Fix [email protected] deprecation errors and enhance security checks #277

Merged
merged 2 commits into from
Oct 18, 2023
Merged
2 changes: 1 addition & 1 deletion admin/partials/rt-transcoder-admin-display.php
Expand Up @@ -8,7 +8,7 @@
* @subpackage Transcoder/Admin/Partials
*/

$current_page = transcoder_filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING );
$current_page = transcoder_filter_input( INPUT_GET, 'page', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
?>
<div class="wrap">
<h1 class="rtm-option-title">
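Review bot: `$current_page` in rt-transcoder-admin-display.php is now an HTML-entity-encoded value (FILTER_SANITIZE_FULL_SPECIAL_CHARS, plus sanitize_text_field() via the helper), which is an output-style transform applied to a routing value; that is harmless for comparing against known page slugs, but its later use is outside this hunk, so it should not be relied on as a substitute for escaping at the point of output. A one-line comment would pin the contract: `// Entity-encoded routing slug: compare against known page slugs only; still esc_attr()/esc_html() when printing.`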
35 changes: 15 additions & 20 deletions admin/rt-retranscode-admin.php
Expand Up @@ -122,7 +122,6 @@ public function add_admin_menu() {
'rt-retranscoder',
array( $this, 'retranscode_interface' )
);

}

/**
Expand Down Expand Up @@ -230,7 +229,7 @@ public function add_bulk_actions_via_javascript() {
?>
<script type="text/javascript">
jQuery(document).ready(function($){
$('select[name^="action"] option:last-child').before('<option value="bulk_retranscode_media"><?php echo esc_attr( __( 'Retranscode Media', 'transcoder' ) ); ?></option>');
$('select[name^="action"] option:last-child').before('<option value="bulk_retranscode_media"><?php esc_html_e( 'Retranscode Media', 'transcoder' ); ?></option>');
});
</script>
<?php
Expand All @@ -242,8 +241,8 @@ public function add_bulk_actions_via_javascript() {
* @return void
*/
public function bulk_action_handler() {
$action = transcoder_filter_input( INPUT_GET, 'action', FILTER_SANITIZE_STRING );
$action2 = transcoder_filter_input( INPUT_GET, 'action2', FILTER_SANITIZE_STRING );
$action = transcoder_filter_input( INPUT_GET, 'action', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$action2 = transcoder_filter_input( INPUT_GET, 'action2', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$media = transcoder_filter_input( INPUT_GET, 'media', FILTER_SANITIZE_NUMBER_INT, FILTER_REQUIRE_ARRAY );

if ( empty( $action ) || empty( $media ) || ! is_array( $media ) ||
Expand Down Expand Up @@ -300,7 +299,7 @@ public function retranscode_interface() {

// Create the list of image IDs.
$usage_info = get_site_option( 'rt-transcoding-usage' );
$ids = transcoder_filter_input( INPUT_GET, 'ids', FILTER_SANITIZE_STRING );
$ids = transcoder_filter_input( INPUT_GET, 'ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
if ( ! empty( $ids ) ) {
$media = array_map( 'intval', explode( ',', trim( $ids, ',' ) ) );
$ids = implode( ',', $media );
Expand Down Expand Up @@ -372,7 +371,7 @@ public function retranscode_interface() {
<table border=0>
?>
<tr>
<td><input type="submit" class="button button-primary button-small" value="<?php echo esc_html__( 'Proceed with retranscoding', 'transcoder' ); ?>"></td>
<td><input type="submit" class="button button-primary button-small" value="<?php esc_attr_e( 'Proceed with retranscoding', 'transcoder' ); ?>"></td>
<td></td>
</tr>
<?php
Expand All @@ -386,7 +385,7 @@ public function retranscode_interface() {
}
?>
<tr>
<td><input type="submit" class="button button-primary button-small" value="<?php esc_html_e( 'Proceed with retranscoding', 'transcoder' ); ?>" ></td>
<td><input type="submit" class="button button-primary button-small" value="<?php esc_attr_e( 'Proceed with retranscoding', 'transcoder' ); ?>" ></td>
<td></td>
</tr>
</table>
Expand Down Expand Up @@ -422,7 +421,7 @@ public function retranscode_interface() {
<div id="retranscodemedia-bar-percent" style="position:absolute;left:50%;top:50%;width:300px;margin-left:-150px;height:25px;margin-top:-9px;font-weight:bold;text-align:center;"></div>
</div>

<p><input type="button" class="button hide-if-no-js" name="retranscodemedia-stop" id="retranscodemedia-stop" value="<?php esc_html_e( 'Abort the Operation', 'transcoder' ); ?>" /></p>
<p><input type="button" class="button hide-if-no-js" name="retranscodemedia-stop" id="retranscodemedia-stop" value="<?php esc_attr_e( 'Abort the Operation', 'transcoder' ); ?>" /></p>

<h3 class="title"><?php esc_html_e( 'Debugging Information', 'transcoder' ); ?></h3>

Expand Down Expand Up @@ -594,7 +593,7 @@ function RetranscodeMedia( id ) {

<p><?php esc_html_e( 'To begin, just press the button below.', 'transcoder' ); ?></p>

<p><input type="submit" class="button hide-if-no-js button button-primary" name="rt-retranscoder" id="rt-retranscoder" value="<?php esc_html_e( 'Retranscode All Media', 'transcoder' ); ?>" /></p>
<p><input type="submit" class="button hide-if-no-js button button-primary" name="rt-retranscoder" id="rt-retranscoder" value="<?php esc_attr_e( 'Retranscode All Media', 'transcoder' ); ?>" /></p>

<noscript><p><em><?php esc_html_e( 'You must enable Javascript in order to proceed!', 'transcoder' ); ?></em></p></noscript>

Expand Down Expand Up @@ -717,10 +716,10 @@ public function die_json_error_msg( $id, $message ) {
/**
* Helper function to escape quotes in strings for use in Javascript
*
* @param string $string String to escape quotes from.
* @param string $str String to escape quotes from.
*/
public function esc_quotes( $string ) {
return str_replace( '"', '\"', $string );
public function esc_quotes( $str ) {
return str_replace( '"', '\"', $str );
}

/**
Expand All @@ -744,7 +743,7 @@ private function retranscode_admin_error_notice() {
* @param number $media_id Post ID of the media.
* @param array $post_request Post request coming for the transcoder API.
*/
public function rtt_before_thumbnail_store( $media_id = '', $post_request = '' ) {
public function rtt_before_thumbnail_store( $media_id = '', $post_request = '' ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.FoundAfterLastUsed
if ( empty( $media_id ) ) {
return;
}
Expand All @@ -767,7 +766,6 @@ public function rtt_before_thumbnail_store( $media_id = '', $post_request = '' )
rtt_delete_transcoded_files( $previous_thumbs );
}
delete_post_meta( $media_id, '_rt_media_thumbnails' );

}

/**
Expand All @@ -776,7 +774,7 @@ public function rtt_before_thumbnail_store( $media_id = '', $post_request = '' )
* @param number $media_id Post ID of the media.
* @param array $transcoded_files Post request coming for the transcoder API.
*/
public function rtt_before_transcoded_media_store( $media_id = '', $transcoded_files = '' ) {
public function rtt_before_transcoded_media_store( $media_id = '', $transcoded_files = '' ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.FoundAfterLastUsed
if ( empty( $media_id ) ) {
return;
}
Expand All @@ -791,7 +789,6 @@ public function rtt_before_transcoded_media_store( $media_id = '', $transcoded_f
}
}
delete_post_meta( $media_id, '_rt_media_transcoded_files' );

}

/**
Expand Down Expand Up @@ -872,7 +869,7 @@ public function transcoded_thumbnails_added( $media_id = '' ) {
* @param number $attachment_id Post ID of the media.
* @param string $job_id Unique job ID of the transcoding request.
*/
public function rtt_handle_callback_finished( $attachment_id = '', $job_id = '' ) {
public function rtt_handle_callback_finished( $attachment_id = '', $job_id = '' ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.FoundAfterLastUsed
if ( empty( $attachment_id ) ) {
return;
}
Expand All @@ -884,7 +881,6 @@ public function rtt_handle_callback_finished( $attachment_id = '', $job_id = ''
delete_post_meta( $attachment_id, '_rt_retranscoding_sent' );

}

}

/**
Expand Down Expand Up @@ -1015,7 +1011,6 @@ public function add_search_mime_types( $where ) {
$where .= " AND post_mime_type LIKE 'audio/%' OR post_mime_type LIKE 'video/%'";
return $where;
}

}

// Start up this plugin.
Expand All @@ -1024,7 +1019,7 @@ public function add_search_mime_types( $where ) {
/**
* Execute RetranscodeMedia constructor.
*/
function retranscode_media() {
function retranscode_media() { // phpcs:ignore Universal.Files.SeparateFunctionsFromOO.Mixed

global $RetranscodeMedia; // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase

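Review bot: `esc_quotes` (the hunk only renames its parameter) is not a safe JavaScript string escaper: it rewrites `"` to `\"` but leaves backslashes, newlines and `</script>` untouched, so an input ending in `\"` becomes `\\"`, which terminates the JS string literal. Any caller that interpolates untrusted text (media titles, file names) into the inline script in `retranscode_interface` should use `esc_js()` or `wp_json_encode()` instead, and the docblock should say so: `* @deprecated Only handles double quotes; use esc_js() or wp_json_encode() for JS context.` The callers are outside the visible lines, so whether untrusted data actually reaches it here is not confirmed. Separately, `bulk_action_handler` reads `action`, `action2` and `media` from GET with no nonce or capability check visible in the hunk; its condition continues past the hunk, so confirm that a `check_admin_referer()` for the bulk-media nonce and a `current_user_can()` check are enforced before any media is queued.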
4 changes: 2 additions & 2 deletions admin/rt-transcoder-admin.php
Expand Up @@ -185,7 +185,7 @@ public function disable_encoding() {
public function enqueue_scripts_styles() {
global $pagenow;

$page = transcoder_filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING );
$page = transcoder_filter_input( INPUT_GET, 'page', FILTER_SANITIZE_FULL_SPECIAL_CHARS );

if ( 'admin.php' !== $pagenow || 'rt-transcoder' !== $page ) {
return;
Expand Down Expand Up @@ -377,7 +377,7 @@ public function edit_video_thumbnail_( $form_fields, $post ) {
*/
public function save_video_thumbnail( $post ) {

$rtmedia_thumbnail = transcoder_filter_input( INPUT_POST, 'rtmedia-thumbnail', FILTER_SANITIZE_STRING );
$rtmedia_thumbnail = transcoder_filter_input( INPUT_POST, 'rtmedia-thumbnail', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$id = ( ! empty( $post['ID'] ) && 0 < intval( $post['ID'] ) ) ? intval( $post['ID'] ) : 0;

if ( isset( $rtmedia_thumbnail ) ) {
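Review bot: In `save_video_thumbnail`, `rtmedia-thumbnail` is now entity-encoded by FILTER_SANITIZE_FULL_SPECIAL_CHARS before whatever happens to it below the hunk, so if the value is a URL or path any `&` in it will be persisted as `&#38;` and break when the stored value is fetched or emitted as a `src`; a URL should instead be validated with `esc_url_raw()` / `FILTER_VALIDATE_URL`, and ideally checked against the thumbnails already recorded for `$id` (the `_rt_media_thumbnails` meta seen in rt-retranscode-admin.php) rather than accepted as arbitrary input. `isset( $rtmedia_thumbnail )` on a variable that was just assigned only guards against `null`; `if ( ! empty( $rtmedia_thumbnail ) && $id > 0 )` states the intent and rejects the `0` attachment id the line above falls back to. No nonce or capability check appears in the visible lines and the function body continues past the hunk, so confirm the attachment-edit nonce is verified before the meta is written.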
17 changes: 6 additions & 11 deletions admin/rt-transcoder-functions.php
Expand Up @@ -165,7 +165,6 @@ function rt_media_get_video_thumbnail( $attachment_id ) {
}

return false;

}

/**
Expand Down Expand Up @@ -204,7 +203,6 @@ function rtt_get_media_url( $attachment_id, $media_type = 'mp4' ) {
}

return $final_file_url;

}

if ( ! function_exists( 'rtt_update_activity_after_thumb_set' ) ) {
Expand Down Expand Up @@ -460,7 +458,7 @@ function rtt_bp_get_activity_content( $content, $activity = null ) {
}
// If media is sent to the transcoder then show the message.
if ( is_file_being_transcoded( $media->media_id ) ) {
if ( current_user_can( 'administrator' ) && '1' === get_option( 'rtt_client_check_status_button', false ) ) {
if ( current_user_can( 'manage_options' ) && '1' === get_option( 'rtt_client_check_status_button', false ) ) {

$check_button_text = __( 'Check Status', 'transcoder' );

Expand Down Expand Up @@ -706,7 +704,6 @@ function rtt_add_status_columns_head( $defaults ) {

$defaults['convert_status'] = __( 'Transcode Status', 'transcoder' );
return $defaults;

}

add_filter( 'manage_media_columns', 'rtt_add_status_columns_head' );
Expand Down Expand Up @@ -765,7 +762,6 @@ function rtt_status_column_register_sortable( $columns ) {

$columns['convert_status'] = 'convert_status';
return $columns;

}

add_filter( 'manage_upload_sortable_columns', 'rtt_status_column_register_sortable' );
Expand All @@ -778,11 +774,11 @@ function rtt_status_column_register_sortable( $columns ) {
*/
function rtt_enqueue_scripts() {

if ( current_user_can( 'administrator' ) ) {
if ( current_user_can( 'manage_options' ) ) {
wp_register_script( 'rt_transcoder_js', plugins_url( 'js/rt-transcoder.min.js', __FILE__ ), array(), RT_TRANSCODER_VERSION, false );

$translation_array = array(
'load_flag' => current_user_can( 'administrator' ),
'load_flag' => true,
'security_nonce' => esc_js( wp_create_nonce( 'check-transcoding-status-ajax-nonce' ) ),
);

Expand Down Expand Up @@ -859,7 +855,6 @@ function rtt_ajax_process_check_status_request() {
}

wp_die();

}

// Action added to handle check_status onclick request.
Expand Down Expand Up @@ -916,7 +911,7 @@ function rtt_add_transcoding_process_status_button_single_media_page( $rtmedia_i

if ( is_file_being_transcoded( $post_id ) ) {

if ( current_user_can( 'administrator' ) && '1' === get_option( 'rtt_client_check_status_button', false ) ) {
if ( current_user_can( 'manage_options' ) && '1' === get_option( 'rtt_client_check_status_button', false ) ) {
$message = sprintf(
'<div class="transcoding-in-progress"><button id="btn_check_status%1$s" class="btn_check_transcode_status" name="check_status_btn" data-value="%1$s">%2$s</button> <div class="transcode_status_box" id="span_status%1$s">%3$s</div></div>',
esc_attr( $post_id ),
Expand Down Expand Up @@ -988,7 +983,7 @@ function rtt_filter_single_media_page_video_markup( $html, $rtmedia_media ) {
* @param int $attachment_id ID of attachment.
* @param string $autoformat If true then generating thumbs only else trancode video.
*/
function rtt_media_update_usage( $wp_metadata, $attachment_id, $autoformat = true ) {
function rtt_media_update_usage( $wp_metadata, $attachment_id, $autoformat = true ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.FoundAfterLastUsed

$stored_key = get_site_option( 'rt-transcoding-api-key' );
$transient_flag = get_transient( 'rtt_usage_update_flag' );
Expand Down Expand Up @@ -1018,7 +1013,7 @@ function rtt_media_update_usage( $wp_metadata, $attachment_id, $autoformat = tru
*
* @return string Filtered value if supports.
*/
function get_server_var( $server_key, $filter_type = FILTER_SANITIZE_STRING ) {
function get_server_var( $server_key, $filter_type = FILTER_SANITIZE_FULL_SPECIAL_CHARS ) {
$server_val = '';
if ( function_exists( 'filter_input' ) && filter_has_var( INPUT_SERVER, $server_key ) ) {
$server_val = transcoder_filter_input( INPUT_SERVER, $server_key, $filter_type );
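Review bot: `get_server_var` now entity-encodes every `$_SERVER` value read with its default filter, because FILTER_SANITIZE_FULL_SPECIAL_CHARS turns `&` and `"` into `&#38;` and `&#34;`; for keys like REQUEST_URI or QUERY_STRING that silently changes any URL rebuilt or compared from the result (the callers are outside this hunk). Choose the filter per key rather than a blanket default: `FILTER_SANITIZE_URL` for URI-like keys, `FILTER_VALIDATE_INT` for SERVER_PORT, and keep `esc_url()` / `esc_html()` at the point of output. A docblock line would make the new behaviour explicit: `* Note: with the default filter the returned value is HTML-entity encoded; pass a specific filter for URLs and ports.` The switch from the `administrator` role to the `manage_options` capability elsewhere in this file is the right direction, since `current_user_can()` is meant to take capabilities, and `load_flag => true` inside that guarded branch is consistent with it.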
40 changes: 20 additions & 20 deletions admin/rt-transcoder-handler.php
Expand Up @@ -464,9 +464,9 @@ public function usage_quota_over() {
* @since 1.0.0
*/
public function save_api_key() {
$is_api_key_updated = transcoder_filter_input( INPUT_GET, 'api-key-updated', FILTER_SANITIZE_STRING );
$is_invalid_license_key = transcoder_filter_input( INPUT_GET, 'invalid-license-key', FILTER_SANITIZE_STRING );
$is_localhost = transcoder_filter_input( INPUT_GET, 'need-public-host', FILTER_SANITIZE_STRING );
$is_api_key_updated = transcoder_filter_input( INPUT_GET, 'api-key-updated', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$is_invalid_license_key = transcoder_filter_input( INPUT_GET, 'invalid-license-key', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$is_localhost = transcoder_filter_input( INPUT_GET, 'need-public-host', FILTER_SANITIZE_FULL_SPECIAL_CHARS );

if ( $is_api_key_updated ) {
if ( is_multisite() ) {
Expand Down Expand Up @@ -588,7 +588,7 @@ public function successfully_subscribed_notice() {
<div class="updated">
<p>
<?php
$api_key_updated = transcoder_filter_input( INPUT_GET, 'api-key-updated', FILTER_SANITIZE_STRING );
$api_key_updated = transcoder_filter_input( INPUT_GET, 'api-key-updated', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
printf(
wp_kses(
__( 'You have successfully subscribed.', 'transcoder' ),
Expand Down Expand Up @@ -1115,12 +1115,12 @@ public function get_post_id_by_meta_key_and_value( $key, $value ) {
public function handle_callback() {
require_once ABSPATH . 'wp-admin/includes/image.php';

$job_id = transcoder_filter_input( INPUT_POST, 'job_id', FILTER_SANITIZE_STRING );
$file_status = transcoder_filter_input( INPUT_POST, 'file_status', FILTER_SANITIZE_STRING );
$error_msg = transcoder_filter_input( INPUT_POST, 'error_msg', FILTER_SANITIZE_STRING );
$job_for = transcoder_filter_input( INPUT_POST, 'job_for', FILTER_SANITIZE_STRING );
$thumbnail = transcoder_filter_input( INPUT_POST, 'thumbnail', FILTER_SANITIZE_STRING );
$format = transcoder_filter_input( INPUT_POST, 'format', FILTER_SANITIZE_STRING );
$job_id = transcoder_filter_input( INPUT_POST, 'job_id', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$file_status = transcoder_filter_input( INPUT_POST, 'file_status', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$error_msg = transcoder_filter_input( INPUT_POST, 'error_msg', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$job_for = transcoder_filter_input( INPUT_POST, 'job_for', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$thumbnail = transcoder_filter_input( INPUT_POST, 'thumbnail', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$format = transcoder_filter_input( INPUT_POST, 'format', FILTER_SANITIZE_FULL_SPECIAL_CHARS );

if ( ! empty( $job_id ) && ! empty( $file_status ) && ( 'error' === $file_status ) ) {
$this->nofity_transcoding_failed( $job_id, $error_msg );
Expand Down Expand Up @@ -1183,7 +1183,7 @@ public function handle_callback() {
} else {

// To check if request is sumitted from the WP Job Manager plugin ( https://wordpress.org/plugins/wp-job-manager/ ).
$job_manager_form = transcoder_filter_input( INPUT_POST, 'job_manager_form', FILTER_SANITIZE_STRING );
$job_manager_form = transcoder_filter_input( INPUT_POST, 'job_manager_form', FILTER_SANITIZE_FULL_SPECIAL_CHARS );

if ( isset( $job_id ) && ! empty( $job_id ) && class_exists( 'RTDBModel' ) && empty( $job_manager_form ) ) {

Expand Down Expand Up @@ -1281,7 +1281,7 @@ public function hide_transcoding_notice() {
* @since 1.0
*/
public function enter_api_key() {
$apikey = transcoder_filter_input( INPUT_GET, 'apikey', FILTER_SANITIZE_STRING );
$apikey = transcoder_filter_input( INPUT_GET, 'apikey', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
if ( ! empty( $apikey ) ) {
echo wp_json_encode( array( 'apikey' => $apikey ) );
} else {
Expand Down Expand Up @@ -1641,16 +1641,16 @@ private function filter_transcoder_response() {
$post_var = $_POST; // phpcs:ignore WordPress.Security.NonceVerification.Missing

$filter_post_args = array(
'job_id' => FILTER_SANITIZE_STRING,
'job_type' => FILTER_SANITIZE_STRING,
'job_for' => FILTER_SANITIZE_STRING,
'format' => FILTER_SANITIZE_STRING,
'job_id' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
'job_type' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
'job_for' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
'format' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
'download_url' => FILTER_SANITIZE_URL,
'file_name' => FILTER_SANITIZE_STRING,
'file_name' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
'thumb_count' => FILTER_SANITIZE_NUMBER_INT,
'status' => FILTER_SANITIZE_STRING,
'error_msg' => FILTER_SANITIZE_STRING,
'error_code' => FILTER_SANITIZE_STRING,
'status' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
'error_msg' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
'error_code' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
);

$post_array = filter_input_array( INPUT_POST, $filter_post_args );
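Review bot: In `filter_transcoder_response`, FILTER_SANITIZE_FULL_SPECIAL_CHARS on `file_name` does not neutralise path separators or `..`, since that filter only entity-encodes `<>&"'`, so a callback-supplied name could still traverse directories if it is later joined onto an upload path (the consumer is outside this hunk); run it through `sanitize_file_name( basename( $post_array['file_name'] ) )` before use. Likewise `download_url` is only passed through FILTER_SANITIZE_URL, which strips disallowed characters but accepts any scheme or host; if the plugin fetches that URL server-side, validate it with `FILTER_VALIDATE_URL`, require an https scheme, and compare the host against the configured transcoder API host to avoid SSRF. The `handle_callback` hunk above shows no check that `job_id` belongs to a job this site submitted (the `get_post_id_by_meta_key_and_value` helper in the hunk header suggests such a lookup exists), so confirm that lookup and any shared-secret verification run before `nofity_transcoding_failed()` acts on a caller-controlled `$error_msg`.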
2 changes: 1 addition & 1 deletion inc/helpers/custom-functions.php
Expand Up @@ -38,7 +38,7 @@ function transcoder_filter_input( $type, $variable_name, $filter = FILTER_DEFAUL
* Code is not running on PHP Cli and we are in clear.
* Use the PHP method and bail out.
*/
if ( ! empty( $sanitized_variable ) && FILTER_SANITIZE_STRING === $filter ) {
if ( ! empty( $sanitized_variable ) && FILTER_SANITIZE_FULL_SPECIAL_CHARS === $filter ) {
$sanitized_variable = sanitize_text_field( $sanitized_variable );
}

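Review bot: Callers of `transcoder_filter_input` that pass FILTER_SANITIZE_FULL_SPECIAL_CHARS now get back a value that is both HTML-entity encoded and `sanitize_text_field()`-stripped, which is the wrong shape for anything stored or used as a URL, file name or identifier; the `handle_callback` hunk in rt-transcoder-handler.php sends `job_id`, `thumbnail` and `format` through exactly this path. Document the contract in the function docblock so callers pick the filter deliberately: `* With FILTER_SANITIZE_FULL_SPECIAL_CHARS the result is entity-encoded and run through sanitize_text_field(); use a specific filter (FILTER_VALIDATE_URL, FILTER_SANITIZE_NUMBER_INT) for URLs, file names and IDs.` The comment immediately above the branch still speaks of "PHP Cli" and "bail out", which no longer describes what this step does; the function starts above the hunk and the comment is cut, so check the full text before rewording it. The `! empty()` guard also skips the string `'0'`, harmless for this branch but worth noting if a zero ID can legitimately arrive here.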