Making WordPress.org


Ignore:
Timestamp:
12/16/2021 04:21:13 AM (2 years ago)
Author:
dd32
Message:

Plugin Directory: Readme Validator: Protect inputs against vulnerability scanners sending junk inputs.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-readme-validator.php

    r10796 r11381  
    1818            }
    1919
    20             $readme_url      = $_REQUEST['readme'] ?? '';
    21             $readme_contents = $_POST['readme_contents'] ?? '';
    22             $readme_contents = base64_decode( wp_unslash( $readme_contents ) );
     20            $readme_url      = '';
     21            $readme_contents = '';
     22            if ( ! empty( $_REQUEST['readme'] ) && is_string( $_REQUEST['readme'] ) ) {
     23                $readme_url = $_REQUEST['readme'];
     24            }
     25            if ( ! empty( $_POST['readme_contents'] ) && is_string( $_POST['readme_contents'] ) ) {
     26                $readme_contents = base64_decode( wp_unslash( $_POST['readme_contents'] ) );
     27            }
    2328            ?>
    2429
     
    5964     */
    6065    protected static function validate_readme() {
    61         if ( ! empty( $_REQUEST['readme'] ) ) {
     66        if ( ! empty( $_REQUEST['readme'] ) && is_string( $_REQUEST['readme'] ) ) {
    6267            $errors = Validator::instance()->validate_url( wp_unslash( $_REQUEST['readme'] ) );
    6368
    64         } elseif ( ! empty( $_POST['readme_contents'] ) ) {
     69        } elseif ( ! empty( $_POST['readme_contents'] ) && is_string( $_POST['readme_contents'] ) ) {
    6570            $errors = Validator::instance()->validate_content( base64_decode( wp_unslash( $_REQUEST['readme_contents'] ) ) );
    6671
Note: See TracChangeset for help on using the changeset viewer.