From b691f2c618ed86993c071918691b07e0f2879e14 Mon Sep 17 00:00:00 2001
From: Stefan Kalscheuer
Date: Wed, 6 Mar 2019 17:23:06 +0100
Subject: [PATCH] adjust sanitization of settings and warning messages
---
inc/class-statifyblacklist-admin.php | 57 ++++++++++++-----
views/settings-page.php | 95 ++++++++++++++++++----------
2 files changed, 105 insertions(+), 47 deletions(-)
diff --git a/inc/class-statifyblacklist-admin.php b/inc/class-statifyblacklist-admin.php
index a148228..5fe6832 100644
--- a/inc/class-statifyblacklist-admin.php
+++ b/inc/class-statifyblacklist-admin.php
@@ -20,6 +20,9 @@ if ( ! defined( 'ABSPATH' ) ) {
* @since 1.0.0
*/
class StatifyBlacklist_Admin extends StatifyBlacklist {
+ const MODE_NORMAL = 0;
+ const MODE_REGEX = 1;
+ const MODE_REGEX_CI = 2;
/**
* Initialize admin-only components of the plugin.
@@ -61,27 +64,51 @@ class StatifyBlacklist_Admin extends StatifyBlacklist {
*/
public static function update_options( $options = null ) {
if ( isset( $options ) && current_user_can( 'manage_options' ) ) {
- // Sanitize URLs and remove empty inputs.
+
+ // Sanitize referer list.
$given_referer = $options['referer']['blacklist'];
- if ( 0 === $options['referer']['regexp'] ) {
+ if ( self::MODE_NORMAL === $options['referer']['regexp'] ) {
+ // Sanitize URLs and remove empty inputs.
$sanitized_referer = self::sanitizeURLs( $given_referer );
+ } elseif ( self::MODE_REGEX === $options['referer']['regexp'] || self::MODE_REGEX_CI === $options['referer']['regexp'] ) {
+ // TODO Check regular expressions.
+ $sanitized_referer = $given_referer;
} else {
$sanitized_referer = $given_referer;
}
- // Sanitize IPs and Subnets and remove empty inputs.
+ // Sanitize target list.
+ $given_target = $options['target']['blacklist'];
+ if ( self::MODE_REGEX === $options['target']['regexp'] || self::MODE_REGEX_CI === $options['target']['regexp'] ) {
+ // TODO Check regular expressions.
+ $sanitized_target = $given_target;
+ } else {
+ $sanitized_target = $given_target;
+ }
+
+ // Sanitize IPs and subnets and remove empty inputs.
$given_ip = $options['ip']['blacklist'];
$sanitized_ip = self::sanitizeIPs( $given_ip );
// Abort on errors.
- if ( ! empty( array_diff( array_keys( $given_referer ), array_keys( $sanitized_referer ) ) ) ) {
- return array(
- 'referer' => $sanitized_referer,
- );
- } elseif ( ! empty( array_diff( $given_ip, $sanitized_ip ) ) ) {
- return array(
- 'ip' => array_diff( $given_ip, $sanitized_ip ),
- );
+ $errors = [
+ 'referer' => [
+ 'sanitized' => $sanitized_referer,
+ 'diff' => array_diff( $given_referer, $sanitized_referer ),
+ ],
+ 'target' => [
+ 'sanitized' => $sanitized_target,
+ 'diff' => array_diff( $given_target, $sanitized_target ),
+ ],
+ 'ip' => [
+ 'sanitized' => $sanitized_ip,
+ 'diff' => array_diff( $given_ip, $sanitized_ip ),
+ ],
+ ];
+ if ( ! empty( $errors['referer']['diff'] )
+ || ! empty( $errors['target']['diff'] )
+ || ! empty( $errors['ip']['diff'] ) ) {
+ return $errors;
}
// Update database on success.
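Review bot: The regex branches at L34–L36 and L43–L45 store the admin-supplied patterns unchecked, so each `elseif` is currently identical to its `else`, and a malformed pattern will only surface later, when the matching code's preg_match returns false for it. Validating every pattern here — preg_match against an empty string returning `false`, or `preg_last_error() !== PREG_NO_ERROR` — and putting the failures into the new `diff` entries would let the settings page's not-saved path cover regex mode as well; because the referer and target lists arrive flipped (the patterns are the keys, see the `array_flip` calls in views/settings-page.php in this same patch), the check belongs on the keys, e.g. `array_filter( $given_referer, ..., ARRAY_FILTER_USE_KEY )`. Separately, the removed code diffed `array_keys` of the referer lists, whereas the new `array_diff( $given_referer, $sanitized_referer )` at L65 compares values, which for a flipped list are the line positions; unless sanitizeURLs preserves those values, a dropped URL will not appear in `diff` and the invalid input is silently accepted. update_options continues past the end of the hunk.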
@@ -300,10 +327,10 @@ class StatifyBlacklist_Admin extends StatifyBlacklist {
'/^((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/',
$ip
) ||
- preg_match(
- '/^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/',
- $ip
- );
+ preg_match(
+ '/^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/',
+ $ip
+ );
}
);
}
diff --git a/views/settings-page.php b/views/settings-page.php
index 27c0d93..42dcdb4 100755
--- a/views/settings-page.php
+++ b/views/settings-page.php
@@ -29,31 +29,61 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
// Extract referer array.
$referer_str = sanitize_textarea_field( wp_unslash( $_POST['statifyblacklist']['referer']['blacklist'] ) );
if ( empty( trim( $referer_str ) ) ) {
- $referer = array();
+ $referer = [];
} else {
- $referer = explode( "\r\n", $referer_str );
+ $referer = array_filter(
+ array_map(
+ function ( $a ) {
+ return trim( $a );
+ },
+ explode( "\r\n", $referer_str )
+ ),
+ function ( $a ) {
+ return ! empty( $a );
+ }
+ );
}
// Extract target array.
$target_str = sanitize_textarea_field( wp_unslash( $_POST['statifyblacklist']['target']['blacklist'] ) );
if ( empty( trim( $target_str ) ) ) {
- $target = array();
+ $target = [];
} else {
- $target = explode( "\r\n", str_replace( '\\\\', '\\', $target_str ) );
+ $target = array_filter(
+ array_map(
+ function ( $a ) {
+ return trim( $a );
+ },
+ explode( "\r\n", str_replace( '\\\\', '\\', $target_str ) )
+ ),
+ function ( $a ) {
+ return ! empty( $a );
+ }
+ );
}
// Extract IP array.
$ip_str = sanitize_textarea_field( wp_unslash( $_POST['statifyblacklist']['ip']['blacklist'] ) );
if ( empty( trim( $ip_str ) ) ) {
- $ip = array();
+ $ip = [];
} else {
- $ip = explode( "\r\n", $ip_str );
+ $ip = array_filter(
+ array_map(
+ function ( $a ) {
+ return trim( $a );
+ },
+ explode( "\r\n", $ip_str )
+ ),
+ function ( $a ) {
+ return ! empty( $a );
+ }
+ );
}
// Update options (data will be sanitized).
$statifyblacklist_update_result = StatifyBlacklist_Admin::update_options(
- array(
- 'referer' => array(
+ [
+ 'referer' => [
'active' => isset( $_POST['statifyblacklist']['referer']['active'] )
? (int) $_POST['statifyblacklist']['referer']['active'] : 0,
'cron' => isset( $_POST['statifyblacklist']['referer']['cron'] )
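Review bot: The filter closures at L116–L118, L135–L137 and L154–L156 use `! empty( $a )`, which also discards a trimmed line whose content is the string `0`, because `empty( '0' )` is true in PHP; `return '' !== $a;` keeps every non-blank line. The same map/filter pair is repeated verbatim for the referer, target and IP textareas, so a single helper taking the raw string would remove the duplication and leave the `str_replace` special case for targets as the only visible difference. The enclosing `if ( ! empty( $_POST['statifyblacklist'] ) )` block starts and ends outside the hunk.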
@@ -61,8 +91,8 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
'regexp' => isset( $_POST['statifyblacklist']['referer']['regexp'] )
? (int) $_POST['statifyblacklist']['referer']['regexp'] : 0,
'blacklist' => array_flip( $referer ),
- ),
- 'target' => array(
+ ],
+ 'target' => [
'active' => isset( $_POST['statifyblacklist']['target']['active'] )
? (int) $_POST['statifyblacklist']['target']['active'] : 0,
'cron' => isset( $_POST['statifyblacklist']['target']['cron'] )
@@ -70,23 +100,25 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
'regexp' => isset( $_POST['statifyblacklist']['target']['regexp'] )
? (int) $_POST['statifyblacklist']['target']['regexp'] : 0,
'blacklist' => array_flip( $target ),
- ),
- 'ip' => array(
+ ],
+ 'ip' => [
'active' => isset( $_POST['statifyblacklist']['ip']['active'] )
? (int) $_POST['statifyblacklist']['ip']['active'] : 0,
'blacklist' => $ip,
- ),
+ ],
'version' => StatifyBlacklist::VERSION_MAIN,
- )
+ ]
);
// Generate messages.
if ( false !== $statifyblacklist_update_result ) {
- if ( array_key_exists( 'referer', $statifyblacklist_update_result ) ) {
- $statifyblacklist_post_warning = __( 'Some URLs are invalid and have been sanitized.', 'statify-blacklist' );
- } elseif ( array_key_exists( 'ip', $statifyblacklist_update_result ) ) {
+ $statifyblacklist_post_warning = [];
+ if ( ! empty( $statifyblacklist_update_result['referer']['diff'] ) ) {
+ $statifyblacklist_post_warning[] = __( 'Some URLs are invalid and have been sanitized.', 'statify-blacklist' );
+ }
+ if ( ! empty( $statifyblacklist_update_result['ip']['diff'] ) ) {
// translators: List of invalid IP addresses (comma separated).
- $statifyblacklist_post_warning = sprintf( __( 'Some IPs are invalid : %s', 'statify-blacklist' ), implode( ', ', $statifyblacklist_update_result['ip'] ) );
+ $statifyblacklist_post_warning[] = sprintf( __( 'Some IPs are invalid: %s', 'statify-blacklist' ), implode( ', ', $statifyblacklist_update_result['ip']['diff'] ) );
}
} else {
$statifyblacklist_post_success = __( 'Settings updated successfully.', 'statify-blacklist' );
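Review bot: The warning generation at L202–L209 reports only the `referer` and `ip` diffs, while update_options now also returns a `target` entry; once the regex check marked TODO in the admin class fills `target.diff`, the page would fall through to the generic not-saved message with no reason shown. A third branch alongside the IP one, `if ( ! empty( $statifyblacklist_update_result['target']['diff'] ) ) { $statifyblacklist_post_warning[] = __( 'Some target patterns are invalid.', 'statify-blacklist' ); }`, keeps the page in step with the new return shape. Note also that `$statifyblacklist_post_warning` is set to `[]` before any diff is checked, so if update_options can ever return a non-false value with empty diffs, the `isset` test further down would still print the not-saved notice with no warning lines. The enclosing block begins outside the hunk.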
@@ -111,11 +143,10 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
print '
';
}
if ( isset( $statifyblacklist_post_warning ) ) {
- print '' .
- esc_html( $statifyblacklist_post_warning );
- print '
';
- esc_html_e( 'Settings have not been saved yet.', 'statify-blacklist' );
- print '
';
+ foreach ( $statifyblacklist_post_warning as $w ) {
+ print '';
+ }
+ print '' . esc_html( 'Settings have not been saved yet.', 'statify-blacklist' ) . '
';
}
if ( isset( $statifyblacklist_post_success ) ) {
print '' .
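Review bot: At L227 the replacement for the removed `esc_html_e( 'Settings have not been saved yet.', 'statify-blacklist' )` calls `esc_html()` with the text domain as a second argument, which esc_html does not take, so the string is escaped but no longer translated; `esc_html__( 'Settings have not been saved yet.', 'statify-blacklist' )` restores the translation lookup. In the loop at L224–L226 the printed literal is empty and `$w` is not referenced in what survives here; if the markup was lost in extraction this is fine, otherwise each warning should be emitted through `esc_html( $w )` as the removed lines did. The surrounding output block starts outside the hunk.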
@@ -187,10 +218,10 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
@@ -270,10 +301,10 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
|
@@ -311,10 +342,10 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
|
|