
Commit 1efc0c6

committed
Check and sanitize $_SERVER items
Required by WordPress.Security lints.
1 parent d828910 commit 1efc0c6

1 file changed

Lines changed: 22 additions & 6 deletions


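--- a/src/URLHelper.php
+++ b/src/URLHelper.php
@@ -50,23 +50,39 @@ public static function normalize(
 }
 
 public static function isSecure(): bool {
-return ( ! empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' ) ||
-$_SERVER['SERVER_PORT'] === 443;
+if ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' ) {
+return true;
+}
+
+if ( isset( $_SERVER['SERVER_PORT'] ) && $_SERVER['SERVER_PORT'] === 443 ) {
+return true;
+}
+
+return false;
 }
 
 /**
 * Returns the current full URL including querystring
 */
 public static function getCurrent(): string {
+if ( ! isset( $_SERVER['HTTP_HOST'] ) ) {
+throw WsLog::ex( 'HTTP_HOST not set' );
+}
+
 $scheme = self::isSecure() ? 'https' : 'http';
-$url = $scheme . '://' . $_SERVER['HTTP_HOST'];
+$url = $scheme . '://' . sanitize_text_field( wp_unslash( $_SERVER['HTTP_HOST'] ) );
 
 // Only include port number if needed
-if ( ! in_array( $_SERVER['SERVER_PORT'], [ 80, 443 ], true ) ) {
-$url .= ':' . $_SERVER['SERVER_PORT'];
+if ( isset( $_SERVER['SERVER_PORT'] )
+&& ! in_array( $_SERVER['SERVER_PORT'], [ 80, 443 ], true ) ) {
+$url .= ':' . (int) $_SERVER['SERVER_PORT'];
+}
+
+if ( isset( $_SERVER['REQUEST_URI'] ) ) {
+$url = $url . sanitize_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );
 }
 
-return $url . $_SERVER['REQUEST_URI'];
+return $url;
 }
 
 /**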
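Review bot: `$_SERVER['SERVER_PORT'] === 443` on new line 57 and `in_array( $_SERVER['SERVER_PORT'], [ 80, 443 ], true )` on new line 77 compare against integers with strict semantics, but the web SAPIs populate `$_SERVER['SERVER_PORT']` as a string, so the port-based HTTPS fallback never fires and the port suffix is appended even for 80 and 443; the `(int)` cast on line 78 shows the string type is already known. Casting before comparing fixes both: `if ( isset( $_SERVER['SERVER_PORT'] ) && (int) $_SERVER['SERVER_PORT'] === 443 ) {` and `&& ! in_array( (int) $_SERVER['SERVER_PORT'], [ 80, 443 ], true ) ) {`. Switching the HTTPS test from `! empty` to `isset` on line 53 also makes an empty-string `HTTPS` count as secure, which looks unintended; delegating to WordPress core's `is_ssl()` would keep this aligned with the rest of the platform. Note also that `sanitize_text_field` on line 73 only strips tags, control characters and stray whitespace from `HTTP_HOST` — it does not establish that the value is this site's host, so the returned URL is still built from a client-supplied header; checking it against the host of `home_url()` before use would close that gap.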
