Skip to content

Add verification checks against $_SERVER header/env reads. #2217

Description

@sybrew

Is your feature request related to a problem?

Following the widespread vulnerability of WooCommerce Payments, I tried testing the vulnerable code against WPCS -- but WPCS reported nothing.

if ( ! isset( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) || ! is_numeric( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) ) {
	return null;
}

return (int) $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'];

Describe the solution you'd like

I suggest adding a similar check that exists for $_POST: WordPress.Security.NonceVerification.Missing.

Additional context (optional)

  1. https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/
  2. I have a HackerOne report (ID 1906271) involving Automattic's software on this.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions