stklcode/statify-blacklist
stklcode/statify-blacklist
1
0
Fork 0
Code Issues Actions Releases 21 Activity

adjust sanitization of settings and warning messages

Browse Source
This commit is contained in:
Stefan Kalscheuer 2019-03-06 17:23:06 +01:00
parent c511dcb517
commit b691f2c618
2 changed files with 105 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
inc/class-statifyblacklist-admin.php
View File

@ -20,6 +20,9 @@ if ( ! defined( 'ABSPATH' ) ) {
* @since 1.0.0 * @since 1.0.0
*/ */
class StatifyBlacklist_Admin extends StatifyBlacklist { class StatifyBlacklist_Admin extends StatifyBlacklist {
const MODE_NORMAL = 0;
const MODE_REGEX = 1;
const MODE_REGEX_CI = 2;
/** /**
* Initialize admin-only components of the plugin. * Initialize admin-only components of the plugin.
@ -61,27 +64,51 @@ class StatifyBlacklist_Admin extends StatifyBlacklist {
*/ */
public static function update_options( $options = null ) { public static function update_options( $options = null ) {
if ( isset( $options ) && current_user_can( 'manage_options' ) ) { if ( isset( $options ) && current_user_can( 'manage_options' ) ) {
// Sanitize URLs and remove empty inputs.
// Sanitize referer list.
$given_referer = $options['referer']['blacklist']; $given_referer = $options['referer']['blacklist'];
if ( 0 === $options['referer']['regexp'] ) { if ( self::MODE_NORMAL === $options['referer']['regexp'] ) {
// Sanitize URLs and remove empty inputs.
$sanitized_referer = self::sanitizeURLs( $given_referer ); $sanitized_referer = self::sanitizeURLs( $given_referer );
} elseif ( self::MODE_REGEX === $options['referer']['regexp'] || self::MODE_REGEX_CI === $options['referer']['regexp'] ) {
// TODO Check regular expressions.
$sanitized_referer = $given_referer;
} else { } else {
$sanitized_referer = $given_referer; $sanitized_referer = $given_referer;
} }
// Sanitize IPs and Subnets and remove empty inputs. // Sanitize target list.
$given_target = $options['target']['blacklist'];
if ( self::MODE_REGEX === $options['target']['regexp'] || self::MODE_REGEX_CI === $options['target']['regexp'] ) {
// TODO Check regular expressions.
$sanitized_target = $given_target;
} else {
$sanitized_target = $given_target;
}
// Sanitize IPs and subnets and remove empty inputs.
$given_ip = $options['ip']['blacklist']; $given_ip = $options['ip']['blacklist'];
$sanitized_ip = self::sanitizeIPs( $given_ip ); $sanitized_ip = self::sanitizeIPs( $given_ip );
// Abort on errors. // Abort on errors.
if ( ! empty( array_diff( array_keys( $given_referer ), array_keys( $sanitized_referer ) ) ) ) { $errors = [
return array( 'referer' => [
'referer' => $sanitized_referer, 'sanitized' => $sanitized_referer,
); 'diff' => array_diff( $given_referer, $sanitized_referer ),
} elseif ( ! empty( array_diff( $given_ip, $sanitized_ip ) ) ) { ],
return array( 'target' => [
'ip' => array_diff( $given_ip, $sanitized_ip ), 'sanitized' => $sanitized_target,
); 'diff' => array_diff( $given_target, $sanitized_target ),
],
'ip' => [
'sanitized' => $sanitized_ip,
'diff' => array_diff( $given_ip, $sanitized_ip ),
],
];
if ( ! empty( $errors['referer']['diff'] )
|| ! empty( $errors['target']['diff'] )
|| ! empty( $errors['ip']['diff'] ) ) {
return $errors;
} }
// Update database on success. // Update database on success.
@ -300,10 +327,10 @@ class StatifyBlacklist_Admin extends StatifyBlacklist {
'/^((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/', '/^((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/',
$ip $ip
) || ) ||
preg_match( preg_match(
'/^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/', '/^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/',
$ip $ip
); );
} }
); );
} }

95
views/settings-page.php
View File

@ -29,31 +29,61 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
// Extract referer array. // Extract referer array.
$referer_str = sanitize_textarea_field( wp_unslash( $_POST['statifyblacklist']['referer']['blacklist'] ) ); $referer_str = sanitize_textarea_field( wp_unslash( $_POST['statifyblacklist']['referer']['blacklist'] ) );
if ( empty( trim( $referer_str ) ) ) { if ( empty( trim( $referer_str ) ) ) {
$referer = array(); $referer = [];
} else { } else {
$referer = explode( "\r\n", $referer_str ); $referer = array_filter(
array_map(
function ( $a ) {
return trim( $a );
},
explode( "\r\n", $referer_str )
),
function ( $a ) {
return ! empty( $a );
}
);
} }
// Extract target array. // Extract target array.
$target_str = sanitize_textarea_field( wp_unslash( $_POST['statifyblacklist']['target']['blacklist'] ) ); $target_str = sanitize_textarea_field( wp_unslash( $_POST['statifyblacklist']['target']['blacklist'] ) );
if ( empty( trim( $target_str ) ) ) { if ( empty( trim( $target_str ) ) ) {
$target = array(); $target = [];
} else { } else {
$target = explode( "\r\n", str_replace( '\\\\', '\\', $target_str ) ); $target = array_filter(
array_map(
function ( $a ) {
return trim( $a );
},
explode( "\r\n", str_replace( '\\\\', '\\', $target_str ) )
),
function ( $a ) {
return ! empty( $a );
}
);
} }
// Extract IP array. // Extract IP array.
$ip_str = sanitize_textarea_field( wp_unslash( $_POST['statifyblacklist']['ip']['blacklist'] ) ); $ip_str = sanitize_textarea_field( wp_unslash( $_POST['statifyblacklist']['ip']['blacklist'] ) );
if ( empty( trim( $ip_str ) ) ) { if ( empty( trim( $ip_str ) ) ) {
$ip = array(); $ip = [];
} else { } else {
$ip = explode( "\r\n", $ip_str ); $ip = array_filter(
array_map(
function ( $a ) {
return trim( $a );
},
explode( "\r\n", $ip_str )
),
function ( $a ) {
return ! empty( $a );
}
);
} }
// Update options (data will be sanitized). // Update options (data will be sanitized).
$statifyblacklist_update_result = StatifyBlacklist_Admin::update_options( $statifyblacklist_update_result = StatifyBlacklist_Admin::update_options(
array( [
'referer' => array( 'referer' => [
'active' => isset( $_POST['statifyblacklist']['referer']['active'] ) 'active' => isset( $_POST['statifyblacklist']['referer']['active'] )
? (int) $_POST['statifyblacklist']['referer']['active'] : 0, ? (int) $_POST['statifyblacklist']['referer']['active'] : 0,
'cron' => isset( $_POST['statifyblacklist']['referer']['cron'] ) 'cron' => isset( $_POST['statifyblacklist']['referer']['cron'] )
@ -61,8 +91,8 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
'regexp' => isset( $_POST['statifyblacklist']['referer']['regexp'] ) 'regexp' => isset( $_POST['statifyblacklist']['referer']['regexp'] )
? (int) $_POST['statifyblacklist']['referer']['regexp'] : 0, ? (int) $_POST['statifyblacklist']['referer']['regexp'] : 0,
'blacklist' => array_flip( $referer ), 'blacklist' => array_flip( $referer ),
), ],
'target' => array( 'target' => [
'active' => isset( $_POST['statifyblacklist']['target']['active'] ) 'active' => isset( $_POST['statifyblacklist']['target']['active'] )
? (int) $_POST['statifyblacklist']['target']['active'] : 0, ? (int) $_POST['statifyblacklist']['target']['active'] : 0,
'cron' => isset( $_POST['statifyblacklist']['target']['cron'] ) 'cron' => isset( $_POST['statifyblacklist']['target']['cron'] )
@ -70,23 +100,25 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
'regexp' => isset( $_POST['statifyblacklist']['target']['regexp'] ) 'regexp' => isset( $_POST['statifyblacklist']['target']['regexp'] )
? (int) $_POST['statifyblacklist']['target']['regexp'] : 0, ? (int) $_POST['statifyblacklist']['target']['regexp'] : 0,
'blacklist' => array_flip( $target ), 'blacklist' => array_flip( $target ),
), ],
'ip' => array( 'ip' => [
'active' => isset( $_POST['statifyblacklist']['ip']['active'] ) 'active' => isset( $_POST['statifyblacklist']['ip']['active'] )
? (int) $_POST['statifyblacklist']['ip']['active'] : 0, ? (int) $_POST['statifyblacklist']['ip']['active'] : 0,
'blacklist' => $ip, 'blacklist' => $ip,
), ],
'version' => StatifyBlacklist::VERSION_MAIN, 'version' => StatifyBlacklist::VERSION_MAIN,
) ]
); );
// Generate messages. // Generate messages.
if ( false !== $statifyblacklist_update_result ) { if ( false !== $statifyblacklist_update_result ) {
if ( array_key_exists( 'referer', $statifyblacklist_update_result ) ) { $statifyblacklist_post_warning = [];
$statifyblacklist_post_warning = __( 'Some URLs are invalid and have been sanitized.', 'statify-blacklist' ); if ( ! empty( $statifyblacklist_update_result['referer']['diff'] ) ) {
} elseif ( array_key_exists( 'ip', $statifyblacklist_update_result ) ) { $statifyblacklist_post_warning[] = __( 'Some URLs are invalid and have been sanitized.', 'statify-blacklist' );
}
if ( ! empty( $statifyblacklist_update_result['ip']['diff'] ) ) {
// translators: List of invalid IP addresses (comma separated). // translators: List of invalid IP addresses (comma separated).
$statifyblacklist_post_warning = sprintf( __( 'Some IPs are invalid : %s', 'statify-blacklist' ), implode( ', ', $statifyblacklist_update_result['ip'] ) ); $statifyblacklist_post_warning[] = sprintf( __( 'Some IPs are invalid: %s', 'statify-blacklist' ), implode( ', ', $statifyblacklist_update_result['ip']['diff'] ) );
} }
} else { } else {
$statifyblacklist_post_success = __( 'Settings updated successfully.', 'statify-blacklist' ); $statifyblacklist_post_success = __( 'Settings updated successfully.', 'statify-blacklist' );
@ -111,11 +143,10 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
print '</p></div>'; print '</p></div>';
} }
if ( isset( $statifyblacklist_post_warning ) ) { if ( isset( $statifyblacklist_post_warning ) ) {
print '<div class="notice notice-warning"><p>' . foreach ( $statifyblacklist_post_warning as $w ) {
esc_html( $statifyblacklist_post_warning ); print '<div class="notice notice-warning"><p>' . esc_html( $w ) . '</p></div>';
print '<br>'; }
esc_html_e( 'Settings have not been saved yet.', 'statify-blacklist' ); print '<div class="notice notice-warning"><p>' . esc_html( 'Settings have not been saved yet.', 'statify-blacklist' ) . '</p></div>';
print '</p></div>';
} }
if ( isset( $statifyblacklist_post_success ) ) { if ( isset( $statifyblacklist_post_success ) ) {
print '<div class="notice notice-success"><p>' . print '<div class="notice notice-success"><p>' .
@ -187,10 +218,10 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
</th> </th>
<td> <td>
<textarea cols="40" rows="5" name="statifyblacklist[referer][blacklist]" id="statify-blacklist_referer"><?php <textarea cols="40" rows="5" name="statifyblacklist[referer][blacklist]" id="statify-blacklist_referer"><?php
if ( isset( $statifyblacklist_update_result['referer'] ) ) { if ( empty( $statifyblacklist_update_result['referer'] ) ) {
print esc_html( implode( "\r\n", array_keys( $statifyblacklist_update_result['referer'] ) ) );
} else {
print esc_html( implode( "\r\n", array_keys( StatifyBlacklist::$_options['referer']['blacklist'] ) ) ); print esc_html( implode( "\r\n", array_keys( StatifyBlacklist::$_options['referer']['blacklist'] ) ) );
} else {
print esc_html( implode( "\r\n", array_keys( $statifyblacklist_update_result['referer']['sanitized'] ) ) );
} }
?></textarea> ?></textarea>
<p class="description"> <p class="description">
@ -270,10 +301,10 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
</th> </th>
<td> <td>
<textarea cols="40" rows="5" name="statifyblacklist[target][blacklist]" id="statify-blacklist_target"><?php <textarea cols="40" rows="5" name="statifyblacklist[target][blacklist]" id="statify-blacklist_target"><?php
if ( isset( $statifyblacklist_update_result['target'] ) ) { if ( empty( $statifyblacklist_update_result['target'] ) ) {
print esc_html( implode( "\r\n", array_keys( $statifyblacklist_update_result['target'] ) ) );
} else {
print esc_html( implode( "\r\n", array_keys( StatifyBlacklist::$_options['target']['blacklist'] ) ) ); print esc_html( implode( "\r\n", array_keys( StatifyBlacklist::$_options['target']['blacklist'] ) ) );
} else {
print esc_html( implode( "\r\n", array_keys( $statifyblacklist_update_result['target']['sanitized'] ) ) );
} }
?></textarea> ?></textarea>
@ -311,10 +342,10 @@ if ( ! empty( $_POST['statifyblacklist'] ) ) {
</th> </th>
<td> <td>
<textarea cols="40" rows="5" name="statifyblacklist[ip][blacklist]" id="statify-blacklist_ip"><?php <textarea cols="40" rows="5" name="statifyblacklist[ip][blacklist]" id="statify-blacklist_ip"><?php
if ( isset( $statifyblacklist_update_result['ip'] ) ) { if ( empty( $statifyblacklist_update_result['ip'] ) ) {
print esc_html( implode( "\r\n", $statifyblacklist_update_result['ip'] ) );
} else {
print esc_html( implode( "\r\n", StatifyBlacklist::$_options['ip']['blacklist'] ) ); print esc_html( implode( "\r\n", StatifyBlacklist::$_options['ip']['blacklist'] ) );
} else {
print esc_html( implode( "\r\n", $statifyblacklist_update_result['ip']['sanitized'] ) );
} }
?></textarea> ?></textarea>