
Commit ff57ca4

committed
Sanitize input parameters and enhance file upload handling in dt-posts-endpoints.php. Improved security by sanitizing post type, ID, and meta key values. Added normalization for uploaded file metadata to prevent potential issues with file names and types. Updated file download headers to ensure safe handling of file names.
1 parent 1660d75 commit ff57ca4

1 file changed

Lines changed: 29 additions & 21 deletions


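--- a/dt-posts/dt-posts-endpoints.php
+++ b/dt-posts/dt-posts-endpoints.php
@@ -905,10 +905,10 @@ public function storage_upload( WP_REST_Request $request ) {
 return new WP_Error( __METHOD__, 'DT_Storage_API Unavailable.' );
 }
 
-$post_type = $params['post_type'];
-$post_id = $params['id'];
-$meta_key = $params['meta_key'];
-$key_prefix = $params['key_prefix'] ?? '';
+$post_type = sanitize_text_field( wp_unslash( $params['post_type'] ) );
+$post_id = absint( $params['id'] );
+$meta_key = sanitize_text_field( wp_unslash( $params['meta_key'] ) );
+$key_prefix = isset( $params['key_prefix'] ) ? sanitize_text_field( wp_unslash( $params['key_prefix'] ) ) : '';
 $files = dt_recursive_sanitize_array( $_FILES['storage_upload_files'] ); //phpcs:ignore WordPress.Security.NonceVerification.Missing
 
 // Determine storage upload requester type.
@@ -954,14 +954,21 @@ public function storage_upload( WP_REST_Request $request ) {
 
 for ( $i = 0; $i < $file_count; $i++ ) {
 $uploaded_file = [
-'name' => $files['name'][$i],
-'full_path' => $files['full_path'][$i] ?? '',
-'type' => $files['type'][$i],
-'tmp_name' => $files['tmp_name'][$i],
-'error' => $files['error'][$i],
-'size' => $files['size'][$i]
+'name' => $files['name'][ $i ],
+'full_path' => $files['full_path'][ $i ] ?? '',
+'type' => $files['type'][ $i ],
+'tmp_name' => $files['tmp_name'][ $i ],
+'error' => $files['error'][ $i ],
+'size' => $files['size'][ $i ],
 ];
 
+// Normalize basic metadata for safety.
+$safe_file_name = str_replace( [ "\r", "\n" ], '', (string) $uploaded_file['name'] );
+$safe_file_type = sanitize_mime_type( (string) $uploaded_file['type'] );
+if ( $safe_file_type === '' ) {
+$safe_file_type = (string) $uploaded_file['type'];
+}
+
 // For multi-file fields, don't reuse keys (always create new)
 $existing_key = $is_multi_file ? '' : $meta_key_value;
 
@@ -987,10 +994,10 @@ public function storage_upload( WP_REST_Request $request ) {
 
 // Build file object with metadata
 $file_object = [
-'key' => $uploaded_key,
-'name' => $uploaded_file['name'],
-'type' => $uploaded_file['type'],
-'size' => $uploaded_file['size'],
+'key' => $uploaded_key,
+'name' => $safe_file_name,
+'type' => $safe_file_type,
+'size' => $uploaded_file['size'],
 'uploaded_at' => current_time( 'mysql' ),
 ];
 
@@ -1014,10 +1021,10 @@ public function storage_upload( WP_REST_Request $request ) {
 }
 
 $uploaded_files[] = [
-'uploaded' => true,
+'uploaded' => true,
 'uploaded_key' => $uploaded_key,
-'file' => $file_object,
-'uploaded_msg' => null
+'file' => $file_object,
+'uploaded_msg' => null,
 ];
 }
 }
@@ -1155,9 +1162,9 @@ public function storage_delete_single( WP_REST_Request $request ) {
 return new WP_Error( __METHOD__, 'DT_Storage_API Delete Function Unavailable.' );
 }
 
-$post_type = $params['post_type'];
-$post_id = $params['id'];
-$meta_key = $params['meta_key'];
+$post_type = sanitize_text_field( wp_unslash( $params['post_type'] ) );
+$post_id = absint( $params['id'] );
+$meta_key = sanitize_text_field( wp_unslash( $params['meta_key'] ) );
 $file_key_to_delete = sanitize_text_field( wp_unslash( $params['file_key'] ) );
 
 // Fetch existing meta key value (should be an array for multi-file fields).
@@ -1512,7 +1519,8 @@ public function storage_download( WP_REST_Request $request ) {
 
 // Set headers for file download
 header( 'Content-Type: ' . $content_type );
-header( 'Content-Disposition: attachment; filename="' . esc_attr( $file_name ) . '"' );
+$download_name = str_replace( [ "\r", "\n" ], '', (string) $file_name );
+header( 'Content-Disposition: attachment; filename="' . $download_name . '"' );
 header( 'Content-Length: ' . strlen( $file_content ) );
 header( 'Cache-Control: no-cache, must-revalidate' );
 header( 'Pragma: no-cache' );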
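Review bot: The new Content-Disposition line in storage_download drops esc_attr() but only strips CR/LF, so a stored file name containing `"` or `\` now terminates the quoted filename and can rewrite the rest of the header value; PHP's header() already refuses CR/LF, so the replaced escaping was the only protection against quote breakout. Strip quotes and backslashes as well, reduce the value to a base name, and add an RFC 5987 parameter for non-ASCII names: `$download_name = str_replace( [ "\r", "\n", '"', '\\' ], '', basename( (string) $file_name ) );` followed by `header( 'Content-Disposition: attachment; filename="' . $download_name . '"; filename*=UTF-8\'\'' . rawurlencode( $download_name ) );`. Separately, in the storage_upload hunk the fallback `$safe_file_type = (string) $uploaded_file['type'];` when sanitize_mime_type() returns '' hands the raw, rejected value straight into $file_object, which defeats the normalization the comment announces; prefer a fixed default such as `'application/octet-stream'` or rejecting the upload. The bodies of storage_upload and storage_download both begin and end outside these hunks.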
