From 0ffd6046efb313aa5f6cd08755e5ed8b45d402ff Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Thu, 29 Jun 2023 20:43:07 +0200
Subject: [PATCH] SanitizingFunctionsTrait: make sure function names are checked case-insensitively

These functions should be self-contained, so should not presume that the sniff has already lowercased the function name before passing it. This fixes a bug as, in this case, the sniffs didn't actually lowercase the name before passing it to the Helper class methods, so the sniffs would throw false positives for non-lowercase function calls. Tested by adjusting some pre-existing tests for the `ValidatedSanitizedInput` sniff.
---
 WordPress/Helpers/SanitizingFunctionsTrait.php | 4 ++--
 .../Tests/Security/ValidatedSanitizedInputUnitTest.1.inc | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/WordPress/Helpers/SanitizingFunctionsTrait.php b/WordPress/Helpers/SanitizingFunctionsTrait.php
index f51d3f4e09..87a81e03ca 100644
--- a/WordPress/Helpers/SanitizingFunctionsTrait.php
+++ b/WordPress/Helpers/SanitizingFunctionsTrait.php
@@ -220,7 +220,7 @@ public function get_sanitizing_and_unslashing_functions() {
 	 * @return bool
 	 */
 	public function is_sanitizing_function( $functionName ) {
-		return isset( $this->get_sanitizing_functions()[ $functionName ] );
+		return isset( $this->get_sanitizing_functions()[ strtolower( $functionName ) ] );
 	}
 
 	/**
@@ -233,6 +233,6 @@ public function is_sanitizing_function( $functionName ) {
 	 * @return bool
 	 */
 	public function is_sanitizing_and_unslashing_function( $functionName ) {
-		return isset( $this->get_sanitizing_and_unslashing_functions()[ $functionName ] );
+		return isset( $this->get_sanitizing_and_unslashing_functions()[ strtolower ( $functionName ) ] );
 	}
 }
diff --git a/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.1.inc b/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.1.inc
index 1fa22be333..90dfd3322b 100644
--- a/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.1.inc
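Review bot: The added line in the second hunk (is_sanitizing_and_unslashing_function) writes `strtolower ( $functionName )` with a space before the opening parenthesis, while the first hunk writes `strtolower( $functionName )`; it should read `return isset( $this->get_sanitizing_and_unslashing_functions()[ strtolower( $functionName ) ] );` so both helpers use the same call style. Both lookups now rely on the arrays returned by get_sanitizing_functions() and get_sanitizing_and_unslashing_functions() being keyed by lowercase names; those getters are outside the hunks, so that contract is worth stating in each method's docblock, e.g. `Function names are matched case-insensitively; the lookup tables are expected to be keyed by lowercase names.` Lowercasing is the right normalisation here because PHP resolves function names case-insensitively, so a sniff that only recognised the lowercase spelling would miss sanitization that actually runs. Note that the previous array-offset lookup was silent for a non-string argument, whereas strtolower() on null emits a deprecation in PHP 8.1+; if any caller can pass null, the `@param` docblock (not visible in the hunk) should say a string is required or the method should guard with `is_string()`.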
+++ b/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.1.inc
@@ -94,7 +94,7 @@ switch ( do_something( wp_unslash( $_POST['foo'] ) ) ) {} // Bad.
 // Sanitization is required even when the value is being escaped.
 echo esc_html( wp_unslash( $_POST['foo'] ) ); // Bad.
-echo esc_html( sanitize_text_field( wp_unslash( $_POST['foo'] ) ) ); // Ok.
+echo esc_html( Sanitize_Text_Field( wp_unslash( $_POST['foo'] ) ) ); // Ok.
 $current_tax_slug = isset( $_GET['a'] ) ? sanitize_key( $_GET['a'] ) : false; // Ok.
 $current_tax_slug = isset( $_GET['a'] ) ? $_GET['a'] : false; // Bad x 2
@@ -105,7 +105,7 @@ echo sanitize_text_field( $_POST['foo545'] ); // Error for no validation, unslas
 echo array_map( 'sanitize_text_field', $_GET['test'] ); // Bad, no unslashing.
 echo Array_Map( 'sanitize_key', $_GET['test'] ); // Ok.
-foo( absint( $_GET['foo'] ) ); // Ok.
+foo( AbsINT( $_GET['foo'] ) ); // Ok.
 $ids = array_map( 'absint', $_GET['test'] ); // Ok.
 if ( is_array( $_GET['test'] ) ) {} // Ok.
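Review bot: The two adjusted fixture lines (`Sanitize_Text_Field` in the first hunk and `AbsINT` in the second) only prove that a mixed-case direct call is accepted; whether they also exercise is_sanitizing_and_unslashing_function() depends on which lookup table those two names belong to, which is not visible here. If neither is in the sanitizing-and-unslashing list, the second strtolower() change in the trait has no test, and one mixed-case call to a function from that list, marked `// Ok.`, would close the gap. The unchanged `array_map( 'absint', ... )` context line passes the name as a string literal rather than a call, so it presumably goes through a different code path and does not cover this change either — worth confirming against the sniff.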