Diffstat (limited to 'plugins/jetpack/modules/protect/shared-functions.php')
-rw-r--r--plugins/jetpack/modules/protect/shared-functions.php15
1 files changed, 9 insertions, 6 deletions
diff --git a/plugins/jetpack/modules/protect/shared-functions.php b/plugins/jetpack/modules/protect/shared-functions.php
index 1091260f..1ce9ba0c 100644
--- a/plugins/jetpack/modules/protect/shared-functions.php
+++ b/plugins/jetpack/modules/protect/shared-functions.php
@@ -1,7 +1,10 @@
<?php
/**
* These functions are shared by the Protect module and its related json-endpoints
+ *
+ * @package automattic/jetpack
*/
+
/**
* Returns an array of IP objects that will never be blocked by the Protect module
*
@@ -12,7 +15,7 @@
*/
function jetpack_protect_format_whitelist() {
$local_whitelist = jetpack_protect_get_local_whitelist();
- $formatted = array(
+ $formatted = array(
'local' => array(),
);
foreach ( $local_whitelist as $item ) {
@@ -161,11 +164,11 @@ function jetpack_protect_save_whitelist( $whitelist, $global = false ) {
function jetpack_protect_get_ip() {
$trusted_header_data = get_site_option( 'trusted_ip_header' );
if ( isset( $trusted_header_data->trusted_header ) && isset( $_SERVER[ $trusted_header_data->trusted_header ] ) ) {
- $ip = $_SERVER[ $trusted_header_data->trusted_header ];
+ $ip = wp_unslash( $_SERVER[ $trusted_header_data->trusted_header ] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- jetpack_clean_ip does it below.
$segments = $trusted_header_data->segments;
$reverse_order = $trusted_header_data->reverse;
} else {
- $ip = $_SERVER['REMOTE_ADDR'];
+ $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? wp_unslash( $_SERVER['REMOTE_ADDR'] ) : null; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- jetpack_clean_ip does it below.
}
if ( ! $ip ) {
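Review bot: The REMOTE_ADDR read on the `+` line of the else branch is duplicated verbatim, phpcs annotation included, at the return in the later hunk (@@ -186), so the unslash-and-default logic now lives in two places that can drift. Reading it once at the top of the function removes the duplication: `$remote_addr = isset( $_SERVER['REMOTE_ADDR'] ) ? wp_unslash( $_SERVER['REMOTE_ADDR'] ) : null;`, then `$ip = $remote_addr;` in the else branch and `return jetpack_clean_ip( $remote_addr );` in the later hunk. The trusted-header branch takes the configured header as authoritative, which is only correct when the edge proxy overwrites that header on every request; a one-line comment above `$trusted_header_data = get_site_option( 'trusted_ip_header' );` stating that assumption would tell the next maintainer where the trust boundary is. The phpcs note defers sanitisation to jetpack_clean_ip, but only explode/trim/strtolower are visible in this diff, so whether the value is validated as an IP afterwards cannot be confirmed here; jetpack_protect_get_ip's body continues past the hunk.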
@@ -186,7 +189,7 @@ function jetpack_protect_get_ip() {
$the_one = $ip_count - $segments;
return jetpack_clean_ip( $ips[ $the_one ] );
} else {
- return jetpack_clean_ip( $_SERVER['REMOTE_ADDR'] );
+ return jetpack_clean_ip( isset( $_SERVER['REMOTE_ADDR'] ) ? wp_unslash( $_SERVER['REMOTE_ADDR'] ) : null ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- jetpack_clean_ip does it.
}
}
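Review bot: The fallback on the `+` line passes `null` into jetpack_clean_ip when REMOTE_ADDR is absent, and jetpack_clean_ip hands that value straight to `explode( ' unless ', $ip )` (visible in the next hunk), which is deprecated for a null string on PHP 8.1+ and silently turns the missing address into an empty string instead of rejecting it. This branch is reachable with a trusted header present but REMOTE_ADDR unset, so the earlier `if ( ! $ip )` guard does not cover it. Either pass a string, `return jetpack_clean_ip( isset( $_SERVER['REMOTE_ADDR'] ) ? wp_unslash( $_SERVER['REMOTE_ADDR'] ) : '' );`, or bail out here the same way the `if ( ! $ip )` guard does (that guard's body is outside the hunk). Whether jetpack_clean_ip validates the result as an IP afterwards is not visible in this diff.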
@@ -201,7 +204,7 @@ function jetpack_clean_ip( $ip ) {
// Some misconfigured servers give back extra info, which comes after "unless".
$ips = explode( ' unless ', $ip );
- $ip = $ips[0];
+ $ip = $ips[0];
$ip = strtolower( trim( $ip ) );
@@ -243,7 +246,7 @@ function jetpack_protect_ip_is_private( $ip ) {
'169.254.0.0|169.254.255.255', // Link-local address also referred to as Automatic Private IP Addressing.
'127.0.0.0|127.255.255.255', // localhost.
);
- $long_ip = ip2long( $ip );
+ $long_ip = ip2long( $ip );
if ( -1 !== $long_ip ) {
foreach ( $private_ip4_addresses as $pri_addr ) {
list ( $start, $end ) = explode( '|', $pri_addr );