Fix for filter_input input_server on fcgi bug

core/logging.php

@@ -100,7 +100,7 @@ function do_log($msg, $severity = 3, $do_backtrace = false, $nest = 0) {
                 echo "$log_prefix:$msg";
                 echo ($this->eolprint) ? "\n" : "<br/>";
             } else {
-                if (!filter_input(INPUT_SERVER, 'REMOTE_ADDR') || $this->remoteip != filter_input(INPUT_SERVER, 'REMOTE_ADDR')) {
+                if (!transposh_utils::get_clean_server_var( 'REMOTE_ADDR') || $this->remoteip != transposh_utils::get_clean_server_var( 'REMOTE_ADDR')) {
                     return;
                 }
                 if ((is_array($msg) || is_object($msg)) && $this->show_caller) {

core/utils.php

@@ -444,7 +444,7 @@ public static function display_flag($path, $flag, $language, $css = false) {
     public static function prefered_language($available_languages, $default_lang = "auto", $http_accept_language = "auto") {
         // if $http_accept_language was left out, read it from the HTTP-Header
         if ($http_accept_language == "auto") {
-            $http_accept_language = filter_input(INPUT_SERVER, 'HTTP_ACCEPT_LANGUAGE');
+            $http_accept_language = transposh_utils::get_clean_server_var( 'HTTP_ACCEPT_LANGUAGE');
         }
 
         // standard  for HTTP_ACCEPT_LANGUAGE is defined under
@@ -521,7 +521,7 @@ public static function language_from_country($available_languages, $country, $de
     }
 
     public static function is_bot() {
-        return preg_match("#(bot|yandex|validator|google|jeeves|spider|crawler|slurp)#si", filter_input(INPUT_SERVER, 'HTTP_USER_AGENT'));
+        return preg_match("#(bot|yandex|validator|google|jeeves|spider|crawler|slurp)#si", transposh_utils::get_clean_server_var( 'HTTP_USER_AGENT'));
     }
 
     public static function allow_cors() {
@@ -552,5 +552,17 @@ public static function wordpress_user_by_by($by) {
         }
         return $by;
     }
+    /**
+     * Return a server var, because of the 15 years old filter_input bug.
+     * @param String $var
+     * @return type
+     */
+    public static function get_clean_server_var($var) {
+        $ret = filter_input(INPUT_SERVER, $var);
+        if (!$ret && isset($_SERVER[$var])) {
+            $ret = $_SERVER[$var];
+        }
+        return $ret;
+    }
 
 }

readme.txt

@@ -3,7 +3,7 @@ Contributors: oferwald
 Donate link: http://transposh.org/donate/
 Tags: translation, translate, i18n, widget, filter, buddypress, bilingual, multilingual, transposh, language, crowdsourcing, google translate, bing translate, context, wiki, RTL, Hebrew, Spanish, French, Russian, English, Arabic, Portuguese
 Requires at least: 5.8
-Tested up to: 5.9
+Tested up to: 6.0.2
 Stable tag: %VERSION%
 
 Transposh adds best of breed translation support to wordpress, 117 languages are automatically translated and can be manually corrected with ease.
@@ -122,6 +122,7 @@ This version allows sorting of languages within the widget
  * French - [Michel Chaussée](tajimoko.com)
 
 == Changelog ==
+ * Fix for filter_input input_server fcgi bug
 = 2022/09/21 - 1.0.9.2 =
  * Fix for some bugs added by CSRF protection, including working translate all
  * Remove old references to non working places

wp/transposh_3rdparty.php

@@ -74,7 +74,7 @@ function add_analyticator_tracking() {
     function super_cache_invalidate() {
         //Now, we are actually using the referrer and not the request, with some precautions
         // check server['']
-        $GLOBALS['wp_cache_request_uri'] = substr(filter_input(INPUT_SERVER, 'HTTP_REFERER'), stripos(filter_input(INPUT_SERVER, 'HTTP_REFERER'), filter_input(INPUT_SERVER, 'HTTP_HOST')) + strlen(filter_input(INPUT_SERVER, '') . filter_input(INPUT_SERVER, 'HTTP_HOST')));
+        $GLOBALS['wp_cache_request_uri'] = substr(transposh_utils::get_clean_server_var('HTTP_REFERER'), stripos(transposh_utils::get_clean_server_var('HTTP_REFERER'), transposh_utils::get_clean_server_var('HTTP_HOST')) + strlen(transposh_utils::get_clean_server_var('HTTP_HOST')));
         $GLOBALS['wp_cache_request_uri'] = preg_replace('/[ <>\'\"\r\n\t\(\)]/', '', str_replace('/index.php', '/', str_replace('..', '', preg_replace("/(\?.*)?$/", '', $GLOBALS['wp_cache_request_uri']))));
         // get some supercache variables
         extract(wp_super_cache_init());
@@ -111,8 +111,8 @@ function super_cache_invalidate() {
     }
 
     function w3tc_invalidate() {
-        tp_logger("W3TC invalidate:" . filter_input(INPUT_SERVER, 'HTTP_REFERER'));
-        $id = url_to_postid(filter_input(INPUT_SERVER, 'HTTP_REFERER'));
+        tp_logger("W3TC invalidate:" . transposh_utils::get_clean_server_var('HTTP_REFERER'));
+        $id = url_to_postid(transposh_utils::get_clean_server_var('HTTP_REFERER'));
         if (is_numeric($id)) {
             tp_logger("W3TC invalidate post id: $id");
             w3tc_pgcache_flush_post($id);
@@ -141,7 +141,7 @@ function bp_uri_filter($uri) {
      * @param type $url
      */
     function bbp_get_search_results_url($url) {
-        $lang = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url);
+        $lang = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url);
         $href = transposh_utils::rewrite_url_lang_param($url, $this->transposh->home_url, $this->transposh->enable_permalinks_rewrite, $lang, false);
         return $href;
     }
@@ -154,8 +154,8 @@ function bp_activity_after_save($params) {
         // we don't need to modify our own activity stream
         if ($params->type == 'new_translation')
             return;
-        if (transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->transposh->home_url))
-            bp_activity_update_meta($params->id, 'tp_language', transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->transposh->home_url));
+        if (transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->transposh->home_url))
+            bp_activity_update_meta($params->id, 'tp_language', transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->transposh->home_url));
     }
 
     /**
@@ -335,7 +335,7 @@ function add_yoast_transposh_urls($yoast_url) {
     }
 
     function woo_uri_filter($url) {
-        $lang = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->transposh->home_url);
+        $lang = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->transposh->home_url);
         tp_logger('altering woo url to:' . transposh_utils::rewrite_url_lang_param($url, $this->transposh->home_url, $this->transposh->enable_permalinks_rewrite, $lang, $this->transposh->edit_mode));
         return transposh_utils::rewrite_url_lang_param($url, $this->transposh->home_url, $this->transposh->enable_permalinks_rewrite, $lang, $this->transposh->edit_mode);
     }

wp/transposh_admin.php

@@ -770,7 +770,7 @@ function tp_advanced() {
             4 => __('Information', TRANSPOSH_TEXT_DOMAIN),
             5 => __('Debug', TRANSPOSH_TEXT_DOMAIN),
         ));
-        $this->textinput($this->transposh->options->debug_remoteip_o, '', sprintf(__('Remote debug IP (Your current IP is %s)', TRANSPOSH_TEXT_DOMAIN), filter_input(INPUT_SERVER, 'REMOTE_ADDR')));
+        $this->textinput($this->transposh->options->debug_remoteip_o, '', sprintf(__('Remote debug IP (Your current IP is %s)', TRANSPOSH_TEXT_DOMAIN), transposh_utils::get_clean_server_var('REMOTE_ADDR')));
         $this->sectionstop();
     }
 

wp/transposh_db.php

@@ -373,7 +373,7 @@ function update_translation($by = "") {
         }
         if (!$by && !($all_editable &&
                 ($this->transposh->is_translator() || ($source > 0 && $this->transposh->options->enable_autotranslate)))) {
-            tp_logger("Unauthorized translation attempt " . filter_input(INPUT_SERVER,'REMOTE_ADDR'), 1);
+            tp_logger("Unauthorized translation attempt " . transposh_utils::get_clean_server_var('REMOTE_ADDR'), 1);
             header("HTTP/1.0 401 Unauthorized translation");
             exit;
         }
@@ -387,7 +387,7 @@ function update_translation($by = "") {
             $loguser = get_current_user_id();
         }
         if (!$loguser) {
-            $loguser = filter_input(INPUT_SERVER,'REMOTE_ADDR');
+            $loguser = transposh_utils::get_clean_server_var('REMOTE_ADDR');
         }
 
         // reset values (for good code style)
@@ -530,7 +530,7 @@ function get_translation_history($token, $lang) {
         // Check permissions, first the lanugage must be on the edit list. Then either the user
         // is a translator or automatic translation if it is enabled.
         if (!($this->transposh->options->is_active_language($lang) && $this->transposh->is_translator())) {
-            tp_logger("Unauthorized history request " . filter_input(INPUT_SERVER,'REMOTE_ADDR'), 1);
+            tp_logger("Unauthorized history request " . transposh_utils::get_clean_server_var('REMOTE_ADDR'), 1);
             header('HTTP/1.0 401 Unauthorized history');
             exit;
         }
@@ -557,7 +557,7 @@ function get_translation_history($token, $lang) {
 
         $rows = $GLOBALS['wpdb']->get_results($query);
         for ($i = 0; $i < count($rows); $i++) {
-            if (($rows[$i]->translated_by == filter_input(INPUT_SERVER,'REMOTE_ADDR') && $rows[$i]->source == '0') || (is_user_logged_in() && current_user_can(TRANSLATOR)) || current_user_can('manage_options')) {
+            if (($rows[$i]->translated_by == transposh_utils::get_clean_server_var('REMOTE_ADDR') && $rows[$i]->source == '0') || (is_user_logged_in() && current_user_can(TRANSLATOR)) || current_user_can('manage_options')) {
                 $rows[$i]->can_delete = true;
             }
         }
@@ -607,7 +607,7 @@ function del_translation_history($token, $langp, $timestampp) {
 
         tp_logger($query, 3);
         // We only delete if we found something to delete and it is allowed to delete it (user either did that - by ip, has the translator role or is an admin)
-        if (($inmaintable || $inlogtable) && (($rows[0]->translated_by == filter_input(INPUT_SERVER,'REMOTE_ADDR') && $rows[0]->source == '0') || (is_user_logged_in() && current_user_can(TRANSLATOR)) || current_user_can('manage_options'))) {
+        if (($inmaintable || $inlogtable) && (($rows[0]->translated_by == transposh_utils::get_clean_server_var('REMOTE_ADDR') && $rows[0]->source == '0') || (is_user_logged_in() && current_user_can(TRANSLATOR)) || current_user_can('manage_options'))) {
             // delete faulty record, if in log
             if ($inlogtable) {
                 $query = "DELETE " .
@@ -667,7 +667,7 @@ function get_translation_alt($token) {
 
         // Check permissions
         if (!($this->transposh->is_translator())) {
-            tp_logger("Unauthorized alt request " . filter_input(INPUT_SERVER,'REMOTE_ADDR'), 1);
+            tp_logger("Unauthorized alt request " . transposh_utils::get_clean_server_var('REMOTE_ADDR'), 1);
             header('HTTP/1.0 401 Unauthorized alt request');
             exit;
         }
@@ -1002,7 +1002,7 @@ function deduplicate_auto() {
                 $update = "DELETE FROM " . $this->translation_table . " WHERE $delvalues";
                 tp_logger($update, 3);
                 $GLOBALS['wpdb']->query($update);
-                $this->cache_delete($row->original, $row->lang); 
+                $this->cache_delete($row->original, $row->lang);
             }
         }
     }

wp/transposh_editor.php

@@ -172,8 +172,12 @@ function prepare_items() {
         $orderby = (!empty(filter_input(INPUT_GET, 'orderby', FILTER_SANITIZE_SPECIAL_CHARS)) ) ? filter_input(INPUT_GET, 'orderby', FILTER_SANITIZE_SPECIAL_CHARS) : 'timestamp';
         $order = (!empty(filter_input(INPUT_GET, 'order', FILTER_SANITIZE_SPECIAL_CHARS)) ) ? filter_input(INPUT_GET, 'order', FILTER_SANITIZE_SPECIAL_CHARS) : 'desc';
         // FIX CVE-2022-25811
-        if (!in_array($orderby,['timestamp','lang','original','translated','translated_by'] )) {$orderby = "timestamp";}
-        if (!in_array($order,['asc','desc'] )) {$order = "desc";}
+        if (!in_array($orderby, ['timestamp', 'lang', 'original', 'translated', 'translated_by'])) {
+            $orderby = "timestamp";
+        }
+        if (!in_array($order, ['asc', 'desc'])) {
+            $order = "desc";
+        }
 
         //$per_page = 5;
         $user = get_current_user_id();
@@ -204,7 +208,7 @@ function render_table() {
         echo '</pre><div class="wrap"><h2>' . __('Translations', TRANSPOSH_TEXT_DOMAIN) . '</h2>';
         $this->prepare_items();
         if ($this->filter) {
-            $current_url = set_url_scheme('http://' . filter_input(INPUT_SERVER, 'HTTP_HOST') . filter_input(INPUT_SERVER, 'REQUEST_URI'));
+            $current_url = set_url_scheme('http://' . transposh_utils::get_clean_server_var('HTTP_HOST') . transposh_utils::get_clean_server_var('REQUEST_URI'));
             echo (sprintf("<a href='%s'>%s</a></br>", esc_url(remove_query_arg(['action', 'ftb', 'fts', 'fl', 'paged'], $current_url)), __('Remove all filters')));
         }
 
@@ -269,7 +273,7 @@ function perform_actions() {
 
             tp_logger($this->filter);
         }
-        $s = htmlspecialchars(filter_input(INPUT_POST, 's', FILTER_DEFAULT, FILTER_NULL_ON_FAILURE));       
+        $s = htmlspecialchars(filter_input(INPUT_POST, 's', FILTER_DEFAULT, FILTER_NULL_ON_FAILURE));
         if ($s) {
             if ($this->filter) {
                 $this->filter .= " AND ";

wp/transposh_widget.php

@@ -86,15 +86,14 @@ function __construct() {
         parent::__construct('transposh', __('Transposh'), $widget_ops, $control_ops);
 
         // PHP 5.3 and up...
-        add_action('widgets_init', function() {
+        add_action('widgets_init', function () {
             register_widget("transposh_plugin_widget");
         });
 //        add_action('widgets_init', create_function('', 'register_widget("transposh_plugin_widget");'));
-
         // We only need to add those actions once, makes life simpler
         if (is_active_widget(false, false, $this->id_base) && self::$first_init) {
             self::$first_init = false;
-            if (!is_admin()) {
+            if (!is_admin()) { // is admin page
                 add_action('wp_print_styles', array(&$this, 'add_transposh_widget_css'));
                 add_action('wp_print_scripts', array(&$this, 'add_transposh_widget_js'));
             }
@@ -156,22 +155,24 @@ function form($instance) {
      * Make sure that this feature would not be used to include files in weird locations
      * No more then one "/" no more than one "." - Also sanitize nonsense by WP
      */
+
     function sanitize_file($file) {
-        $slashcount=substr_count($file, '/');
+        $slashcount = substr_count($file, '/');
         if ($slashcount > 1) {
             return ""; // We would not like more than one degree of recursion
         }
         if (substr_count($file, ".") > 1) {
             return ""; // One dot should be enough for everyone - Bill Gates
         }
         if ($slashcount == 1) {
-            list ($dir,$filename) = explode("/", $file);
-            $newfile = sanitize_file_name($dir)."/".sanitize_file_name($filename);
+            list ($dir, $filename) = explode("/", $file);
+            $newfile = sanitize_file_name($dir) . "/" . sanitize_file_name($filename);
         } else {
             $newfile = sanitize_file_name($file);
         }
         return $newfile;
     }
+
     /**
      * Loads the subwidget class code
      */
@@ -181,7 +182,7 @@ function load_widget($file = "") {
         if ($file && $file[0] == '*') {
             $upload = wp_upload_dir();
             $upload_dir = $upload['basedir'] . '/' . TRANSPOSH_DIR_UPLOAD . '/' . TRANSPOSH_DIR_WIDGETS;
-            $widget_src = $upload_dir . '/' . $this->sanitize_file (substr($file, 1));
+            $widget_src = $upload_dir . '/' . $this->sanitize_file(substr($file, 1));
         } else {
             $widget_src = $this->transposh->transposh_plugin_dir . TRANSPOSH_DIR_WIDGETS . '/' . $this->sanitize_file($file);
         }
@@ -306,7 +307,7 @@ function widget($args, $instance, $extcall = false) {
 
         // we load the class needed and get its base name for later
         if (isset($instance['widget_file'])) {
-            $class = $this->load_widget($instance['widget_file']);        
+            $class = $this->load_widget($instance['widget_file']);
         } else {
             $class = $this->load_widget();
         }
@@ -361,7 +362,7 @@ function widget($args, $instance, $extcall = false) {
             }
             // add the edit checkbox only for translators for languages marked as editable
             if ($this->transposh->is_editing_permitted()) {
-                $ref = transposh_utils::rewrite_url_lang_param(filter_input(INPUT_SERVER,'REQUEST_URI'), $this->transposh->home_url, $this->transposh->enable_permalinks_rewrite, ($this->transposh->options->is_default_language($this->transposh->target_language) ? "" : $this->transposh->target_language), !$this->transposh->edit_mode);
+                $ref = transposh_utils::rewrite_url_lang_param(transposh_utils::get_clean_server_var('REQUEST_URI'), $this->transposh->home_url, $this->transposh->enable_permalinks_rewrite, ($this->transposh->options->is_default_language($this->transposh->target_language) ? "" : $this->transposh->target_language), !$this->transposh->edit_mode);
                 echo '<input type="checkbox" name="' . EDIT_PARAM . '" value="1" ' .
                 ($this->transposh->edit_mode ? 'checked="checked" ' : '') .
                 ' onclick="document.location.href=\'' . $ref . '\';"/>&nbsp;Edit Translation';
@@ -445,9 +446,9 @@ function get_widgets($widget_folder = '') {
         } else {
             return $tp_widgets;
         }
-        
+
         // There was a closedir once here, but turned out it just caused strange issues 
-        
+
         if (empty($widget_files))
             return $tp_widgets;
 
@@ -462,8 +463,8 @@ function get_widgets($widget_folder = '') {
 
             $tp_widgets[plugin_basename($widget_file)] = $widget_data;
         }
-        uasort($tp_widgets, function($a, $b) {
-            return strnatcasecmp( $a["Name"], $b["Name"] );
+        uasort($tp_widgets, function ($a, $b) {
+            return strnatcasecmp($a["Name"], $b["Name"]);
         });
         //uasort($tp_widgets, create_function('$a, $b', 'return strnatcasecmp( $a["Name"], $b["Name"] );'));