Code Cleanup / sanitize input early and escape output late.
radgeek committed Feb 22, 2022
1 parent 41da179 commit a98028e
Showing 4 changed files with 70 additions and 59 deletions.
84 changes: 41 additions & 43 deletions feedwordpress.php
Expand Up @@ -48,11 +48,11 @@
define ('DEFAULT_UPDATE_PERIOD', 60); // value in minutes
define ('FEEDWORDPRESS_DEFAULT_CHECKIN_INTERVAL', DEFAULT_UPDATE_PERIOD/10);

if (isset($_REQUEST['feedwordpress_debug'])) :
$feedwordpress_debug = sanitize_text_field($_REQUEST['feedwordpress_debug']);
else :
$feedwordpress_debug = get_option('feedwordpress_debug');
endif;
// Dependencies: modules packaged with FeedWordPress plugin
$dir = dirname( __FILE__ );
require_once("${dir}/externals/myphp/myphp.class.php");

$feedwordpress_debug = FeedWordPress::param( 'feedwordpress_debug', get_option('feedwordpress_debug') );

if (is_string($feedwordpress_debug)) :
$feedwordpress_debug = ($feedwordpress_debug == 'yes');
Expand Down Expand Up @@ -126,9 +126,8 @@
require_once(ABSPATH . WPINC . "/class-feed.php");
endif;

// Dependences: modules packaged with FeedWordPress plugin
$dir = dirname(__FILE__);
require_once("${dir}/externals/myphp/myphp.class.php");
// Dependencies: modules packaged with FeedWordPress plugin
$dir = dirname( __FILE__ );
require_once("${dir}/feedwordpressadminpage.class.php");
require_once("${dir}/feedwordpresssettingsui.class.php");
require_once("${dir}/feedwordpressdiagnostic.class.php");
Expand Down Expand Up @@ -692,11 +691,7 @@ public function check_debug () {
// This is a horrible fucking kludge that I have to do because the
// admin notice code is triggered before the code that updates the
// setting.
if (isset($_REQUEST['feedwordpress_debug'])) :
$feedwordpress_debug = sanitize_text_field($_REQUEST['feedwordpress_debug']);
else :
$feedwordpress_debug = get_option('feedwordpress_debug');
endif;
$feedwordpress_debug = FeedWordPress::param( 'feedwordpress_debug', get_option( 'feedwordpress_debug' ) );

FeedWordPressSettingsUI::get_template_part('notice-debug-mode', $feedwordpress_debug, 'html');
} /* function FeedWordPress::check_debug () */
Expand Down Expand Up @@ -954,16 +949,16 @@ public function automatic_update_hook ($params = array()) {

public function last_update_all () {
$last = get_option('feedwordpress_last_update_all');
if ($this->has_secret() and MyPHP::request('automatic_update')) :
if ( $this->has_secret() and FeedWordPress::param('automatic_update') ) :
$last = 1; // A long, long time ago.
elseif ($this->has_secret() and MyPHP::request('last_update_all')) :
$last = MyPHP::request('last_update_all');
elseif ( $this->has_secret() and FeedWordPress::param('last_update_all') ) :
$last = FeedWordPress::param( 'last_update_all' );
endif;
return $last;
} /* FeedWordPress::last_update_all () */

public function force_update_all () {
return ($this->has_secret() and MyPHP::request('force_update_feeds'));
return ($this->has_secret() and FeedWordPress::param( 'force_update_feeds' ));
} /* FeedWordPress::force_update_all () */

public function stale () {
Expand Down Expand Up @@ -1047,7 +1042,7 @@ static function admin_init () {
wp_die( sprintf( __( 'You cannot retire this item. %s is currently editing.' ), $user->display_name ) );
endif;

if (MyPHP::request('fwp_post_delete')=='zap') :
if (FeedWordPress::param( 'fwp_post_delete' ) == 'zap') :
FeedWordPress::diagnostic('syndicated_posts', 'Zapping existing post # '.$p->ID.' "'.$p->post_title.'" due to user request.');

$old_status = $post->post_status;
Expand Down Expand Up @@ -1088,11 +1083,11 @@ public function admin_api () {
// magic parameter is activated, the WordPress trashcan is
// temporarily de-activated.

if (MyPHP::request('fwp_post_delete')=='nuke') :
if (FeedWordPress::param( 'fwp_post_delete' ) == 'nuke') :
// Get post ID #
$post_id = MyPHP::request('post');
$post_id = FeedWordPress::param( 'post' );
if (!$post_id) :
$post_id = MyPHP::request('post_ID');
$post_id = FeedWordPress::param( 'post_ID' );
endif;

// Make sure we've got the right nonce and all that.
Expand All @@ -1101,11 +1096,11 @@ public function admin_api () {
// If so, disable the trashcan.
define('EMPTY_TRASH_DAYS', 0);

elseif (MyPHP::request('fwp_post_delete')=='zap' OR MyPHP::request('fwp_post_delete') == 'unzap') :
elseif ( FeedWordPress::param( 'fwp_post_delete' ) == 'zap' || FeedWordPress::param( 'fwp_post_delete' ) == 'unzap' ) :
// Get post ID #
$post_id = MyPHP::request('post');
$post_id = FeedWordPress::param( 'post' );
if (!$post_id) :
$post_id = MyPHP::request('post_ID');
$post_id = FeedWordPress::param( 'post_ID' );
endif;

// Make sure we've got the right nonce and all that
Expand All @@ -1121,15 +1116,15 @@ public function admin_api () {
} /* FeedWordPress::admin_api () */

public function all_admin_notices () {
if (MyPHP::request('zapped')) :
$n = intval(MyPHP::request('zapped'));
if (FeedWordPress::param( 'zapped' )) :
$n = intval( FeedWordPress::param( 'zapped' ) );
?>
<div id="message" class="updated"><p><?php print esc_html( $n ); ?> syndicated item<?php print esc_html( $n != 1 ? 's' : '' ); ?> zapped. <strong>These items will not be re-syndicated.</strong> If this was a mistake, you must <strong>immediately</strong> Un-Zap them in the Zapped items section to avoid losing the data.</p></div>
<?php
endif;

if (MyPHP::request('unzapped')) :
$n = intval(MyPHP::request('unzapped'));
if ( FeedWordPress::param( 'unzapped' ) ) :
$n = intval( FeedWordPress::param( 'unzapped' ) );
?>
<div id="message" class="updated"><p><?php print esc-html( $n ); ?> syndicated item<?php print esc_html( $n != 1 ? 's' : '' ) ?> un-zapped and restored to normal.</p></div>
<?php
Expand Down Expand Up @@ -1298,7 +1293,7 @@ public function fwp_feeds () {
} /* FeedWordPress::fwp_feeds () */

public function fwp_feedcontents () {
$feed_id = MyPHP::request('feed_id');
$feed_id = FeedWordPress::param( 'feed_id' );

// Let's load up some data from the feed . . .
$feed = $this->subscription($feed_id);
Expand Down Expand Up @@ -1331,9 +1326,9 @@ public function fwp_feedcontents () {
} /* FeedWordPress::fwp_feedcontents () */

public function fwp_xpathtest () {
$xpath = MyPHP::request('xpath');
$feed_id = MyPHP::request('feed_id');
$post_id = MyPHP::request('post_id');
$xpath = FeedWordPress::param( 'xpath' );
$feed_id = FeedWordPress::param( 'feed_id' );
$post_id = FeedWordPress::param( 'post_id' );

$expr = new FeedWordPressParsedPostMeta($xpath);

Expand Down Expand Up @@ -1539,7 +1534,7 @@ public function clear_cache_magic_url () {
} /* FeedWordPress::clear_cache_magic_url() */

public function clear_cache_requested () {
return MyPHP::request('clear_cache');
return FeedWordPress::param( 'clear_cache' );
} /* FeedWordPress::clear_cache_requested() */

public function update_magic_url () {
Expand All @@ -1549,7 +1544,7 @@ public function update_magic_url () {
if (self::update_requested()) :
/*DBG*/ header("Content-Type: text/plain");

$this->update_hooked = "Initiating a CRON JOB CHECK-IN ON UPDATE SCHEDULE due to URL parameter = ".trim($this->val($_REQUEST['update_feedwordpress']));
$this->update_hooked = "Initiating a CRON JOB CHECK-IN ON UPDATE SCHEDULE due to URL parameter = " . trim( $this->val( FeedWordPress::param('update_feedwordpress' ) ) );

$this->update($this->update_requested_url());

Expand Down Expand Up @@ -1581,15 +1576,18 @@ public function update_magic_url () {
} /* FeedWordPress::update_magic_url () */

public static function update_requested () {
return MyPHP::request('update_feedwordpress');
return FeedWordPress::param( 'update_feedwordpress' );
} /* FeedWordPress::update_requested() */

public function update_requested_url () {
$ret = null;

if (($_REQUEST['update_feedwordpress']=='*')
or (preg_match('|^[a-z]+://.*|i', $_REQUEST['update_feedwordpress']))) :
$ret = $_REQUEST['update_feedwordpress'];
$uf = FeedWordPress::update_requested();
if (
( '*' == $uf )
|| ( preg_match( '|^[a-z]+://.*|i', $uf ) )
) :
$ret = $uf;
endif;

return $ret;
Expand Down Expand Up @@ -2032,7 +2030,7 @@ static function diagnostic ($level, $out, $persist = null, $since = null, $mostR
$output = get_option('feedwordpress_diagnostics_output', array());
$dlog = get_option('feedwordpress_diagnostics_log', array());

$diagnostic_nesting = count(explode(":", $level));
$diagnostic_nesting = count( explode( ":", $level ) );

if (FeedWordPressDiagnostic::is_on($level)) :
foreach ($output as $method) :
Expand All @@ -2044,14 +2042,14 @@ static function diagnostic ($level, $out, $persist = null, $since = null, $mostR
break;
case 'echo_in_cronjob' :
if (self::update_requested()) :
echo self::log_prefix()." ".$out."\n";
echo self::log_prefix() . ' ' . esc_html( $out ) . "\n";
endif;
break;
case 'admin_footer' :
$feedwordpress_admin_footer[] = $out;
break;
case 'error_log' :
error_log(self::log_prefix().' '.$out);
error_log(self::log_prefix() . ' ' . $out);
break;
case 'email' :

Expand All @@ -2077,7 +2075,7 @@ static function diagnostic ($level, $out, $persist = null, $since = null, $mostR
} /* FeedWordPress::diagnostic () */

public function email_diagnostics_override () {
return ($this->has_secret() and isset($_REQUEST['feedwordpress_email_diagnostics']) and !!$_REQUEST['feedwordpress_email_diagnostics']);
return ( $this->has_secret() and ! ! FeedWordPress::param( 'feedwordpress_email_diagnostics' ) );
} /* FeedWordPress::email_diagnostics_override () */

public function has_emailed_diagnostics ($dlog) {
Expand Down Expand Up @@ -2235,7 +2233,7 @@ static function allow_html_mail () {
static function admin_footer () {
global $feedwordpress_admin_footer;
foreach ($feedwordpress_admin_footer as $line) :
echo '<div><pre>'.$line.'</pre></div>';
echo '<div><pre>' . esc_html( $line ) . '</pre></div>';
endforeach;
} /* FeedWordPress::admin_footer () */

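Review bot: The un-zapped notice in all_admin_notices() calls `esc-html( $n )` on the context line directly after the new `$n = intval( FeedWordPress::param( 'unzapped' ) );`; unless that hyphen is a rendering artefact, PHP parses it as `esc - html($n)` and the notice fails with an undefined-function error the first time it renders, so it should read `esc_html( $n )` like the zapped notice a few lines above. Separately, diagnostic()'s `echo_in_cronjob` branch now HTML-escapes `$out`, but that branch runs only when update_requested() is true, and update_magic_url() appears to send `header("Content-Type: text/plain")` on that same path, so ampersands and quotes in diagnostic text would show up as entities in a plain-text response rather than being protected. last_update_all() and update_requested_url() still hand back the request value untouched, so a caller expecting a timestamp receives a string; `$last = intval( FeedWordPress::param( 'last_update_all' ) );` would pin the type. all_admin_notices() and diagnostic() both continue past their hunks.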
22 changes: 14 additions & 8 deletions feedwordpress.wp-admin.post-edit.functions.php
Expand Up @@ -54,9 +54,12 @@ function feedwordpress_post_edit_controls () {
endif;
} /* function feedwordpress_post_edit_controls () */

function feedwordpress_save_post_edit_controls ( $post_id ) {
function feedwordpress_save_post_edit_controls( $post_id ) {
global $post;
if (!isset($_POST['feedwordpress_noncename']) or !wp_verify_nonce($_POST['feedwordpress_noncename'], plugin_basename(__FILE__))) :

$noncename = FeedWordPress::post( 'feedwordpress_noncename' );

if ( is_null( $noncename ) || ! wp_verify_nonce( $noncename, plugin_basename( __FILE__ ) ) ) :
return $post_id;
endif;

Expand All @@ -69,12 +72,15 @@ function feedwordpress_save_post_edit_controls ( $post_id ) {
// The data in $_POST is for applying only to the post actually
// in the edit window, i.e. $post
if ($post_id != $post->ID) :
return $post_id;
return $post_id;
endif;

// Check permissions
$cap[0] = 'edit_post';
$cap[1] = 'edit_' . $_POST['post_type'];

$post_type = FeedWordPress::post( 'post_type' );
$cap[1] = sanitize_key( 'edit_' . $post_type );

if (
!current_user_can( $cap[0], $post_id )
and !current_user_can( $cap[1], $post_id )
Expand All @@ -83,10 +89,10 @@ function feedwordpress_save_post_edit_controls ( $post_id ) {
endif;

// OK, we're golden. Now let's save some data.
if (isset($_POST['freeze_updates'])) :
$sFreezeUpdates = sanitize_text_field($_POST['freeze_updates']);
update_post_meta($post_id, '_syndication_freeze_updates', sanitize_meta('_syndication_freeze_updates', $sFreezeUpdates, 'post'));
$ret = $sFreezeUpdates;
$freeze_updates = FeedWordPress::post( 'freeze_updates' );
if ( ! is_null( $freeze_updates ) ) :
update_post_meta($post_id, '_syndication_freeze_updates', sanitize_meta('_syndication_freeze_updates', $freeze_updates, 'post'));
$ret = $freeze_updates;

// If you make manual edits through the WordPress editing
// UI then they should be run through normal WP formatting
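Review bot: The capability name built at `$cap[1] = sanitize_key( 'edit_' . $post_type );` is still derived from the submitted `post_type` field, even though the function has just confirmed `$post_id == $post->ID` against the global `$post`; the post object is the trustworthy source for the type, e.g. `$cap[1] = 'edit_' . $post->post_type;`, so the check cannot be steered by the form payload. The `sanitize_text_field()` that previously wrapped `freeze_updates` has been dropped and whether `FeedWordPress::post()` sanitizes is not visible on this page — if it returns the raw `$_POST` value, the stored meta is only as clean as the sanitizer registered for `_syndication_freeze_updates`, which is worth confirming. feedwordpress_save_post_edit_controls() continues past the last hunk.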
13 changes: 7 additions & 6 deletions feedwordpressdiagnostic.class.php
Expand Up @@ -66,13 +66,14 @@ public static function critical_bug ($varname, $var, $line, $file = NULL) {
endif;

print '<p><strong>Critical error:</strong> There may be a bug in FeedWordPress. Please <a href="'.FEEDWORDPRESS_AUTHOR_CONTACT.'">contact the author</a> and paste the following information into your e-mail:</p>';
print "\n<plaintext>";
print "Triggered at ${location}\n";
print "FeedWordPress: ".FEEDWORDPRESS_VERSION."\n";
print "WordPress: {$wp_version}\n";
print "PHP: ".phpversion()."\n";
print "\n<pre>";
print "Triggered at " . esc_html($location) . "\n";
print "FeedWordPress: " . esc_html( FEEDWORDPRESS_VERSION ) . "\n";
print "WordPress: " . esc_html( $wp_version ) . "\n";
print "PHP: " . esc_html( phpversion() ) . "\n";
print "Error data: ";
print $varname.": "; var_dump($var); echo "\n";
print esc_html($varname) . ": " . esc_html( MyPHP::val( $var ) ) . "\n";
print "\n</pre>";
die;
} /* FeedWordPressDiagnostic::critical_bug () */

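Review bot: The `<a href="'.FEEDWORDPRESS_AUTHOR_CONTACT.'">` on the context line at the top of this hunk is the one interpolation in critical_bug()'s output that is left unescaped; it is a plugin constant rather than request data, so the exposure is low, but for a uniform escaping policy alongside the esc_html() calls added below it, `esc_url( FEEDWORDPRESS_AUTHOR_CONTACT )` is the matching helper for an href. critical_bug() begins before this hunk, where `$location` is presumably assembled.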
10 changes: 8 additions & 2 deletions feedwordpresssyndicationpage.class.php
Expand Up @@ -882,8 +882,14 @@ function multidelete_page () {
if (count($alter) > 0) :
echo "<div class=\"updated\">\n";
if (count($errs) > 0) :
echo "There were some problems processing your ";
echo "unsubscribe request. [SQL: ".implode('; ', $errs)."]";
echo "There were some problems processing your unsubscribe request. [SQL: ";
$sep = '';
foreach ( $errs as $err ) :
print esc_html($sep);
print esc_html($err);
$sep = '; ';
endforeach;
echo "]";
else :
echo "Your unsubscribe request(s) have been processed.";
endif;
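Review bot: The six-line separator loop added in multidelete_page() can collapse to one escaped join, since `'; '` contains nothing esc_html() would alter: `echo "There were some problems processing your unsubscribe request. [SQL: " . esc_html( implode( '; ', $errs ) ) . "]";`. The message still surfaces raw SQL error text to the admin screen, which this commit keeps as before; if that is intentional a short comment saying so would help the next reader. multidelete_page() starts before this hunk.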
