Check nonces

This commit is contained in:
dinamiko 2022-10-20 15:48:29 +02:00
parent a18832371e
commit 2cc0f2378c
7 changed files with 10 additions and 4 deletions


@ -100,7 +100,7 @@ class SubscriptionModule implements ModuleInterface {
add_filter( add_filter(
'ppcp_create_order_request_body_data', 'ppcp_create_order_request_body_data',
function( array $data ) use ( $c ) { function( array $data ) use ( $c ) {
// phpcs:ignore WordPress.Security.NonceVerification.Missing) // phpcs:ignore WordPress.Security.NonceVerification.Missing
$wc_order_action = wc_clean( wp_unslash( $_POST['wc_order_action'] ?? '' ) ); $wc_order_action = wc_clean( wp_unslash( $_POST['wc_order_action'] ?? '' ) );
if ( if (
$wc_order_action === 'wcs_process_renewal' $wc_order_action === 'wcs_process_renewal'
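Review bot: The commit title says nonces are checked, but every hunk in this diff only adds or corrects a `phpcs:ignore`/`phpcs:disable` for WordPress.Security.NonceVerification; no `wp_verify_nonce()` or `check_admin_referer()` call is added, so the read of `$_POST['wc_order_action']` here stays unverified at this layer. If the suppression is deliberate because a caller further up already verifies (for this filter the WooCommerce order-save path would be the candidate, but that is not visible here), each ignore should state the reason so the next reader does not have to rediscover it, e.g. `// phpcs:ignore WordPress.Security.NonceVerification.Missing -- nonce verified by the caller before this filter runs`. The same bare suppression without a stated reason is added in the CustomerApprovalListener, VaultedCreditCardHandler, FraudNetSessionId, PayUponInvoice, PayUponInvoiceGateway and PaymentSourceFactory sections. The enclosing closure and its add_filter call continue outside the hunk.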


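--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -53,6 +53,7 @@ class CustomerApprovalListener {
  * @return void
  */
 public function listen(): void {
+// phpcs:ignore WordPress.Security.NonceVerification.Recommended
 $token = wc_clean( wp_unslash( $_GET['approval_token_id'] ?? '' ) );
 if ( ! $token ) {
 return;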
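Review bot: `if ( ! $token )` only rejects an empty token; because `wc_clean()` returns an array when handed one, a request carrying `approval_token_id[]=` passes this guard with an array in `$token`, and whatever listen() does with it further down (outside the hunk) would receive a non-string. A stricter guard is a one-line change: `if ( ! is_string( $token ) || '' === $token ) {`. The new ignore has no stated reason; if the token arrives on a redirect rather than from a form this site rendered, there is no nonce to check, and saying so — `// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- token arrives on a redirect, not from a site-rendered form` — records why the sniff is silenced here.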


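--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -144,6 +144,7 @@ class VaultedCreditCardHandler {
 WC_Order $wc_order
 ): WC_Order {
 if (
+// phpcs:ignore WordPress.Security.NonceVerification.Missing
 isset( $_POST['woocommerce_change_payment'] )
 && $this->subscription_helper->has_subscription( $wc_order->get_id() )
 && $this->subscription_helper->is_subscription_change_payment()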


@ -33,6 +33,7 @@ class FraudNetSessionId {
// phpcs:ignore WordPress.Security.NonceVerification.Recommended // phpcs:ignore WordPress.Security.NonceVerification.Recommended
if ( isset( $_GET['pay_for_order'] ) && 'true' === $_GET['pay_for_order'] ) { if ( isset( $_GET['pay_for_order'] ) && 'true' === $_GET['pay_for_order'] ) {
// phpcs:ignore WordPress.Security.NonceVerification.Missing
$pui_pay_for_order_session_id = wc_clean( wp_unslash( $_POST['pui_pay_for_order_session_id'] ?? '' ) ); $pui_pay_for_order_session_id = wc_clean( wp_unslash( $_POST['pui_pay_for_order_session_id'] ?? '' ) );
if ( $pui_pay_for_order_session_id && '' !== $pui_pay_for_order_session_id ) { if ( $pui_pay_for_order_session_id && '' !== $pui_pay_for_order_session_id ) {
return $pui_pay_for_order_session_id; return $pui_pay_for_order_session_id;


@ -425,6 +425,7 @@ class PayUponInvoice {
$errors->add( 'validation', __( 'Invalid birth date.', 'woocommerce-paypal-payments' ) ); $errors->add( 'validation', __( 'Invalid birth date.', 'woocommerce-paypal-payments' ) );
} }
// phpcs:ignore WordPress.Security.NonceVerification.Missing
$national_number = wc_clean( wp_unslash( $_POST['billing_phone'] ?? 0 ) ); $national_number = wc_clean( wp_unslash( $_POST['billing_phone'] ?? 0 ) );
if ( ! $national_number ) { if ( ! $national_number ) {
$errors->add( 'validation', __( 'Phone field cannot be empty.', 'woocommerce-paypal-payments' ) ); $errors->add( 'validation', __( 'Phone field cannot be empty.', 'woocommerce-paypal-payments' ) );
@ -530,7 +531,7 @@ class PayUponInvoice {
'add_meta_boxes', 'add_meta_boxes',
function( string $post_type ) { function( string $post_type ) {
if ( $post_type === 'shop_order' ) { if ( $post_type === 'shop_order' ) {
// phpcs:ignore WordPress.Security.NonceVerification.Missing // phpcs:ignore WordPress.Security.NonceVerification.Recommended
$post_id = wc_clean( wp_unslash( $_GET['post'] ?? 0 ) ); $post_id = wc_clean( wp_unslash( $_GET['post'] ?? 0 ) );
$order = wc_get_order( $post_id ); $order = wc_get_order( $post_id );
if ( is_a( $order, WC_Order::class ) && $order->get_payment_method() === PayUponInvoiceGateway::ID ) { if ( is_a( $order, WC_Order::class ) && $order->get_payment_method() === PayUponInvoiceGateway::ID ) {
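Review bot: The `add_meta_boxes` callback in the second hunk reads the order ID from `$_GET['post']` even though WordPress passes the post being edited as that action's second argument, so the superglobal read — and the suppression just corrected to Recommended — can go away by declaring `function( string $post_type, $post ) {` and using `$order = wc_get_order( $post->ID ?? 0 );`; the add_action call would then need to accept two arguments, and that call sits outside the hunk. If `$_GET['post']` is kept, `wc_clean()` returns an array for array input, so a `post[]=` query string hands an array to `wc_get_order()`; casting with `(int)` before the call closes that. In the first hunk `$_POST['billing_phone'] ?? 0` defaults a string field to integer 0 while the PaymentSourceFactory section defaults the same field to `''`; using one default keeps the two readers consistent.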


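--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -204,7 +204,8 @@ class PayUponInvoiceGateway extends WC_Payment_Gateway {
 public function process_payment( $order_id ) {
 $wc_order = wc_get_order( $order_id );
 // phpcs:disable WordPress.Security.NonceVerification.Missing
 $birth_date = wc_clean( wp_unslash( $_POST['billing_birth_date'] ?? '' ) );
+// phpcs:disable WordPress.Security.NonceVerification.Recommended
 $pay_for_order = wc_clean( wp_unslash( $_GET['pay_for_order'] ?? '' ) );
 if ( 'true' === $pay_for_order ) {
 if ( ! $this->checkout_helper->validate_birth_date( $birth_date ) ) {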
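Review bot: `phpcs:disable` is a region directive, not a one-line one: the two disable lines in process_payment switch both NonceVerification sniffs off from that point to the end of the file unless a matching `// phpcs:enable` follows, and none appears in the hunk (process_payment continues outside it), so any later unverified superglobal read in this class would go unreported. Only the two reads need suppressing, and the per-line form used in the other files of this commit is narrower: `// phpcs:ignore WordPress.Security.NonceVerification.Missing` above the `$birth_date` read and `// phpcs:ignore WordPress.Security.NonceVerification.Recommended` above the `$pay_for_order` read. Neither line states why verification is skipped; a short reason on each would help the next reader.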


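--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -24,7 +24,8 @@ class PaymentSourceFactory {
  * @return PaymentSource
  */
 public function from_wc_order( WC_Order $order, string $birth_date ) {
 $address = $order->get_address();
+// phpcs:ignore WordPress.Security.NonceVerification.Missing
 $phone = wc_clean( wp_unslash( $_POST['billing_phone'] ?? '' ) ) ?? $address['phone'] ?? '';
 $phone_country_code = WC()->countries->get_country_calling_code( $address['country'] );
 $phone_country_code = is_array( $phone_country_code ) && ! empty( $phone_country_code ) ? $phone_country_code[0] : $phone_country_code;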
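Review bot: The `?? $address['phone'] ?? ''` fallback on the `$phone` line is dead: `$_POST['billing_phone'] ?? ''` already yields `''` when the field is absent and `wc_clean()` returns that string rather than null, so the order's stored phone is never consulted. If the intent is to prefer the posted value and fall back to the order address when it is empty, `?:` expresses that: `$phone = wc_clean( wp_unslash( $_POST['billing_phone'] ?? '' ) ) ?: ( $address['phone'] ?? '' );`. Because `wc_clean()` returns an array for array input, a `billing_phone[]` form field also puts an array into `$phone`; an `is_string()` check before it is used keeps the phone handling on strings. from_wc_order continues past the hunk.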