From 21a52175bc2647aad32d42c2e93b15051bbdd859 Mon Sep 17 00:00:00 2001
From: Utsav-Ladani <201901076@daiict.ac.in>
Date: Wed, 18 Oct 2023 16:52:20 +0530
Subject: [PATCH 1/2] fix(app): 275 Fix PHP@8.1 deprecation errors and enhance security checks Replace FILTER_SANITIZE_STRING with FILTER_SANITIZE_FULL_SPECIAL_CHARS. Change escaping functions. Correct 'user is admin1' check. Closes: 275
---
 .../partials/rt-transcoder-admin-display.php | 2 +-
 admin/rt-retranscode-admin.php | 35 +++++++---------
 admin/rt-transcoder-admin.php | 4 +-
 admin/rt-transcoder-functions.php | 17 +++-----
 admin/rt-transcoder-handler.php | 40 +++++++++----------
 inc/helpers/custom-functions.php | 2 +-
 6 files changed, 45 insertions(+), 55 deletions(-)
diff --git a/admin/partials/rt-transcoder-admin-display.php b/admin/partials/rt-transcoder-admin-display.php
index 3a333c31..5af85baa 100755
--- a/admin/partials/rt-transcoder-admin-display.php
+++ b/admin/partials/rt-transcoder-admin-display.php
@@ -8,7 +8,7 @@
  * @subpackage Transcoder/Admin/Partials
  */
-$current_page = transcoder_filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING );
+$current_page = transcoder_filter_input( INPUT_GET, 'page', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
 ?>
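Review bot: `FILTER_SANITIZE_FULL_SPECIAL_CHARS` is not a drop-in for `FILTER_SANITIZE_STRING`: the old filter stripped tags and encoded only quotes, the new one entity-encodes `<`, `>` and `&` as well, so every `&` in `page` here becomes `&amp;` before the value is compared, stored or printed. The same substitution is made for `page` and `rtmedia-thumbnail` in rt-transcoder-admin.php (@@ -185, @@ -377), the `get_server_var` default in rt-transcoder-functions.php (@@ -1018), the `apikey`, `job_manager_form` and API-key notice parameters in rt-transcoder-handler.php, and the callback fields in `filter_transcoder_response` (@@ -1641). Values that are only tested for emptiness are unaffected, but `get_server_var` (if its callers build URLs from `REQUEST_URI`-style values), `file_name`, `rtmedia-thumbnail` and the JSON echoed by `enter_api_key` will now carry encoded text, and anything later passed through `esc_html`/`esc_attr` is encoded twice. For values that are compared or stored rather than printed, the usual PHP 8.1 migration is to read them raw and sanitize, e.g. `$current_page = sanitize_text_field( (string) transcoder_filter_input( INPUT_GET, 'page', FILTER_DEFAULT ) );`, keeping HTML escaping at the output site.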

diff --git a/admin/rt-retranscode-admin.php b/admin/rt-retranscode-admin.php index 461b844a..5173c309 100644 --- a/admin/rt-retranscode-admin.php +++ b/admin/rt-retranscode-admin.php @@ -122,7 +122,6 @@ public function add_admin_menu() { 'rt-retranscoder', array( $this, 'retranscode_interface' ) ); - } /** @@ -230,7 +229,7 @@ public function add_bulk_actions_via_javascript() { ?> ?> - + - + @@ -422,7 +421,7 @@ public function retranscode_interface() {

-

+

@@ -594,7 +593,7 @@ function RetranscodeMedia( id ) {

-

+

@@ -717,10 +716,10 @@ public function die_json_error_msg( $id, $message ) { /** * Helper function to escape quotes in strings for use in Javascript * - * @param string $string String to escape quotes from. + * @param string $str String to escape quotes from. */ - public function esc_quotes( $string ) { - return str_replace( '"', '\"', $string ); + public function esc_quotes( $str ) { + return str_replace( '"', '\"', $str ); } /** @@ -744,7 +743,7 @@ private function retranscode_admin_error_notice() { * @param number $media_id Post ID of the media. * @param array $post_request Post request coming for the transcoder API. */ - public function rtt_before_thumbnail_store( $media_id = '', $post_request = '' ) { + public function rtt_before_thumbnail_store( $media_id = '', $post_request = '' ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.FoundAfterLastUsed if ( empty( $media_id ) ) { return; } @@ -767,7 +766,6 @@ public function rtt_before_thumbnail_store( $media_id = '', $post_request = '' ) rtt_delete_transcoded_files( $previous_thumbs ); } delete_post_meta( $media_id, '_rt_media_thumbnails' ); - } /** @@ -776,7 +774,7 @@ public function rtt_before_thumbnail_store( $media_id = '', $post_request = '' ) * @param number $media_id Post ID of the media. * @param array $transcoded_files Post request coming for the transcoder API. */ - public function rtt_before_transcoded_media_store( $media_id = '', $transcoded_files = '' ) { + public function rtt_before_transcoded_media_store( $media_id = '', $transcoded_files = '' ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.FoundAfterLastUsed if ( empty( $media_id ) ) { return; } @@ -791,7 +789,6 @@ public function rtt_before_transcoded_media_store( $media_id = '', $transcoded_f } } delete_post_meta( $media_id, '_rt_media_transcoded_files' ); - } /** 
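Review bot: `esc_quotes` still escapes only the double quote, so a value that already contains a backslash before a quote (`\"`) comes out as `\\"`, which a JavaScript parser reads as an escaped backslash followed by an unescaped quote; newlines and `</script>` are not handled either, and the rename to `$str` does not change any of that. If the callers (outside this hunk) embed the result in an inline script, `esc_js( $str )` or `wp_json_encode( $str )` gives a context-correct escape; at minimum the backslash must be escaped first, `return str_replace( array( '\\', '"' ), array( '\\\\', '\"' ), $str );`. The `@param` line could then document the intended context: `@param string $str Value to embed inside a double-quoted JavaScript string.`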
@@ -872,7 +869,7 @@ public function transcoded_thumbnails_added( $media_id = '' ) { * @param number $attachment_id Post ID of the media. * @param string $job_id Unique job ID of the transcoding request. */ - public function rtt_handle_callback_finished( $attachment_id = '', $job_id = '' ) { + public function rtt_handle_callback_finished( $attachment_id = '', $job_id = '' ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.FoundAfterLastUsed if ( empty( $attachment_id ) ) { return; } @@ -884,7 +881,6 @@ public function rtt_handle_callback_finished( $attachment_id = '', $job_id = '' delete_post_meta( $attachment_id, '_rt_retranscoding_sent' ); } - } /** @@ -1015,7 +1011,6 @@ public function add_search_mime_types( $where ) { $where .= " AND post_mime_type LIKE 'audio/%' OR post_mime_type LIKE 'video/%'"; return $where; } - } // Start up this plugin. @@ -1024,7 +1019,7 @@ public function add_search_mime_types( $where ) { /** * Execute RetranscodeMedia constructor. */ -function retranscode_media() { +function retranscode_media() { // phpcs:ignore Universal.Files.SeparateFunctionsFromOO.Mixed global $RetranscodeMedia; // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase diff --git a/admin/rt-transcoder-admin.php b/admin/rt-transcoder-admin.php index b216a397..7e8d718d 100755 --- a/admin/rt-transcoder-admin.php +++ b/admin/rt-transcoder-admin.php @@ -185,7 +185,7 @@ public function disable_encoding() { public function enqueue_scripts_styles() { global $pagenow; - $page = transcoder_filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING ); + $page = transcoder_filter_input( INPUT_GET, 'page', FILTER_SANITIZE_FULL_SPECIAL_CHARS ); if ( 'admin.php' !== $pagenow || 'rt-transcoder' !== $page ) { return; 
@@ -377,7 +377,7 @@ public function edit_video_thumbnail_( $form_fields, $post ) { */ public function save_video_thumbnail( $post ) { - $rtmedia_thumbnail = transcoder_filter_input( INPUT_POST, 'rtmedia-thumbnail', FILTER_SANITIZE_STRING ); + $rtmedia_thumbnail = transcoder_filter_input( INPUT_POST, 'rtmedia-thumbnail', FILTER_SANITIZE_FULL_SPECIAL_CHARS ); $id = ( ! empty( $post['ID'] ) && 0 < intval( $post['ID'] ) ) ? intval( $post['ID'] ) : 0; if ( isset( $rtmedia_thumbnail ) ) { diff --git a/admin/rt-transcoder-functions.php b/admin/rt-transcoder-functions.php index 80fb2ee7..92f72915 100755 --- a/admin/rt-transcoder-functions.php +++ b/admin/rt-transcoder-functions.php @@ -165,7 +165,6 @@ function rt_media_get_video_thumbnail( $attachment_id ) { } return false; - } /** @@ -204,7 +203,6 @@ function rtt_get_media_url( $attachment_id, $media_type = 'mp4' ) { } return $final_file_url; - } if ( ! function_exists( 'rtt_update_activity_after_thumb_set' ) ) { @@ -460,7 +458,7 @@ function rtt_bp_get_activity_content( $content, $activity = null ) { } // If media is sent to the transcoder then show the message. if ( is_file_being_transcoded( $media->media_id ) ) { - if ( current_user_can( 'administrator' ) && '1' === get_option( 'rtt_client_check_status_button', false ) ) { + if ( current_user_can( 'manage_options' ) && '1' === get_option( 'rtt_client_check_status_button', false ) ) { $check_button_text = __( 'Check Status', 'transcoder' ); @@ -706,7 +704,6 @@ function rtt_add_status_columns_head( $defaults ) { $defaults['convert_status'] = __( 'Transcode Status', 'transcoder' ); return $defaults; - } add_filter( 'manage_media_columns', 'rtt_add_status_columns_head' ); @@ -765,7 +762,6 @@ function rtt_status_column_register_sortable( $columns ) { $columns['convert_status'] = 'convert_status'; return $columns; - } add_filter( 'manage_upload_sortable_columns', 'rtt_status_column_register_sortable' ); 
@@ -778,11 +774,11 @@ function rtt_status_column_register_sortable( $columns ) { */ function rtt_enqueue_scripts() { - if ( current_user_can( 'administrator' ) ) { + if ( current_user_can( 'manage_options' ) ) { wp_register_script( 'rt_transcoder_js', plugins_url( 'js/rt-transcoder.min.js', __FILE__ ), array(), RT_TRANSCODER_VERSION, false ); $translation_array = array( - 'load_flag' => current_user_can( 'administrator' ), + 'load_flag' => true, 'security_nonce' => esc_js( wp_create_nonce( 'check-transcoding-status-ajax-nonce' ) ), ); @@ -859,7 +855,6 @@ function rtt_ajax_process_check_status_request() { } wp_die(); - } // Action added to handle check_status onclick request. @@ -916,7 +911,7 @@ function rtt_add_transcoding_process_status_button_single_media_page( $rtmedia_i if ( is_file_being_transcoded( $post_id ) ) { - if ( current_user_can( 'administrator' ) && '1' === get_option( 'rtt_client_check_status_button', false ) ) { + if ( current_user_can( 'manage_options' ) && '1' === get_option( 'rtt_client_check_status_button', false ) ) { $message = sprintf( '
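Review bot: The `manage_options` gate in `rtt_enqueue_scripts` only decides whether the script and the `check-transcoding-status-ajax-nonce` nonce are emitted; it is not a server-side authorization, and hard-coding `'load_flag' => true` makes that explicit. The AJAX endpoint `rtt_ajax_process_check_status_request` (its hunk at @@ -859 shows only the trailing `wp_die()`) must therefore verify the nonce and capability itself, along the lines of `check_ajax_referer( 'check-transcoding-status-ajax-nonce', 'security' );` followed by `if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }` — I cannot confirm from this diff whether it already does, and the parameter name the nonce is posted under is not visible here. The same UI-only gating applies to the `Check Status` buttons in @@ -460 (rt-transcoder-functions.php, previous physical line) and @@ -916.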
%3$s
', esc_attr( $post_id ), @@ -988,7 +983,7 @@ function rtt_filter_single_media_page_video_markup( $html, $rtmedia_media ) { * @param int $attachment_id ID of attachment. * @param string $autoformat If true then generating thumbs only else trancode video. */ -function rtt_media_update_usage( $wp_metadata, $attachment_id, $autoformat = true ) { +function rtt_media_update_usage( $wp_metadata, $attachment_id, $autoformat = true ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.FoundAfterLastUsed $stored_key = get_site_option( 'rt-transcoding-api-key' ); $transient_flag = get_transient( 'rtt_usage_update_flag' ); @@ -1018,7 +1013,7 @@ function rtt_media_update_usage( $wp_metadata, $attachment_id, $autoformat = tru * * @return string Filtered value if supports. */ -function get_server_var( $server_key, $filter_type = FILTER_SANITIZE_STRING ) { +function get_server_var( $server_key, $filter_type = FILTER_SANITIZE_FULL_SPECIAL_CHARS ) { $server_val = ''; if ( function_exists( 'filter_input' ) && filter_has_var( INPUT_SERVER, $server_key ) ) { $server_val = transcoder_filter_input( INPUT_SERVER, $server_key, $filter_type ); diff --git a/admin/rt-transcoder-handler.php b/admin/rt-transcoder-handler.php index be2a8cea..27bed378 100755 --- a/admin/rt-transcoder-handler.php +++ b/admin/rt-transcoder-handler.php 
@@ -464,9 +464,9 @@ public function usage_quota_over() { * @since 1.0.0 */ public function save_api_key() { - $is_api_key_updated = transcoder_filter_input( INPUT_GET, 'api-key-updated', FILTER_SANITIZE_STRING ); - $is_invalid_license_key = transcoder_filter_input( INPUT_GET, 'invalid-license-key', FILTER_SANITIZE_STRING ); - $is_localhost = transcoder_filter_input( INPUT_GET, 'need-public-host', FILTER_SANITIZE_STRING ); + $is_api_key_updated = transcoder_filter_input( INPUT_GET, 'api-key-updated', FILTER_SANITIZE_FULL_SPECIAL_CHARS ); + $is_invalid_license_key = transcoder_filter_input( INPUT_GET, 'invalid-license-key', FILTER_SANITIZE_FULL_SPECIAL_CHARS ); + $is_localhost = transcoder_filter_input( INPUT_GET, 'need-public-host', FILTER_SANITIZE_FULL_SPECIAL_CHARS ); if ( $is_api_key_updated ) { if ( is_multisite() ) { @@ -588,7 +588,7 @@ public function successfully_subscribed_notice() {

nofity_transcoding_failed( $job_id, $error_msg ); @@ -1183,7 +1183,7 @@ public function handle_callback() { } else { // To check if request is sumitted from the WP Job Manager plugin ( https://wordpress.org/plugins/wp-job-manager/ ). - $job_manager_form = transcoder_filter_input( INPUT_POST, 'job_manager_form', FILTER_SANITIZE_STRING ); + $job_manager_form = transcoder_filter_input( INPUT_POST, 'job_manager_form', FILTER_SANITIZE_FULL_SPECIAL_CHARS ); if ( isset( $job_id ) && ! empty( $job_id ) && class_exists( 'RTDBModel' ) && empty( $job_manager_form ) ) { @@ -1281,7 +1281,7 @@ public function hide_transcoding_notice() { * @since 1.0 */ public function enter_api_key() { - $apikey = transcoder_filter_input( INPUT_GET, 'apikey', FILTER_SANITIZE_STRING ); + $apikey = transcoder_filter_input( INPUT_GET, 'apikey', FILTER_SANITIZE_FULL_SPECIAL_CHARS ); if ( ! empty( $apikey ) ) { echo wp_json_encode( array( 'apikey' => $apikey ) ); } else { 
@@ -1641,16 +1641,16 @@ private function filter_transcoder_response() {
 $post_var = $_POST; // phpcs:ignore WordPress.Security.NonceVerification.Missing
 $filter_post_args = array(
- 'job_id' => FILTER_SANITIZE_STRING,
- 'job_type' => FILTER_SANITIZE_STRING,
- 'job_for' => FILTER_SANITIZE_STRING,
- 'format' => FILTER_SANITIZE_STRING,
+ 'job_id' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+ 'job_type' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+ 'job_for' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+ 'format' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
 'download_url' => FILTER_SANITIZE_URL,
- 'file_name' => FILTER_SANITIZE_STRING,
+ 'file_name' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
 'thumb_count' => FILTER_SANITIZE_NUMBER_INT,
- 'status' => FILTER_SANITIZE_STRING,
- 'error_msg' => FILTER_SANITIZE_STRING,
- 'error_code' => FILTER_SANITIZE_STRING,
+ 'status' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+ 'error_msg' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+ 'error_code' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
 );
 $post_array = filter_input_array( INPUT_POST, $filter_post_args );
diff --git a/inc/helpers/custom-functions.php b/inc/helpers/custom-functions.php
index 36f1c885..27a547b6 100644
--- a/inc/helpers/custom-functions.php
+++ b/inc/helpers/custom-functions.php
@@ -38,7 +38,7 @@ function transcoder_filter_input( $type, $variable_name, $filter = FILTER_DEFAUL
 * Code is not running on PHP Cli and we are in clear.
 * Use the PHP method and bail out.
 */
- if ( ! empty( $sanitized_variable ) && FILTER_SANITIZE_STRING === $filter ) {
+ if ( ! empty( $sanitized_variable ) && FILTER_SANITIZE_FULL_SPECIAL_CHARS === $filter ) {
 $sanitized_variable = sanitize_text_field( $sanitized_variable );
 }
From 42680e908c752884152be7b081d5fd49b2c97752 Mon Sep 17 00:00:00 2001
From: Utsav-Ladani <201901076@daiict.ac.in>
Date: Wed, 18 Oct 2023 17:31:58 +0530
Subject: [PATCH 2/2] fix(app): 275 Remove trailing php ending tag from end of the file
---
 admin/rt-retranscode-admin.php | 2 --
 1 file changed, 2 deletions(-)
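Review bot: In `transcoder_filter_input` the `sanitize_text_field()` pass now runs on a value that `FILTER_SANITIZE_FULL_SPECIAL_CHARS` has already entity-encoded, so two unrelated sanitizers are stacked and `&` reaches callers as `&amp;`; since `sanitize_text_field()` is itself WordPress's replacement for `FILTER_SANITIZE_STRING` (it strips tags and control characters), the cleaner shape is to apply it to the raw value, `if ( is_string( $sanitized_variable ) && FILTER_DEFAULT === $filter ) {` / `$sanitized_variable = sanitize_text_field( $sanitized_variable );`, and let callers that want plain text pass `FILTER_DEFAULT`. The `! empty()` guard also skips the sanitizer for the string `'0'`, which is harmless but shows the condition is really a non-null check. `filter_transcoder_response` (@@ -1641, same physical line) calls `filter_input_array()` directly and never reaches this helper, so `job_id`, `file_name` and `error_msg` from the transcoder callback are entity-encoded with nothing stripped: a callback `file_name` of `a&b.mp4` would be kept as `a&amp;b.mp4`, and `error_msg` would be encoded twice if it is later escaped for display. The body of `transcoder_filter_input` continues outside the hunk.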
diff --git a/admin/rt-retranscode-admin.php b/admin/rt-retranscode-admin.php
index 5173c309..45fcccf9 100644
--- a/admin/rt-retranscode-admin.php
+++ b/admin/rt-retranscode-admin.php
@@ -1025,5 +1025,3 @@ function retranscode_media() { // phpcs:ignore Universal.Files.SeparateFunctions
 $RetranscodeMedia = new RetranscodeMedia(); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
 }
-
-?>