From 21f0f79998efc673f5394b90f1a58e4fb9fabb88 Mon Sep 17 00:00:00 2001 From: Ofer Wald Date: Tue, 4 Oct 2022 23:59:36 +0300 Subject: [PATCH] Fix for filter_input input_server on fcgi bug --- core/logging.php | 2 +- core/utils.php | 16 ++++++- readme.txt | 3 +- transposh.php | 98 +++++++++++++++++++-------------------- wp/transposh_3rdparty.php | 14 +++--- wp/transposh_admin.php | 2 +- wp/transposh_db.php | 14 +++--- wp/transposh_editor.php | 12 +++-- wp/transposh_widget.php | 27 +++++------ 9 files changed, 103 insertions(+), 85 deletions(-) diff --git a/core/logging.php b/core/logging.php index 566b237..2c9fb08 100644 --- a/core/logging.php +++ b/core/logging.php @@ -100,7 +100,7 @@ function do_log($msg, $severity = 3, $do_backtrace = false, $nest = 0) { echo "$log_prefix:$msg"; echo ($this->eolprint) ? "\n" : "
"; } else { - if (!filter_input(INPUT_SERVER, 'REMOTE_ADDR') || $this->remoteip != filter_input(INPUT_SERVER, 'REMOTE_ADDR')) { + if (!transposh_utils::get_clean_server_var( 'REMOTE_ADDR') || $this->remoteip != transposh_utils::get_clean_server_var( 'REMOTE_ADDR')) { return; } if ((is_array($msg) || is_object($msg)) && $this->show_caller) { diff --git a/core/utils.php b/core/utils.php index 993a393..6841aa7 100644 --- a/core/utils.php +++ b/core/utils.php @@ -444,7 +444,7 @@ public static function display_flag($path, $flag, $language, $css = false) { public static function prefered_language($available_languages, $default_lang = "auto", $http_accept_language = "auto") { // if $http_accept_language was left out, read it from the HTTP-Header if ($http_accept_language == "auto") { - $http_accept_language = filter_input(INPUT_SERVER, 'HTTP_ACCEPT_LANGUAGE'); + $http_accept_language = transposh_utils::get_clean_server_var( 'HTTP_ACCEPT_LANGUAGE'); } // standard for HTTP_ACCEPT_LANGUAGE is defined under @@ -521,7 +521,7 @@ public static function language_from_country($available_languages, $country, $de } public static function is_bot() { - return preg_match("#(bot|yandex|validator|google|jeeves|spider|crawler|slurp)#si", filter_input(INPUT_SERVER, 'HTTP_USER_AGENT')); + return preg_match("#(bot|yandex|validator|google|jeeves|spider|crawler|slurp)#si", transposh_utils::get_clean_server_var( 'HTTP_USER_AGENT')); } public static function allow_cors() { @@ -552,5 +552,17 @@ public static function wordpress_user_by_by($by) { } return $by; } + /** + * Return a server var, because of the 15 years old filter_input bug. + * @param String $var + * @return type + */ + public static function get_clean_server_var($var) { + $ret = filter_input(INPUT_SERVER, $var); + if (!$ret && isset($_SERVER[$var])) { + $ret = $_SERVER[$var]; + } + return $ret; + } } diff --git a/readme.txt b/readme.txt index 24c1d55..47c9de5 100644 --- a/readme.txt +++ b/readme.txt 
@@ -3,7 +3,7 @@ Contributors: oferwald Donate link: http://transposh.org/donate/ Tags: translation, translate, i18n, widget, filter, buddypress, bilingual, multilingual, transposh, language, crowdsourcing, google translate, bing translate, context, wiki, RTL, Hebrew, Spanish, French, Russian, English, Arabic, Portuguese Requires at least: 5.8 -Tested up to: 5.9 +Tested up to: 6.0.2 Stable tag: %VERSION% Transposh adds best of breed translation support to wordpress, 117 languages are automatically translated and can be manually corrected with ease. @@ -122,6 +122,7 @@ This version allows sorting of languages within the widget * French - [Michel Chaussée](tajimoko.com) == Changelog == + * Fix for filter_input input_server fcgi bug = 2022/09/21 - 1.0.9.2 = * Fix for some bugs added by CSRF protection, including working translate all * Remove old references to non working places diff --git a/transposh.php b/transposh.php index c6b947a..db2f008 100644 --- a/transposh.php +++ b/transposh.php @@ -153,7 +153,7 @@ function __construct() { $this->transposh_plugin_dir = plugin_dir_path(__FILE__); if ($this->options->debug_enable) - tp_logger('Transposh object created: ' . filter_input(INPUT_SERVER, 'REQUEST_URI'), 3); + tp_logger('Transposh object created: ' . transposh_utils::get_clean_server_var('REQUEST_URI'), 3); $this->transposh_plugin_basename = plugin_basename(__FILE__); //Register some functions into wordpress @@ -256,7 +256,7 @@ function __construct() { // // FUTURE add_action('update-custom_transposh', array(&$this, 'update')); // CHECK TODO!!!!!!!!!!!! - $this->tgl = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'REQUEST_URI'), $this->home_url); + $this->tgl = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('REQUEST_URI'), $this->home_url); if (!$this->options->is_active_language($this->tgl)) { $this->tgl = ''; } 
@@ -320,7 +320,7 @@ function get_clean_url() { return $this->clean_url; } //remove any language identifier and find the "clean" url, used for posting and calculating urls if needed - $this->clean_url = transposh_utils::cleanup_url(filter_input(INPUT_SERVER, 'REQUEST_URI'), $this->home_url, true); + $this->clean_url = transposh_utils::cleanup_url(transposh_utils::get_clean_server_var('REQUEST_URI'), $this->home_url, true); // we need this if we are using url translations if ($this->options->enable_url_translate) { $this->clean_url = transposh_utils::get_original_url($this->clean_url, '', $this->target_language, array($this->database, 'fetch_original')); @@ -381,7 +381,7 @@ function process_page($buffer) { //php7? $start_time = microtime(TRUE); // Refrain from touching the administrative interface and important pages - if ($this->is_special_page(filter_input(INPUT_SERVER, 'REQUEST_URI')) && !$this->attempt_json) { + if ($this->is_special_page(transposh_utils::get_clean_server_var('REQUEST_URI')) && !$this->attempt_json) { tp_logger("Skipping translation for admin pages", 3); } elseif ($bad_content) { tp_logger("Seems like content we should not handle"); @@ -409,7 +409,7 @@ function process_page($buffer) { //php7? } } - tp_logger("Translating " . filter_input(INPUT_SERVER, 'REQUEST_URI') . " to: {$this->target_language} for: " . filter_input(INPUT_SERVER, 'REMOTE_ADDR'), 1); + tp_logger("Translating " . transposh_utils::get_clean_server_var('REQUEST_URI') . " to: {$this->target_language} for: " . transposh_utils::get_clean_server_var('REMOTE_ADDR'), 1); //translate the entire page $parse = new tp_parser(); 
@@ -427,7 +427,7 @@ function process_page($buffer) { //php7? $parse->allow_ad = $this->options->widget_remove_logo; //** FULLSTOP // TODO - check this! - if (stripos(filter_input(INPUT_SERVER, 'REQUEST_URI'), '/feed/') !== FALSE) { + if (stripos(transposh_utils::get_clean_server_var('REQUEST_URI'), '/feed/') !== FALSE) { tp_logger("in rss feed!", 2); $parse->is_auto_translate = false; $parse->is_edit_mode = false; @@ -452,7 +452,7 @@ function process_page($buffer) { //php7? * Once processing is completed the buffer will go into the translation process. */ function on_init() { - tp_logger('init ' . filter_input(INPUT_SERVER, 'REQUEST_URI'), 4); + tp_logger('init ' . transposh_utils::get_clean_server_var('REQUEST_URI'), 4); // the wp_rewrite is not available earlier so we can only set the enable_permalinks here if (is_object($GLOBALS['wp_rewrite'])) { 
@@ -464,47 +464,47 @@ function on_init() { // this is an ajax special case, currently crafted and tested on buddy press, lets hope this won't make hell break loose. // it basically sets language based on referred when accessing wp-load.php (which is the way bp does ajax) - tp_logger(substr(filter_input(INPUT_SERVER, 'SCRIPT_FILENAME'), -11), 5); - if (substr(filter_input(INPUT_SERVER, 'SCRIPT_FILENAME'), -11) == 'wp-load.php') { - $this->target_language = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url); + tp_logger(substr(transposh_utils::get_clean_server_var('SCRIPT_FILENAME'), -11), 5); + if (substr(transposh_utils::get_clean_server_var('SCRIPT_FILENAME'), -11) == 'wp-load.php') { + $this->target_language = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url); $this->attempt_json = true; } //buddypress old activity if (isset($_POST['action']) && $_POST['action'] == 'activity_get_older_updates') { - $this->target_language = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url); + $this->target_language = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url); $this->attempt_json = true; } //alm news if (isset($_GET['action']) && $_GET['action'] == 'alm_query_posts') { - $this->target_language = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url); + $this->target_language = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url); } //woocommerce_update_order_review if (isset($_POST['action']) && $_POST['action'] == 'woocommerce_update_order_review') { - $this->target_language = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url); + $this->target_language = 
transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url); $this->attempt_json = true; } if (isset($_GET['wc-ajax']) && $_GET['wc-ajax'] == 'update_order_review') { - $this->target_language = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url); + $this->target_language = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url); $this->attempt_json = true; } //woocommerce_get_refreshed_fragments if (isset($_POST['action']) && $_POST['action'] == 'woocommerce_get_refreshed_fragments') { - $this->target_language = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url); + $this->target_language = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url); $this->attempt_json = true; } if (isset($_POST['action']) && $_POST['action'] == 'woocommerce_add_to_cart') { - $this->target_language = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url); + $this->target_language = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url); $this->attempt_json = true; } - tp_logger(filter_input(INPUT_SERVER, 'REQUEST_URI'), 5); - if (strpos(filter_input(INPUT_SERVER, 'REQUEST_URI'), '/wpv-ajax-pagination/') === true) { + tp_logger(transposh_utils::get_clean_server_var('REQUEST_URI'), 5); + if (strpos(transposh_utils::get_clean_server_var('REQUEST_URI'), '/wpv-ajax-pagination/') === true) { tp_logger('wpv pagination', 5); - $this->target_language = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url); + $this->target_language = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url); } // load translation files for transposh 
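Review bot: The rewritten wpv check `if (strpos(transposh_utils::get_clean_server_var('REQUEST_URI'), '/wpv-ajax-pagination/') === true)` can never be taken, because strpos() returns an int or false, never true, so the 'wpv pagination' branch below it is dead code; the patch rewrote the line without fixing the comparison. Use `if (strpos(transposh_utils::get_clean_server_var('REQUEST_URI'), '/wpv-ajax-pagination/') !== false) {` (or str_contains() if the plugin's minimum PHP version allows it). on_init starts before the hunk and continues after it.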
@@ -627,24 +627,24 @@ function on_parse_request($wp) { // and this is not a special page or one that is refered by our site // bots can skip this altogether if (($this->options->enable_detect_redirect || $this->options->widget_allow_set_deflang || $this->options->enable_geoip_redirect) && - !($this->is_special_page(filter_input(INPUT_SERVER, 'REQUEST_URI')) || (filter_input(INPUT_SERVER, 'HTTP_REFERER') != null && strpos(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url) !== false)) && + !($this->is_special_page(transposh_utils::get_clean_server_var('REQUEST_URI')) || (transposh_utils::get_clean_server_var('HTTP_REFERER') != null && strpos(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url) !== false)) && !(transposh_utils::is_bot())) { // we are starting a session if needed if (!session_id()) { session_start(); } // no redirections if we already redirected in this session or we suspect cyclic redirections - if (!isset($_SESSION['TR_REDIRECTED']) && !(filter_input(INPUT_SERVER, 'HTTP_REFERER') == filter_input(INPUT_SERVER, 'REQUEST_URI'))) { + if (!isset($_SESSION['TR_REDIRECTED']) && !(transposh_utils::get_clean_server_var('HTTP_REFERER') == transposh_utils::get_clean_server_var('REQUEST_URI'))) { tp_logger('session redirection never happened (yet)', 2); // we redirect once per session $_SESSION['TR_REDIRECTED'] = true; // redirect according to stored lng cookie, and than according to detection if (isset($_COOKIE['TR_LNG']) && $this->options->widget_allow_set_deflang) { if ($_COOKIE['TR_LNG'] != $this->target_language) { - $url = transposh_utils::rewrite_url_lang_param(filter_input(INPUT_SERVER, "REQUEST_URI"), $this->home_url, $this->enable_permalinks_rewrite, $_COOKIE['TR_LNG'], $this->edit_mode); + $url = transposh_utils::rewrite_url_lang_param(transposh_utils::get_clean_server_var("REQUEST_URI"), $this->home_url, $this->enable_permalinks_rewrite, $_COOKIE['TR_LNG'], $this->edit_mode); if 
($this->options->is_default_language($_COOKIE['TR_LNG'])) //TODO - fix wrt translation - $url = transposh_utils::cleanup_url(filter_input(INPUT_SERVER, "REQUEST_URI"), $this->home_url); + $url = transposh_utils::cleanup_url(transposh_utils::get_clean_server_var("REQUEST_URI"), $this->home_url); tp_logger("redirected to $url because of cookie", 2); $this->tp_redirect($url); exit; @@ -659,10 +659,10 @@ function on_parse_request($wp) { $bestlang = transposh_utils::language_from_country(explode(',', $this->options->viewable_languages), $country, $this->options->default_language); } if ($bestlang && $bestlang != $this->target_language) { - $url = transposh_utils::rewrite_url_lang_param(filter_input(INPUT_SERVER, 'REQUEST_URI'), $this->home_url, $this->enable_permalinks_rewrite, $bestlang, $this->edit_mode); + $url = transposh_utils::rewrite_url_lang_param(transposh_utils::get_clean_server_var('REQUEST_URI'), $this->home_url, $this->enable_permalinks_rewrite, $bestlang, $this->edit_mode); if ($this->options->is_default_language($bestlang)) //TODO - fix wrt translation - $url = transposh_utils::cleanup_url(filter_input(INPUT_SERVER, 'REQUEST_URI'), $this->home_url); + $url = transposh_utils::cleanup_url(transposh_utils::get_clean_server_var('REQUEST_URI'), $this->home_url); tp_logger("redirected to $url because of bestlang", 2); $this->tp_redirect($url); exit; 
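Review bot: The redirect condition in on_parse_request now calls `transposh_utils::get_clean_server_var()` five times for the same two keys on one line, and the pattern repeats in the @@ -659, @@ -679 and @@ -688 hunks, which is harder to read than the filter_input() calls it replaces. Fetch the values once at the top of the function, `$request_uri = transposh_utils::get_clean_server_var('REQUEST_URI');` and `$referer = transposh_utils::get_clean_server_var('HTTP_REFERER');`, and use the locals in the conditions and the rewrite_url_lang_param()/cleanup_url() calls. With the locals in place the loose `!= null` and `==` comparisons on the referer can become `$referer !== null` and `$referer === $request_uri` at no extra cost. on_parse_request starts before the hunk.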
@@ -679,8 +679,8 @@ function on_parse_request($wp) { add_action('pre_get_posts', array(&$this, 'pre_post_search')); add_action('posts_where_request', array(&$this, 'posts_where_request')); } - if (transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url) && !transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'REQUEST_URI'), $this->home_url)) { - $this->tp_redirect(transposh_utils::rewrite_url_lang_param(filter_input(INPUT_SERVER, "REQUEST_URI"), $this->home_url, $this->enable_permalinks_rewrite, transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url), false)); //."&stop=y"); + if (transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url) && !transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('REQUEST_URI'), $this->home_url)) { + $this->tp_redirect(transposh_utils::rewrite_url_lang_param(transposh_utils::get_clean_server_var("REQUEST_URI"), $this->home_url, $this->enable_permalinks_rewrite, transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url), false)); //."&stop=y"); exit; } } @@ -688,7 +688,7 @@ function on_parse_request($wp) { $this->edit_mode = true; // redirect bots away from edit pages to avoid double indexing if (transposh_utils::is_bot()) { - $this->tp_redirect(transposh_utils::rewrite_url_lang_param(filter_input(INPUT_SERVER, "REQUEST_URI"), $this->home_url, $this->enable_permalinks_rewrite, transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, "REQUEST_URI"), $this->home_url), false), 301); + $this->tp_redirect(transposh_utils::rewrite_url_lang_param(transposh_utils::get_clean_server_var("REQUEST_URI"), $this->home_url, $this->enable_permalinks_rewrite, transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var("REQUEST_URI"), $this->home_url), false), 301); exit; } } else { 
@@ -938,7 +938,7 @@ function add_rel_alternate() { echo 'home_url); if ($lang && !$this->got_request) { tp_logger('Trying to find original url'); @@ -1334,7 +1334,7 @@ function request_filter($query) { * @return string */ function transposh_gettext_filter($translation, $orig, $domain) { - if ($this->is_special_page(filter_input(INPUT_SERVER, 'REQUEST_URI')) || ($this->options->is_default_language($this->tgl) && !$this->options->enable_default_translate)) { + if ($this->is_special_page(transposh_utils::get_clean_server_var('REQUEST_URI')) || ($this->options->is_default_language($this->tgl) && !$this->options->enable_default_translate)) { return $translation; } tp_logger("($translation, $orig, $domain)", 5); @@ -1356,7 +1356,7 @@ function transposh_gettext_filter($translation, $orig, $domain) { * @return string */ function transposh_ngettext_filter($translation, $single, $plural, $domain) { - if ($this->is_special_page(filter_input(INPUT_SERVER, 'REQUEST_URI')) || ($this->options->is_default_language($this->tgl) && !$this->options->enable_default_translate)) + if ($this->is_special_page(transposh_utils::get_clean_server_var('REQUEST_URI')) || ($this->options->is_default_language($this->tgl) && !$this->options->enable_default_translate)) return $translation; tp_logger("($translation, $single, $plural, $domain)", 4); if (in_array($domain, transposh_consts::$ignored_po_domains)) @@ -1374,7 +1374,7 @@ function transposh_ngettext_filter($translation, $single, $plural, $domain) { * @return string */ function transposh_locale_filter($locale) { - $lang = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'REQUEST_URI'), $this->home_url); + $lang = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('REQUEST_URI'), $this->home_url); if (!$this->options->is_active_language($lang)) { $lang = ''; } 
@@ -1473,8 +1473,8 @@ function on_ajax_nopriv_proxy() { // Check requester IP to be allowed $ips = json_decode($this->options->superproxy_ips); - if (!in_array(filter_input(INPUT_SERVER, 'REMOTE_ADDR'), $ips)) { - $errstr = "Error: 503: Unauthorized " . filter_input(INPUT_SERVER, 'REMOTE_ADDR'); + if (!in_array(transposh_utils::get_clean_server_var('REMOTE_ADDR'), $ips)) { + $errstr = "Error: 503: Unauthorized " . transposh_utils::get_clean_server_var('REMOTE_ADDR'); tp_logger($errstr); die($errstr); } @@ -1507,7 +1507,7 @@ function on_ajax_nopriv_proxy() { curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); // Handle POST method - if (filter_input(INPUT_SERVER, 'REQUEST_METHOD') === 'POST') { + if (transposh_utils::get_clean_server_var('REQUEST_METHOD') === 'POST') { //tp_logger($_POST); curl_setopt($ch, CURLOPT_POST, true); foreach ($_POST as $key => $value) { @@ -1682,7 +1682,7 @@ function get_yandex_translation($tl, $sl, $q) { curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); //must set agent for google to respond with utf-8 - $UA = filter_input(INPUT_SERVER, "HTTP_USER_AGENT", FILTER_DEFAULT); + $UA = transposh_utils::get_clean_server_var("HTTP_USER_AGENT", FILTER_DEFAULT); // tp_logger($UA,1); curl_setopt($ch, CURLOPT_USERAGENT, $UA); $output = curl_exec($ch); @@ -1888,7 +1888,7 @@ function get_google_translation($tl, $sl, $q) { curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); //must set agent for google to respond with utf-8 - $UA = filter_input(INPUT_SERVER, "HTTP_USER_AGENT", FILTER_DEFAULT); + $UA = transposh_utils::get_clean_server_var("HTTP_USER_AGENT"); tp_logger($UA, 1); curl_setopt($ch, CURLOPT_USERAGENT, $UA); curl_setopt($ch, CURLOPT_POST, true); 
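Review bot: The allow-list check `if (!in_array(transposh_utils::get_clean_server_var('REMOTE_ADDR'), $ips))` is a loose in_array(), and the value it receives is null when REMOTE_ADDR is unset (the helper falls through to $_SERVER and returns null), so a null or non-string entry in the decoded superproxy_ips list would compare equal under PHP's loose rules; this is an authorisation decision and should be strict. Use `if (!is_array($ips) || !in_array(transposh_utils::get_clean_server_var('REMOTE_ADDR'), $ips, true)) {`; the is_array() guard also covers json_decode() returning null for an empty or malformed option, which in_array() rejects with a TypeError on PHP 8. The rest of on_ajax_nopriv_proxy is outside the hunk.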
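Review bot: In get_yandex_translation the new line `$UA = transposh_utils::get_clean_server_var("HTTP_USER_AGENT", FILTER_DEFAULT);` passes a second argument that the helper does not declare; PHP silently discards extra arguments to user-defined functions, so it has no effect, and the parallel line in get_google_translation (@@ -1888) already drops it. Change it to `$UA = transposh_utils::get_clean_server_var('HTTP_USER_AGENT');` so both sites match and the leftover constant does not suggest the helper applies a filter. get_yandex_translation continues outside the hunk.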
@@ -1900,7 +1900,7 @@ function get_google_translation($tl, $sl, $q) { //if the attempt is 2 or more, we skip ipv6 and use an alternative user agent if ($attempt > 1) { curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4); - curl_setopt($ch, CURLOPT_USERAGENT, filter_input(INPUT_SERVER, 'HTTP_USER_AGENT')); + curl_setopt($ch, CURLOPT_USERAGENT, transposh_utils::get_clean_server_var('HTTP_USER_AGENT')); } $output = curl_exec($ch); $info = curl_getinfo($ch); 
@@ -2085,17 +2085,17 @@ function on_ajax_nopriv_tp_trans_alts() { // set the cookie with ajax, no redirect needed function on_ajax_nopriv_tp_cookie() { - setcookie('TR_LNG', transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url), time() + 90 * 24 * 60 * 60, COOKIEPATH, COOKIE_DOMAIN); - tp_logger('Cookie ' . transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url)); + setcookie('TR_LNG', transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url), time() + 90 * 24 * 60 * 60, COOKIEPATH, COOKIE_DOMAIN); + tp_logger('Cookie ' . transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url)); die(); } // Set our cookie and return (if no js works - or we are in the default language) function on_ajax_nopriv_tp_cookie_bck() { global $my_transposh_plugin; - setcookie('TR_LNG', transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url), time() + 90 * 24 * 60 * 60, COOKIEPATH, COOKIE_DOMAIN); - if (filter_input(INPUT_SERVER, 'HTTP_REFERER')) { - $this->tp_redirect(filter_input(INPUT_SERVER, 'HTTP_REFERER')); + setcookie('TR_LNG', transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url), time() + 90 * 24 * 60 * 60, COOKIEPATH, COOKIE_DOMAIN); + if (transposh_utils::get_clean_server_var('HTTP_REFERER')) { + $this->tp_redirect(transposh_utils::get_clean_server_var('HTTP_REFERER')); } else { $this->tp_redirect($my_transposh_plugin->home_url); } diff --git a/wp/transposh_3rdparty.php b/wp/transposh_3rdparty.php index 15735a8..b53220f 100644 --- a/wp/transposh_3rdparty.php +++ b/wp/transposh_3rdparty.php 
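Review bot: In on_ajax_nopriv_tp_cookie_bck the new line `$this->tp_redirect(transposh_utils::get_clean_server_var('HTTP_REFERER'));` sends the browser to the raw Referer header, which is client-supplied, and nothing in the hunk checks that it belongs to this site before redirecting; the helper returns the header unfiltered. Unless tp_redirect() (outside the hunk) validates the host itself, compare the referer against `$this->home_url` first, or route through `wp_safe_redirect()` which restricts the target to allowed hosts, and fall back to `$my_transposh_plugin->home_url` as the else branch already does. The same referer also feeds setcookie() via get_language_from_url(); whether that function rejects unknown language codes is not visible here.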
@@ -74,7 +74,7 @@ function add_analyticator_tracking() { function super_cache_invalidate() { //Now, we are actually using the referrer and not the request, with some precautions // check server[''] - $GLOBALS['wp_cache_request_uri'] = substr(filter_input(INPUT_SERVER, 'HTTP_REFERER'), stripos(filter_input(INPUT_SERVER, 'HTTP_REFERER'), filter_input(INPUT_SERVER, 'HTTP_HOST')) + strlen(filter_input(INPUT_SERVER, '') . filter_input(INPUT_SERVER, 'HTTP_HOST'))); + $GLOBALS['wp_cache_request_uri'] = substr(transposh_utils::get_clean_server_var('HTTP_REFERER'), stripos(transposh_utils::get_clean_server_var('HTTP_REFERER'), transposh_utils::get_clean_server_var('HTTP_HOST')) + strlen(transposh_utils::get_clean_server_var('HTTP_HOST'))); $GLOBALS['wp_cache_request_uri'] = preg_replace('/[ <>\'\"\r\n\t\(\)]/', '', str_replace('/index.php', '/', str_replace('..', '', preg_replace("/(\?.*)?$/", '', $GLOBALS['wp_cache_request_uri'])))); // get some supercache variables extract(wp_super_cache_init()); @@ -111,8 +111,8 @@ function super_cache_invalidate() { } function w3tc_invalidate() { - tp_logger("W3TC invalidate:" . filter_input(INPUT_SERVER, 'HTTP_REFERER')); - $id = url_to_postid(filter_input(INPUT_SERVER, 'HTTP_REFERER')); + tp_logger("W3TC invalidate:" . transposh_utils::get_clean_server_var('HTTP_REFERER')); + $id = url_to_postid(transposh_utils::get_clean_server_var('HTTP_REFERER')); if (is_numeric($id)) { tp_logger("W3TC invalidate post id: $id"); w3tc_pgcache_flush_post($id); 
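Review bot: The comment `// check server['']` just above the rewritten assignment in super_cache_invalidate referred to the `filter_input(INPUT_SERVER, '')` call that this hunk removes from the strlen() argument, so it is now stale; drop it or replace it with what the expression does, `// strip scheme and host from the referer, keeping the request path for the cache key`. The expression still assumes HTTP_HOST occurs in HTTP_REFERER: when stripos() returns false the offset silently becomes strlen(HTTP_HOST) and the cache path is computed from the wrong substring, so fetch the two headers once into `$referer`/`$host` and guard with `$pos = stripos($referer, $host); if ($pos === false) { return; }` — the right early-exit value depends on the rest of the function, which is outside the hunk.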
@@ -141,7 +141,7 @@ function bp_uri_filter($uri) { * @param type $url */ function bbp_get_search_results_url($url) { - $lang = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->home_url); + $lang = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->home_url); $href = transposh_utils::rewrite_url_lang_param($url, $this->transposh->home_url, $this->transposh->enable_permalinks_rewrite, $lang, false); return $href; } @@ -154,8 +154,8 @@ function bp_activity_after_save($params) { // we don't need to modify our own activity stream if ($params->type == 'new_translation') return; - if (transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->transposh->home_url)) - bp_activity_update_meta($params->id, 'tp_language', transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->transposh->home_url)); + if (transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->transposh->home_url)) + bp_activity_update_meta($params->id, 'tp_language', transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->transposh->home_url)); } /** @@ -335,7 +335,7 @@ function add_yoast_transposh_urls($yoast_url) { } function woo_uri_filter($url) { - $lang = transposh_utils::get_language_from_url(filter_input(INPUT_SERVER, 'HTTP_REFERER'), $this->transposh->home_url); + $lang = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->transposh->home_url); tp_logger('altering woo url to:' . transposh_utils::rewrite_url_lang_param($url, $this->transposh->home_url, $this->transposh->enable_permalinks_rewrite, $lang, $this->transposh->edit_mode)); return transposh_utils::rewrite_url_lang_param($url, $this->transposh->home_url, $this->transposh->enable_permalinks_rewrite, $lang, $this->transposh->edit_mode); } 
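Review bot: The rewritten line in bbp_get_search_results_url passes `$this->home_url` to get_language_from_url(), while the very next line and the other two hunks in this file (@@ -154, @@ -335) use `$this->transposh->home_url`; if transposh_3rdparty has no home_url property of its own, this reads an undefined property, yields null, and the language is derived against an empty base URL. Make it `$lang = transposh_utils::get_language_from_url(transposh_utils::get_clean_server_var('HTTP_REFERER'), $this->transposh->home_url);` to match the sibling methods.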
diff --git a/wp/transposh_admin.php b/wp/transposh_admin.php index 630c646..2ef69f4 100644 --- a/wp/transposh_admin.php +++ b/wp/transposh_admin.php @@ -770,7 +770,7 @@ function tp_advanced() { 4 => __('Information', TRANSPOSH_TEXT_DOMAIN), 5 => __('Debug', TRANSPOSH_TEXT_DOMAIN), )); - $this->textinput($this->transposh->options->debug_remoteip_o, '', sprintf(__('Remote debug IP (Your current IP is %s)', TRANSPOSH_TEXT_DOMAIN), filter_input(INPUT_SERVER, 'REMOTE_ADDR'))); + $this->textinput($this->transposh->options->debug_remoteip_o, '', sprintf(__('Remote debug IP (Your current IP is %s)', TRANSPOSH_TEXT_DOMAIN), transposh_utils::get_clean_server_var('REMOTE_ADDR'))); $this->sectionstop(); } diff --git a/wp/transposh_db.php b/wp/transposh_db.php index fab5990..727c4aa 100644 --- a/wp/transposh_db.php +++ b/wp/transposh_db.php @@ -373,7 +373,7 @@ function update_translation($by = "") { } if (!$by && !($all_editable && ($this->transposh->is_translator() || ($source > 0 && $this->transposh->options->enable_autotranslate)))) { - tp_logger("Unauthorized translation attempt " . filter_input(INPUT_SERVER,'REMOTE_ADDR'), 1); + tp_logger("Unauthorized translation attempt " . transposh_utils::get_clean_server_var('REMOTE_ADDR'), 1); header("HTTP/1.0 401 Unauthorized translation"); exit; } @@ -387,7 +387,7 @@ function update_translation($by = "") { $loguser = get_current_user_id(); } if (!$loguser) { - $loguser = filter_input(INPUT_SERVER,'REMOTE_ADDR'); + $loguser = transposh_utils::get_clean_server_var('REMOTE_ADDR'); } // reset values (for good code style) 
@@ -530,7 +530,7 @@ function get_translation_history($token, $lang) { // Check permissions, first the lanugage must be on the edit list. Then either the user // is a translator or automatic translation if it is enabled. if (!($this->transposh->options->is_active_language($lang) && $this->transposh->is_translator())) { - tp_logger("Unauthorized history request " . filter_input(INPUT_SERVER,'REMOTE_ADDR'), 1); + tp_logger("Unauthorized history request " . transposh_utils::get_clean_server_var('REMOTE_ADDR'), 1); header('HTTP/1.0 401 Unauthorized history'); exit; } @@ -557,7 +557,7 @@ function get_translation_history($token, $lang) { $rows = $GLOBALS['wpdb']->get_results($query); for ($i = 0; $i < count($rows); $i++) { - if (($rows[$i]->translated_by == filter_input(INPUT_SERVER,'REMOTE_ADDR') && $rows[$i]->source == '0') || (is_user_logged_in() && current_user_can(TRANSLATOR)) || current_user_can('manage_options')) { + if (($rows[$i]->translated_by == transposh_utils::get_clean_server_var('REMOTE_ADDR') && $rows[$i]->source == '0') || (is_user_logged_in() && current_user_can(TRANSLATOR)) || current_user_can('manage_options')) { $rows[$i]->can_delete = true; } } @@ -607,7 +607,7 @@ function del_translation_history($token, $langp, $timestampp) { tp_logger($query, 3); // We only delete if we found something to delete and it is allowed to delete it (user either did that - by ip, has the translator role or is an admin) - if (($inmaintable || $inlogtable) && (($rows[0]->translated_by == filter_input(INPUT_SERVER,'REMOTE_ADDR') && $rows[0]->source == '0') || (is_user_logged_in() && current_user_can(TRANSLATOR)) || current_user_can('manage_options'))) { + if (($inmaintable || $inlogtable) && (($rows[0]->translated_by == transposh_utils::get_clean_server_var('REMOTE_ADDR') && $rows[0]->source == '0') || (is_user_logged_in() && current_user_can(TRANSLATOR)) || current_user_can('manage_options'))) { // delete faulty record, if in log if ($inlogtable) { $query = "DELETE " . 
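Review bot: The permission test rewritten in get_translation_history, `$rows[$i]->translated_by == transposh_utils::get_clean_server_var('REMOTE_ADDR')`, and the same expression in del_translation_history (@@ -607) decide whether a row may be deleted using a loose `==`; the helper returns null when REMOTE_ADDR is absent, and under loose comparison null equals an empty translated_by value. Use `===` in both places, e.g. `$rows[$i]->translated_by === transposh_utils::get_clean_server_var('REMOTE_ADDR')`, and read the address once into a local before the loop instead of calling the helper on every iteration. Both enclosing functions start outside the hunk.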
@@ -667,7 +667,7 @@ function get_translation_alt($token) { // Check permissions if (!($this->transposh->is_translator())) { - tp_logger("Unauthorized alt request " . filter_input(INPUT_SERVER,'REMOTE_ADDR'), 1); + tp_logger("Unauthorized alt request " . transposh_utils::get_clean_server_var('REMOTE_ADDR'), 1); header('HTTP/1.0 401 Unauthorized alt request'); exit; } @@ -1002,7 +1002,7 @@ function deduplicate_auto() { $update = "DELETE FROM " . $this->translation_table . " WHERE $delvalues"; tp_logger($update, 3); $GLOBALS['wpdb']->query($update); - $this->cache_delete($row->original, $row->lang); + $this->cache_delete($row->original, $row->lang); } } } diff --git a/wp/transposh_editor.php b/wp/transposh_editor.php index 145ab55..bd9c089 100644 --- a/wp/transposh_editor.php +++ b/wp/transposh_editor.php @@ -172,8 +172,12 @@ function prepare_items() { $orderby = (!empty(filter_input(INPUT_GET, 'orderby', FILTER_SANITIZE_SPECIAL_CHARS)) ) ? filter_input(INPUT_GET, 'orderby', FILTER_SANITIZE_SPECIAL_CHARS) : 'timestamp'; $order = (!empty(filter_input(INPUT_GET, 'order', FILTER_SANITIZE_SPECIAL_CHARS)) ) ? filter_input(INPUT_GET, 'order', FILTER_SANITIZE_SPECIAL_CHARS) : 'desc'; // FIX CVE-2022-25811 - if (!in_array($orderby,['timestamp','lang','original','translated','translated_by'] )) {$orderby = "timestamp";} - if (!in_array($order,['asc','desc'] )) {$order = "desc";} + if (!in_array($orderby, ['timestamp', 'lang', 'original', 'translated', 'translated_by'])) { + $orderby = "timestamp"; + } + if (!in_array($order, ['asc', 'desc'])) { + $order = "desc"; + } //$per_page = 5; $user = get_current_user_id(); @@ -204,7 +208,7 @@ function render_table() { echo '

' . __('Translations', TRANSPOSH_TEXT_DOMAIN) . '

'; $this->prepare_items(); if ($this->filter) { - $current_url = set_url_scheme('http://' . filter_input(INPUT_SERVER, 'HTTP_HOST') . filter_input(INPUT_SERVER, 'REQUEST_URI')); + $current_url = set_url_scheme('http://' . transposh_utils::get_clean_server_var('HTTP_HOST') . transposh_utils::get_clean_server_var('REQUEST_URI')); echo (sprintf("%s
", esc_url(remove_query_arg(['action', 'ftb', 'fts', 'fl', 'paged'], $current_url)), __('Remove all filters'))); } @@ -269,7 +273,7 @@ function perform_actions() { tp_logger($this->filter); } - $s = htmlspecialchars(filter_input(INPUT_POST, 's', FILTER_DEFAULT, FILTER_NULL_ON_FAILURE)); + $s = htmlspecialchars(filter_input(INPUT_POST, 's', FILTER_DEFAULT, FILTER_NULL_ON_FAILURE)); if ($s) { if ($this->filter) { $this->filter .= " AND "; diff --git a/wp/transposh_widget.php b/wp/transposh_widget.php index f22e4c6..5f33826 100644 --- a/wp/transposh_widget.php +++ b/wp/transposh_widget.php @@ -86,15 +86,14 @@ function __construct() { parent::__construct('transposh', __('Transposh'), $widget_ops, $control_ops); // PHP 5.3 and up... - add_action('widgets_init', function() { + add_action('widgets_init', function () { register_widget("transposh_plugin_widget"); }); // add_action('widgets_init', create_function('', 'register_widget("transposh_plugin_widget");')); - // We only need to add those actions once, makes life simpler if (is_active_widget(false, false, $this->id_base) && self::$first_init) { self::$first_init = false; - if (!is_admin()) { + if (!is_admin()) { // is admin page add_action('wp_print_styles', array(&$this, 'add_transposh_widget_css')); add_action('wp_print_scripts', array(&$this, 'add_transposh_widget_js')); } @@ -156,8 +155,9 @@ function form($instance) { * Make sure that this feature would not be used to include files in weird locations * No more then one "/" no more than one "." - Also sanitize nonsense by WP */ + function sanitize_file($file) { - $slashcount=substr_count($file, '/'); + $slashcount = substr_count($file, '/'); if ($slashcount > 1) { return ""; // We would not like more than one degree of recursion } 
@@ -165,13 +165,14 @@ function sanitize_file($file) {
 return ""; // One dot should be enough for everyone - Bill Gates
 }
 if ($slashcount == 1) {
- list ($dir,$filename) = explode("/", $file);
- $newfile = sanitize_file_name($dir)."/".sanitize_file_name($filename);
+ list ($dir, $filename) = explode("/", $file);
+ $newfile = sanitize_file_name($dir) . "/" . sanitize_file_name($filename);
 } else {
 $newfile = sanitize_file_name($file);
 }
 return $newfile;
 }
+
 /**
 * Loads the subwidget class code
 */
@@ -181,7 +182,7 @@ function load_widget($file = "") {
 if ($file && $file[0] == '*') {
 $upload = wp_upload_dir();
 $upload_dir = $upload['basedir'] . '/' . TRANSPOSH_DIR_UPLOAD . '/' . TRANSPOSH_DIR_WIDGETS;
- $widget_src = $upload_dir . '/' . $this->sanitize_file (substr($file, 1));
+ $widget_src = $upload_dir . '/' . $this->sanitize_file(substr($file, 1));
 } else {
 $widget_src = $this->transposh->transposh_plugin_dir . TRANSPOSH_DIR_WIDGETS . '/' . $this->sanitize_file($file);
 }
@@ -306,7 +307,7 @@ function widget($args, $instance, $extcall = false) {
 // we load the class needed and get its base name for later
 if (isset($instance['widget_file'])) {
- $class = $this->load_widget($instance['widget_file']);
+ $class = $this->load_widget($instance['widget_file']);
 } else {
 $class = $this->load_widget();
 }
@@ -361,7 +362,7 @@ function widget($args, $instance, $extcall = false) {
 }
 // add the edit checkbox only for translators for languages marked as editable
 if ($this->transposh->is_editing_permitted()) {
- $ref = transposh_utils::rewrite_url_lang_param(filter_input(INPUT_SERVER,'REQUEST_URI'), $this->transposh->home_url, $this->transposh->enable_permalinks_rewrite, ($this->transposh->options->is_default_language($this->transposh->target_language) ? "" : $this->transposh->target_language), !$this->transposh->edit_mode);
+ $ref = transposh_utils::rewrite_url_lang_param(transposh_utils::get_clean_server_var('REQUEST_URI'), $this->transposh->home_url, $this->transposh->enable_permalinks_rewrite, ($this->transposh->options->is_default_language($this->transposh->target_language) ? "" : $this->transposh->target_language), !$this->transposh->edit_mode);
 echo 'transposh->edit_mode ? 'checked="checked" ' : '') . ' onclick="document.location.href=\'' . $ref . '\';"/> Edit Translation';
@@ -445,9 +446,9 @@ function get_widgets($widget_folder = '') {
 } else {
 return $tp_widgets;
 }
-
+
 // There was a closedir once here, but turned out it just caused strange issues
-
+
 if (empty($widget_files)) return $tp_widgets;
@@ -462,8 +463,8 @@ function get_widgets($widget_folder = '') {
 $tp_widgets[plugin_basename($widget_file)] = $widget_data;
 }
- uasort($tp_widgets, function($a, $b) {
- return strnatcasecmp( $a["Name"], $b["Name"] );
+ uasort($tp_widgets, function ($a, $b) {
+ return strnatcasecmp($a["Name"], $b["Name"]);
 });
 //uasort($tp_widgets, create_function('$a, $b', 'return strnatcasecmp( $a["Name"], $b["Name"] );'));
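Review bot: `$ref` in the `widget()` hunk is built from the request URI (now via `transposh_utils::get_clean_server_var('REQUEST_URI')`, which reads the same raw header value `filter_input` did and falls back to `$_SERVER`) and is then concatenated into the `onclick="document.location.href='...'"` attribute on the following echo line with no escaping visible here. Unless `rewrite_url_lang_param` escapes its result, which this hunk does not show, a crafted request path can terminate that JavaScript string early; the commit keeps the value flow unchanged rather than addressing it. Suggest `' onclick="document.location.href=\'' . esc_js($ref) . '\';"/>` (or building the link through `esc_url`), since the value lands in a JS-inside-HTML-attribute context. The enclosing `widget()` function starts and ends outside the hunk.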
