Merged
18 changes: 17 additions & 1 deletion inc/sso/class-sso.php
Expand Up @@ -645,10 +645,26 @@ public function handle_already_logged_in_on_login_page(): void {
return;
}

// Check if this is an SSO flow (return_url param present)
// Check if this is an SSO flow (sso param or return_url param present)
$sso_action = $this->input('sso', '');


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Hardcoded 'sso' parameter name bypasses the wu_sso_get_url_path filter

Every other call site in this file retrieves the SSO URL path via $this->get_url_path(), which wraps apply_filters('wu_sso_get_url_path', 'sso', ...). Using a raw 'sso' literal here means that if wu_sso_get_url_path is filtered to a different value, $sso_action will always be empty and this branch of the SSO detection silently degrades to relying solely on return_url.

🐛 Proposed fix
-		$sso_action = $this->input('sso', '');
+		$sso_action = $this->input($this->get_url_path(), '');
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
$sso_action = $this->input('sso', '');
$sso_action = $this->input($this->get_url_path(), '');
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@inc/sso/class-sso.php` at line 649, The code uses a hardcoded 'sso' literal
when calling $this->input which bypasses the wu_sso_get_url_path filter; change
the call that sets $sso_action to use $this->get_url_path() instead of the
literal so the filtered URL path is respected (i.e. replace $this->input('sso',
'') with $this->input($this->get_url_path(), '')); ensure this change is applied
wherever $sso_action is set so apply_filters('wu_sso_get_url_path', 'sso', ...)
can take effect.

$return_url = $this->input('return_url', '');

// Also extract return_url from redirect_to if present
if ( empty($return_url) ) {
$redirect_to = $this->input('redirect_to', '');
if ( $redirect_to ) {
$parsed = wp_parse_url($redirect_to, PHP_URL_QUERY);
if ( $parsed ) {
parse_str($parsed, $query_params);
if ( ! empty($query_params['return_url']) ) {
$return_url = $query_params['return_url'];


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Missing URL sanitization on the extracted return_url

$query_params['return_url'] is derived from user-controlled redirect_to input via parse_str but is assigned without any sanitization. Per coding guidelines, wu_clean() or a WordPress sanitization function must be used. For a value treated as a URL, esc_url_raw() is the right choice.

🛡️ Proposed fix
-					$return_url = $query_params['return_url'];
+					$return_url = esc_url_raw($query_params['return_url']);

As per coding guidelines: "Use wu_clean() or WordPress sanitization functions for input sanitization".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
$return_url = $query_params['return_url'];
$return_url = esc_url_raw($query_params['return_url']);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@inc/sso/class-sso.php` at line 660, The extracted $query_params['return_url']
is assigned to $return_url without sanitization; update the code in the SSO
handling (where parse_str populates $query_params) to sanitize the value before
assignment by running it through a URL sanitizer (use esc_url_raw() per
guidelines or wu_clean() as an alternative) and ensure you check
isset($query_params['return_url']) and provide a safe fallback if missing/empty.

}
}
}
}

// Check for SSO flow - either sso param or return_url pointing to different domain
if ( empty($sso_action) && empty($return_url) ) {
return;
}
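Review bot: In the redirect_to fallback, the assignment $return_url = $query_params['return_url']; takes whatever parse_str() produced, so a query written as return_url[]=x yields an array rather than a string, and the final check if ( empty($sso_action) && empty($return_url) ) only tests emptiness although its comment says "return_url pointing to different domain". Suggest requiring is_string() on the extracted value and comparing its host, via wp_parse_url($return_url, PHP_URL_HOST), against the sites this install serves before treating the request as an SSO flow, unless the collapsed code below this hunk already does so. The same validation should apply to the direct $this->input('return_url', '') path so both sources of return_url are handled alike.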
