From d21d41000edfd6f2e2c361b02ca9ff1d9cfd3166 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Krzemin=CC=81ski?=
Date: Fri, 20 Dec 2024 16:03:01 +0100
Subject: [PATCH 1/8] Update argument type

---
 classes/class-connector.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/classes/class-connector.php b/classes/class-connector.php
index 066baf9e3..a1584f667 100644
--- a/classes/class-connector.php
+++ b/classes/class-connector.php
@@ -146,12 +146,12 @@ public function action_links( $links, $record ) {
 /**
 * Log handler
 *
- * @param string $message sprintf-ready error message string.
- * @param array $args sprintf (and extra) arguments to use.
- * @param int $object_id Target object id.
- * @param string $context Context of the event.
- * @param string $action Action of the event.
- * @param int $user_id User responsible for the event.
+ * @param string $message sprintf-ready error message string.
+ * @param array $args sprintf (and extra) arguments to use.
+ * @param int|null $object_id Target object id (if any).
+ * @param string $context Context of the event.
+ * @param string $action Action of the event.
+ * @param int $user_id User responsible for the event.
 *
 * @return bool
 */
From cbbf216ca699d7d1c374f30334ec3f84378ece1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Krzemin=CC=81ski?=
Date: Fri, 20 Dec 2024 16:07:03 +0100
Subject: [PATCH 2/8] Use different hook to track theme and plugin files changes

---
 connectors/class-connector-editor.php | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/connectors/class-connector-editor.php b/connectors/class-connector-editor.php
index 8a1fd12e2..9a7df70cb 100644
--- a/connectors/class-connector-editor.php
+++ b/connectors/class-connector-editor.php
@@ -46,8 +46,8 @@ class Connector_Editor extends Connector {
 */
 public function register() {
 parent::register();
- add_action( 'load-theme-editor.php', array( $this, 'get_edition_data' ) );
- add_action( 'load-plugin-editor.php', array( $this, 'get_edition_data' ) );
+
+ add_action( 'wp_ajax_edit-theme-plugin-file', array( $this, 'get_edition_data' ), 1 );
 add_filter( 'wp_redirect', array( $this, 'log_changes' ) );
 }
 
@@ -187,31 +187,30 @@ public function action_links( $links, $record ) {
 }
 
 /**
- * Retrieves data submitted on the screen, and prepares it for the appropriate context type
+ * Retrieves data submitted on the screen, prepares it for the appropriate context type and logs the changes
 *
- * @action load-theme-editor.php
- * @action load-plugin-editor.php
+ * @action wp_ajax_edit-theme-plugin-file
 */
 public function get_edition_data() {
- if (
- (
- isset( $_SERVER['REQUEST_METHOD'] )
- &&
- 'POST' !== sanitize_text_field( $_SERVER['REQUEST_METHOD'] )
- )
- ||
- 'update' !== wp_stream_filter_input( INPUT_POST, 'action' )
- ) {
+ $action = wp_stream_filter_input( INPUT_POST, 'action' );
+ $request_method = wp_stream_filter_input( INPUT_SERVER, 'REQUEST_METHOD' );
+
+ if ( ( isset( $request_method ) && 'POST' !== $request_method ) || ( 'edit-theme-plugin-file' !== $action ) ) {
 return;
 }
 
+ $location = null;
 $theme_slug = wp_stream_filter_input( INPUT_POST, 'theme' );
+
 if ( $theme_slug ) {
+ $location = 'theme-editor.php';
 $this->edited_file = $this->get_theme_data( $theme_slug );
 }
 
 $plugin_slug = wp_stream_filter_input( INPUT_POST, 'plugin' );
+
 if ( $plugin_slug ) {
+ $location = 'plugin-editor.php';
 $this->edited_file = $this->get_plugin_data( $plugin_slug );
 }
 }
From ae010250bc14e4ef389f893e8de6f08fae1958c2 Mon Sep 17 00:00:00 2001
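Review bot: Registering `get_edition_data` on `wp_ajax_edit-theme-plugin-file` at priority 1 makes the pre-edit snapshot depend on running before WordPress core's own handler for that action, which core also registers at priority 1 (from memory) and which, I believe, ends the request with `wp_die()` after writing the file; the order between two priority-1 callbacks is decided purely by registration order, so a later-loading plugin or a bootstrap change would silently stop the snapshot from ever being taken. Removing the tie is a one-character change: `add_action( 'wp_ajax_edit-theme-plugin-file', array( $this, 'get_edition_data' ), 0 );`. A short comment on that line, e.g. `// Must run before core's handler writes the file so the md5 snapshot is of the original.`, would explain the priority, which nothing in `register()` currently does.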
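Review bot: The `isset( $request_method )` guard in the new condition turns the POST requirement into a no-op whenever `wp_stream_filter_input( INPUT_SERVER, 'REQUEST_METHOD' )` yields null, which — if that helper wraps PHP's `filter_input()` — is the documented behaviour on several FastCGI/FPM setups where `INPUT_SERVER` is not populated; the removed code read `$_SERVER['REQUEST_METHOD']` directly and did not have this gap. Since `$action` is read from `INPUT_POST` only, a non-POST request already fails `'edit-theme-plugin-file' !== $action`, so the method check adds nothing and I would reduce the condition to `if ( 'edit-theme-plugin-file' !== $action ) { return; }` rather than keep a check that only sometimes applies. Separately, when both `theme` and `plugin` are posted the plugin branch silently overwrites the `$location` and `$this->edited_file` set by the theme branch; an `elseif ( $plugin_slug )` would make the precedence explicit.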
From: =?UTF-8?q?Marcin=20Krzemin=CC=81ski?=
Date: Fri, 20 Dec 2024 16:07:49 +0100
Subject: [PATCH 3/8] Log changes directly instead via hook

---
 connectors/class-connector-editor.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/connectors/class-connector-editor.php b/connectors/class-connector-editor.php
index 9a7df70cb..1d8f9d89a 100644
--- a/connectors/class-connector-editor.php
+++ b/connectors/class-connector-editor.php
@@ -48,7 +48,6 @@ public function register() {
 parent::register();
 
 add_action( 'wp_ajax_edit-theme-plugin-file', array( $this, 'get_edition_data' ), 1 );
- add_filter( 'wp_redirect', array( $this, 'log_changes' ) );
 }
 
 /**
@@ -213,6 +212,8 @@ public function get_edition_data() {
 $location = 'plugin-editor.php';
 $this->edited_file = $this->get_plugin_data( $plugin_slug );
 }
+
+ $this->log_changes( $location );
 }
 
 /**
@@ -297,14 +298,12 @@ public function get_plugin_data( $slug ) {
 /**
 * Logs changes
 *
- * @filter wp_redirect
- *
 * @param string $location Location.
 */
 public function log_changes( $location ) {
 if ( ! empty( $this->edited_file ) ) {
 // TODO: phpcs fix.
- if ( md5_file( $this->edited_file['file_path'] ) !== $this->edited_file['file_md5'] ) {
+ if ( md5_file( $this->edited_file['file_path'] ) === $this->edited_file['file_md5'] ) {
 $context = $this->get_context( $location );
 
 switch ( $context ) {
From 066cb81cbd92cf74584583feaa49fb4000f88eb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Krzemin=CC=81ski?=
Date: Fri, 20 Dec 2024 16:08:21 +0100
Subject: [PATCH 4/8] Remove obsolete todo

---
 connectors/class-connector-editor.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/connectors/class-connector-editor.php b/connectors/class-connector-editor.php
index 1d8f9d89a..022d38a56 100644
--- a/connectors/class-connector-editor.php
+++ b/connectors/class-connector-editor.php
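Review bot: Flipping the hash comparison in `log_changes()` to `===` means an edit is now recorded precisely when the file is unchanged, and with the direct `$this->log_changes( $location )` call added to `get_edition_data()` that is always the case: the callback is hooked at priority 1 on the same AJAX action and, if it runs before core's handler as that priority suggests, `md5_file()` is compared against a snapshot taken moments earlier in the same request, before anything has been written. The connector therefore no longer observes a change at all; every request that passes its own checks is logged as a completed edit, including ones core presumably rejects afterwards (capability or nonce failure, unwritable file, a syntax check that rolls the file back), which makes the audit trail unreliable for exactly the events it exists to capture. If the intent is to log attempts, the event wording should say so; if it is to log actual changes, defer the comparison until core has run, e.g. replace the direct call with `add_action( 'shutdown', function () use ( $location ) { $this->log_changes( $location ); } );` and restore `!==` in the comparison. The body of `log_changes()` continues past the end of this hunk, so I could not check what it does with a null `$location`.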
@@ -302,7 +302,6 @@ public function get_plugin_data( $slug ) {
 */
 public function log_changes( $location ) {
 if ( ! empty( $this->edited_file ) ) {
- // TODO: phpcs fix.
 if ( md5_file( $this->edited_file['file_path'] ) === $this->edited_file['file_md5'] ) {
 $context = $this->get_context( $location );
 
From a21ad93b65470a42ec1ac78eca036d21ea0cc7f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Krzemin=CC=81ski?=
Date: Fri, 20 Dec 2024 16:09:09 +0100
Subject: [PATCH 5/8] Add missing types for log method

---
 connectors/class-connector-editor.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/connectors/class-connector-editor.php b/connectors/class-connector-editor.php
index 022d38a56..ff6bc2c2a 100644
--- a/connectors/class-connector-editor.php
+++ b/connectors/class-connector-editor.php
@@ -300,7 +300,7 @@ public function get_plugin_data( $slug ) {
 *
 * @param string $location Location.
 */
- public function log_changes( $location ) {
+ public function log_changes( string $location ): string {
 if ( ! empty( $this->edited_file ) ) {
 if ( md5_file( $this->edited_file['file_path'] ) === $this->edited_file['file_md5'] ) {
 $context = $this->get_context( $location );
From f41e89ae4f49558abbac7e7c72bfac657026359f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Krzemin=CC=81ski?=
Date: Mon, 23 Dec 2024 21:10:37 +0100
Subject: [PATCH 6/8] Don't log if location empty

---
 connectors/class-connector-editor.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/connectors/class-connector-editor.php b/connectors/class-connector-editor.php
index ff6bc2c2a..615361529 100644
--- a/connectors/class-connector-editor.php
+++ b/connectors/class-connector-editor.php
@@ -213,6 +213,10 @@ public function get_edition_data() {
 $this->edited_file = $this->get_plugin_data( $plugin_slug );
 }
 
+ if ( ! $location ) {
+ return;
+ }
+
 $this->log_changes( $location );
 }
 
From c76e5b2b3f5f9f6eeb6cce1043f2ece157fb83f7 Mon Sep 17 00:00:00 2001
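Review bot: The new `: string` return type on `log_changes()` is not reflected in the docblock, which still documents only `@param string $location`; add `@return string The $location passed in, returned unchanged.` so the next reader understands the value is a leftover of the former `wp_redirect` filter contract rather than a result anyone consumes. Declaring the return type also requires every path through the method to return a string, and the method body continues past the end of this hunk, so I could not confirm that holds for the early-exit paths; a quick check of the full body is worthwhile before relying on the signature.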
From: =?UTF-8?q?Marcin=20Krzemin=CC=81ski?=
Date: Mon, 23 Dec 2024 21:36:36 +0100
Subject: [PATCH 7/8] Check user capabilities first

---
 connectors/class-connector-editor.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/connectors/class-connector-editor.php b/connectors/class-connector-editor.php
index 615361529..4e67e93d9 100644
--- a/connectors/class-connector-editor.php
+++ b/connectors/class-connector-editor.php
@@ -191,6 +191,10 @@ public function action_links( $links, $record ) {
 * @action wp_ajax_edit-theme-plugin-file
 */
 public function get_edition_data() {
+ if ( ! current_user_can( 'edit_theme_options' ) ) {
+ return;
+ }
+
 $action = wp_stream_filter_input( INPUT_POST, 'action' );
 $request_method = wp_stream_filter_input( INPUT_SERVER, 'REQUEST_METHOD' );
 
From 697b10ed20a813119899dac3b7e6537230ceb7d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Krzemin=CC=81ski?=
Date: Mon, 23 Dec 2024 21:36:54 +0100
Subject: [PATCH 8/8] Verify nonce for theme and plugin edits

---
 connectors/class-connector-editor.php | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/connectors/class-connector-editor.php b/connectors/class-connector-editor.php
index 4e67e93d9..a85ca7437 100644
--- a/connectors/class-connector-editor.php
+++ b/connectors/class-connector-editor.php
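Review bot: `edit_theme_options` is the wrong gate for this callback: it is the customizer/widgets capability, whereas the file editor behind `edit-theme-plugin-file` is, as far as I recall, gated by core on `edit_themes` for themes and `edit_plugins` for plugins (both of which `DISALLOW_FILE_EDIT` / `DISALLOW_FILE_MODS` map away). As written, a user who holds `edit_theme_options` but not `edit_plugins` passes this check and, because the connector logs before core's write happens, can still have a plugin edit recorded that core then refuses; conversely the check adds no protection core does not already provide. Mirror core's requirement instead: `$cap = wp_stream_filter_input( INPUT_POST, 'plugin' ) ? 'edit_plugins' : 'edit_themes';` followed by `if ( ! current_user_can( $cap ) ) { return; }`, with a one-line comment that the capability is chosen to match the file editor's own check. `get_edition_data()` continues past the end of this hunk.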
@@ -197,21 +197,29 @@ public function get_edition_data() {
 $action = wp_stream_filter_input( INPUT_POST, 'action' );
 $request_method = wp_stream_filter_input( INPUT_SERVER, 'REQUEST_METHOD' );
 
+ $theme_slug = wp_stream_filter_input( INPUT_POST, 'theme' );
+ $plugin_slug = wp_stream_filter_input( INPUT_POST, 'plugin' );
+ $relative_file = wp_stream_filter_input( INPUT_POST, 'file' );
+
+ if ( ! empty( $theme_slug ) && ! check_admin_referer( 'edit-theme_' . $theme_slug . '_' . $relative_file, 'nonce' ) ) {
+ return;
+ }
+
+ if ( ! empty( $plugin_slug ) && ! check_admin_referer( 'edit-plugin_' . $relative_file, 'nonce' ) ) {
+ return;
+ }
 if ( ( isset( $request_method ) && 'POST' !== $request_method ) || ( 'edit-theme-plugin-file' !== $action ) ) {
 return;
 }
 
 $location = null;
- $theme_slug = wp_stream_filter_input( INPUT_POST, 'theme' );
 
 if ( $theme_slug ) {
 $location = 'theme-editor.php';
 $this->edited_file = $this->get_theme_data( $theme_slug );
 }
 
- $plugin_slug = wp_stream_filter_input( INPUT_POST, 'plugin' );
-
 if ( $plugin_slug ) {
 $location = 'plugin-editor.php';
 $this->edited_file = $this->get_plugin_data( $plugin_slug );