<?php // Sniff test fixture: every statement below is a case the $_SERVER key sniff must either flag or leave alone. Expected errors are keyed by line, so keep the line layout unchanged.
/*
* Not the sniff target: a different variable, so a flagged key name alone must not trigger.
*/
$otherVar = 'ignored';
$notSERVER['PHP_AUTH_USER']; // Same key, different variable.
$_server['PHP_AUTH_USER']; // Variable names are case-sensitive.
/*
* This is okay.
*/
var_dump($_SERVER); // No key access.
$_SERVER[] = 10; // Append without a key.
$_SERVER['SOME_OTHER_INDEX']; // Key is not in the flagged set.
$_SERVER['php_auth_user']; // Array indices are case-sensitive.
// PHP 7.4+ spread in array.
$a = [...$_SERVER]; // No key access.
// Ignore as undetermined.
$_SERVER[ $name ]; // Fully dynamic key.
$_SERVER["HTTP_X_{$a}"]; // Interpolated key.
$_SERVER['HTTP_X_' . $a]; // Concatenated key.
/*
* Bad variables. Should never happen in code; the sniff must flag every one of these.
*/
$_SERVER['PHP_AUTH_USER']; // NOTE(review): the flagged keys are presumably chosen because their values come from the client or a proxy; confirm against the sniff's documentation.
$_SERVER[ 'PHP_AUTH_PW' ]; // Whitespace inside the brackets must not hide the key.
$_SERVER [
'HTTP_X_IP_TRAIL'
]; // Key on its own line, whitespace before the bracket.
$_SERVER /*comment*/ [ /*comment*/ 'HTTP_X_FORWARDED_FOR' /*comment*/ ]; // Comments between the tokens.
$_SERVER["REMOTE_ADDR"]; // Let's test one with double quotes too.
/*
* Prevent various false positives.
*/
// These look like "forbidden" indices, but aren't.
$_SERVER['PHP_"AUTH"_PW']; // Embedded quotes make this a different key.
$_SERVER["PHP_'AUTH'_PW"];
// Sniff should not get confused over static OO property access.
class PeopleDoSillyThings extends AllowedByPHP {
public static $_SERVER = []; // A static property may legally be named $_SERVER; it is not the superglobal.
public function show() {
var_export(self::$_SERVER['PHP_AUTH_USER']); // Static property access, not the superglobal: must not be flagged.
var_export(parent :: $_SERVER['PHP_AUTH_PW']); // Whitespace around the scope operator.
var_export(static::$_SERVER['HTTP_X_FORWARDED_FOR']);
var_export(OtherClass::$_SERVER['HTTP_X_IP_TRAIL']); // Property on another class.
}
}
// Safeguard: the sniff looks at the access key for the $_SERVER variable only and doesn't walk too far.
echo $_SERVER[$other_key] . $NOT_SERVER['PHP_AUTH_PW']; // The flagged key belongs to the second variable, not to $_SERVER.
// Safeguard: the sniff doesn't get confused over partially dynamic keys.
echo $_SERVER[$other_key . 'PHP_AUTH_PW']; // Partially dynamic key; not a flagged access.
// Access of the array indices via the $GLOBALS superglobal should also be recognized.
$GLOBALS['NOT_SERVER']['PHP_AUTH_USER']; // OK.
$GLOBALS[$a]['PHP_AUTH_USER']; // OK.
$GLOBALS['_SERVER']['SOME_OTHER_KEY']; // OK.
$GLOBALS['_SERVER'][$a]; // OK.
$GLOBALS['_SERVER']['PHP_AUTH_USER']; // Bad: equivalent to $_SERVER['PHP_AUTH_USER'].
$GLOBALS['_SERVER']['PHP_AUTH_PW']; // Bad.
$GLOBALS["_SERVER"]['HTTP_X_IP_TRAIL']; // Bad: double-quoted superglobal name.
$GLOBALS['_SERVER']['HTTP_X_FORWARDED_FOR']; // Bad.
$GLOBALS['_SERVER']["REMOTE_ADDR"]; // Bad: double-quoted key.