST['payment_method']) && 'paypal_express' === $_POST['payment_method'] && $this->function_helper->ec_notice_count('error') == 0) {
                     $this->function_helper->ec_redirect_after_checkout();
                 }
@@ -308,7 +308,7 @@ public function ec_set_checkout_post_data() {
                 }
             }
             $post_data = WC()->session->get('post_data');
-            $_POST['order_comments'] = isset($post_data['order_comments']) ? $post_data['order_comments'] : '';
+            $_POST['order_comments'] = isset($post_data['order_comments']) ? wc_clean($post_data['order_comments']) : '';
             if (!empty($post_data)) {
                 foreach ($post_data as $key => $value) {
                     if (!empty($value)) {
@@ -319,11 +319,11 @@ public function ec_set_checkout_post_data() {
                 if ($this->angelleye_is_need_to_set_billing_address() == false) {
                     $shipping_details = $this->ec_get_session_data('shipping_details');
                     if (!empty($shipping_details)) {
-                        $_POST['billing_first_name'] = $shipping_details['first_name'];
-                        $_POST['billing_last_name'] = $shipping_details['last_name'];
+                        $_POST['billing_first_name'] = !empty($shipping_details['first_name']) ? wc_clean($shipping_details['first_name']) : '';
+                        $_POST['billing_last_name'] = !empty($shipping_details['last_name']) ? wc_clean($shipping_details['last_name']) : '';
                         $_POST['billing_company'] = !empty($shipping_details['company']) ? wc_clean(stripslashes($shipping_details['company'])) : '';
-                        $_POST['billing_email'] = $shipping_details['email'];
-                        $_POST['billing_phone'] = $shipping_details['phone'];
+                        $_POST['billing_email'] = !empty($shipping_details['email']) ? wc_clean($shipping_details['email']) : '';
+                        $_POST['billing_phone'] = !empty($shipping_details['phone']) ? wc_clean($shipping_details['phone']) : '';
                     }
                 }
             }
@@ -836,7 +836,7 @@ public function angelleye_ajax_generate_cart() {
             wp_die(__('Cheatin&#8217; huh?', 'paypal-for-woocommerce'));
         }
         WC()->shipping->reset_shipping();
-        $product_id = $_POST['product_id'];
+        $product_id = absint( wp_unslash( $_POST['product_id']));
         $url = esc_url_raw(add_query_arg('pp_action', 'set_express_checkout', add_query_arg('wc-api', 'WC_Gateway_PayPal_Express_AngellEYE', home_url('/'))));
         if (!empty($_POST['wc-paypal_express-new-payment-method']) && $_POST['wc-paypal_express-new-payment-method'] == 'true') {
             $url = add_query_arg('ec_save_to_account', 'true', $url);
@@ -854,7 +854,7 @@ public function angelleye_ajax_generate_cart() {
                 if ($product->is_type('variable')) {
                     $attributes = array_map('wc_clean', json_decode(stripslashes($_POST['attributes']), true));
                     if(!empty($_POST['variation_id'])) {
-                        $variation_id = $_POST['variation_id'];
+                        $variation_id = absint( wp_unslash( $_POST['variation_id'] ) );
                     } else {
                         if (version_compare(WC_VERSION, '3.0', '<')) {
                             $variation_id = $product->get_matching_variation($attributes);

diff --git a/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-request-angelleye.php b/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-request-angelleye.php
@@ -152,7 +152,7 @@ public function angelleye_redirect_action($url) {
                 $query_str = parse_url($url, PHP_URL_QUERY);
                 parse_str($query_str, $query_params);
                 wp_send_json(array(
-                    'token' => $query_params['token']
+                    'token' => wc_clean($query_params['token'])
                 ));
                 exit();
             }
@@ -241,7 +241,7 @@ public function angelleye_get_express_checkout_details() {
                 if ($this->angelleye_ec_force_to_display_checkout_page()) {
                     if ($this->angelleye_ec_force_to_display_checkout_page()) {
                         if (!empty($_GET['pay_for_order']) && $_GET['pay_for_order'] == true && !empty($_GET['key'])) {
-                            WC()->session->set('order_awaiting_payment', $_GET['order_id']);
+                            WC()->session->set('order_awaiting_payment', absint( wp_unslash( $_GET['order_id'] ) ) ) ;
                         } else {
                             $this->angelleye_wp_safe_redirect(wc_get_checkout_url(), 'get_express_checkout_details');
                         }
@@ -592,7 +592,7 @@ public function angelleye_set_express_checkout_request() {
                         'utm_nooverride' => 1
                                     ), WC()->api_request_url('WC_Gateway_PayPal_Express_AngellEYE')));
                 }
-                WC()->session->set('order_awaiting_payment', $order_id);
+                WC()->session->set('order_awaiting_payment', absint( wp_unslash( $order_id) ) );
             } else {
                 $this->cart_param = $this->gateway_calculation->cart_calculation();
                 $order_total = WC()->cart->total;
@@ -703,13 +703,13 @@ public function angelleye_set_express_checkout_request() {
                             $Payment['shiptoname'] = wc_clean(stripslashes($shiptoname));
                         }
 
-                        $Payment['shiptostreet'] = !empty($post_data['billing_address_1']) ? $post_data['billing_address_1'] : '';
-                        $Payment['shiptostreet2'] = !empty($post_data['billing_address_2']) ? $post_data['billing_address_2'] : '';
+                        $Payment['shiptostreet'] = !empty($post_data['billing_address_1']) ? wc_clean($post_data['billing_address_1']) : '';
+                        $Payment['shiptostreet2'] = !empty($post_data['billing_address_2']) ? wc_clean($post_data['billing_address_2']) : '';
                         $Payment['shiptocity'] = !empty($post_data['billing_city']) ? wc_clean(stripslashes($post_data['billing_city'])) : '';
-                        $Payment['shiptostate'] = !empty($post_data['billing_state']) ? $post_data['billing_state'] : '';
-                        $Payment['shiptozip'] = !empty($post_data['billing_postcode']) ? $post_data['billing_postcode'] : '';
-                        $Payment['shiptocountrycode'] = !empty($post_data['billing_country']) ? $post_data['billing_country'] : '';
-                        $Payment['shiptophonenum'] = !empty($post_data['billing_phone']) ? $post_data['billing_phone'] : '';
+                        $Payment['shiptostate'] = !empty($post_data['billing_state']) ? wc_clean($post_data['billing_state']) : '';
+                        $Payment['shiptozip'] = !empty($post_data['billing_postcode']) ? wc_clean($post_data['billing_postcode']) : '';
+                        $Payment['shiptocountrycode'] = !empty($post_data['billing_country']) ? wc_clean($post_data['billing_country']) : '';
+                        $Payment['shiptophonenum'] = !empty($post_data['billing_phone']) ? wc_clean($post_data['billing_phone']) : '';
                     }
                 } elseif (is_user_logged_in()) {
                     if (version_compare(WC_VERSION, '3.0', '<')) {
@@ -1272,7 +1272,7 @@ public function DoReferenceTransaction($order_id) {
         $PayPalRequestData = array();
         $referenceid = get_post_meta($order_id, '_payment_tokens_id', true);
         if (!empty($_POST['wc-paypal_express-payment-token'])) {
-            $token_id = $_POST['wc-paypal_express-payment-token'];
+            $token_id = wc_clean($_POST['wc-paypal_express-payment-token']);
             $token = WC_Payment_Tokens::get($token_id);
             $referenceid = $token->get_token();
         }

diff --git a/classes/lib/angelleye/paypal-php-library/includes/paypal.nvp.callback.php b/classes/lib/angelleye/paypal-php-library/includes/paypal.nvp.callback.php
diff --git a/classes/wc-gateway-braintree-angelleye.php b/classes/wc-gateway-braintree-angelleye.php
@@ -1244,7 +1244,7 @@ public function payment_scripts() {
     }
 
     public static function get_posted_variable($variable, $default = '') {
-        return ( isset($_POST[$variable]) ? $_POST[$variable] : $default );
+        return ( isset($_POST[$variable]) ? wc_clean($_POST[$variable]) : $default );
     }
 
     function get_transaction_url($order) {

diff --git a/classes/wc-gateway-calculations-angelleye.php b/classes/wc-gateway-calculations-angelleye.php
@@ -436,14 +436,4 @@ public function angelleye_disable_line_item() {
         }
 
     }
-
-
-
-
-
-
-
-
-
-
 endif;