elindydotcom
commented
2 years ago Two things with this.
- Did we get all the tab files? I counted 23 in the tabs folder and 19 in the tabs-server folder. So 42 files total. The PR is only showing 29 changed files.
- Some of the files missed running array_map around the $args array for sanitization. Even though it might seem as if some of the array elements aren't being referenced in the tabs, they might still end up being passed to the script that merges them into the commands that get run on the server. And, programmers can extend the forms to add new fields and add new command line arguments without directly modifying the tab files. Which is why in most cases we tried to sanitize the whole array whether it was being directly used or not. A quick perusal of the PR show that the backup tabs and the domain/change-domain are some of the tabs that missed sanitization.
Once those two items are resolved I think we can test and merge.
vladolaru
This all started from using a AWS S3 secret key with '+' and '/' in it. This key didn't get saved properly and hence everything failed with relation to S3. It turned out this is a general issue with WPCD forms that pass their values through AJAX to be saved/deployed, etc.
I've applied URIEncode in JS to make sure the values are safe to be sent through URL queries. But this led to the necessity of proper decoding and sanitization on the PHP side since
sanitize_text_field()applied beforewp_parse_args()would strip away those URI encodings. The proper order is to:wp_unslash(), just to be safewp_parse_args()to split the query string into individual arguments (using the PHP coreparse_str()behind the scene)sanitize_text_field())