Validate callback URLs using a stored version

rmccue · rmccue · commit 7b32d2e527b8 · 2015-11-23T17:10:16.000+10:00
See #28
diff --git a/admin.php b/admin.php
@@ -105,6 +105,13 @@ function json_oauth_admin_validate_parameters( $params ) {
 	}
 	$valid['description'] = wp_filter_post_kses( $params['description'] );
 
+	if ( empty( $params['callback'] ) ) {
+		return new WP_Error( 'json_oauth_missing_description', __( 'Consumer callback is required and must be a valid URL.' ) );
+	}
+	if ( ! empty( $params['callback'] ) ) {
+		$valid['callback'] = $params['callback'];
+	}
+
 	return $valid;
 }
 
@@ -138,6 +145,9 @@ function json_oauth_admin_handle_edit_submit( $consumer ) {
 		$data = array(
 			'name' => $params['name'],
 			'description' => $params['description'],
+			'meta' => array(
+				'callback' => $params['callback'],
+			),
 		);
 		$consumer = $result = $authenticator->add_consumer( $data );
 	}
@@ -149,6 +159,7 @@ function json_oauth_admin_handle_edit_submit( $consumer ) {
 			'post_content' => $params['description'],
 		);
 		$result = wp_update_post( $data, true );
+		update_post_meta( $consumer->ID, 'callback', wp_slash( $params['callback'] ) );
 	}
 
 	if ( is_wp_error( $result ) ) {
@@ -201,13 +212,14 @@ function json_oauth_admin_edit_page() {
 	$data = array();
 
 	if ( empty( $consumer ) || ! empty( $_POST['_wpnonce'] ) ) {
-		foreach ( array( 'name', 'description' ) as $key ) {
+		foreach ( array( 'name', 'description', 'callback' ) as $key ) {
 			$data[ $key ] = empty( $_POST[ $key ] ) ? '' : wp_unslash( $_POST[ $key ] );
 		}
 	}
 	else {
 		$data['name'] = $consumer->post_title;
 		$data['description'] = $consumer->post_content;
+		$data['callback'] = $consumer->callback;
 	}
 
 	// Header time!
@@ -251,6 +263,17 @@ function json_oauth_admin_edit_page() {
 						cols="30" rows="5" style="width: 500px"><?php echo esc_textarea( $data['description'] ) ?></textarea>
 				</td>
 			</tr>
+			<tr>
+				<th scope="row">
+					<label for="oauth-callback"><?php echo esc_html_x( 'Callback', 'field name' ) ?></label>
+				</th>
+				<td>
+					<input type="text" class="regular-text"
+						name="callback" id="oauth-callback"
+						value="<?php echo esc_attr( $data['callback'] ) ?>" />
+					<p class="description"><?php echo esc_html( "Your application's callback URL. The callback passed with the request token must match the scheme, host, port, and path of this URL." ) ?></p>
+				</td>
+			</tr>
 
 			<?php if ( ! empty( $consumer ) ): ?>
 				<tr>
diff --git a/lib/class-wp-rest-oauth1-ui.php b/lib/class-wp-rest-oauth1-ui.php
@@ -152,8 +152,8 @@ public function handle_callback_redirect( $verifier ) {
 		$callback = $this->token['callback'];
 
 		// Ensure the URL is safe to access
-		$callback = wp_http_validate_url( $callback );
-		if ( empty( $callback ) ) {
+		$authenticator = new WP_REST_OAuth1();
+		if ( ! $authenticator->check_callback( $callback, $this->token['consumer'] ) ) {
 			return new WP_Error( 'json_oauth1_invalid_callback', __( 'The callback URL is invalid' ), array( 'status' => 400 ) );
 		}
 
diff --git a/lib/class-wp-rest-oauth1.php b/lib/class-wp-rest-oauth1.php
@@ -380,6 +380,12 @@ public function generate_request_token( $params ) {
 		);
 		$data = apply_filters( 'json_oauth1_request_token_data', $data );
 		add_option( 'oauth1_request_' . $key, $data, null, 'no' );
+		if ( ! empty( $params['oauth_callback'] ) ) {
+			$error = $this->set_request_token_callback( $key, $params['oauth_callback'] );
+			if ( $error ) {
+				return $error;
+			}
+		}
 
 		$data = array(
 			'oauth_token' => self::urlencode_rfc3986($key),
@@ -395,7 +401,8 @@ public function set_request_token_callback( $key, $callback ) {
 			return $token;
 		}
 
-		if ( esc_url_raw( $callback ) !== $callback ) {
+		$consumer = $token['consumer'];
+		if ( ! $this->validate_callback( $callback ) || ! $this->check_callback( $callback, $consumer ) ) {
 			return new WP_Error( 'json_oauth1_invalid_callback', __( 'Callback URL is invalid' ) );
 		}
 
@@ -404,6 +411,92 @@ public function set_request_token_callback( $key, $callback ) {
 		return $token['verifier'];
 	}
 
+	/**
+	 * Validate a callback URL.
+	 *
+	 * Based on {@see wp_http_validate_url}, but less restrictive around ports
+	 * and hosts. In particular, it allows any scheme, host or port rather than
+	 * just HTTP with standard ports.
+	 *
+	 * @param string $url URL for the callback.
+	 * @return bool True for a valid callback URL, false otherwise.
+	 */
+	protected function validate_callback( $url ) {
+		if ( strpos( $url, ':' ) === false ) {
+			return false;
+		}
+
+		$parsed_url = wp_parse_url( $url );
+		if ( ! $parsed_url || empty( $parsed_url['host'] ) )
+			return false;
+
+		if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
+			return false;
+
+		if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) )
+			return false;
+
+		return true;
+	}
+
+	/**
+	 * Check whether a callback is valid for a given consumer.
+	 *
+	 * @param string $url Supplied callback.
+	 * @param int|WP_Post $consumer_id Consumer post ID or object.
+	 * @return bool True if valid, false otherwise.
+	 */
+	public function check_callback( $url, $consumer_id ) {
+		$consumer = get_post( $consumer_id );
+		if ( empty( $consumer ) || $consumer->post_type !== 'json_consumer' || $consumer->type !== $this->type ) {
+			return false;
+		}
+
+		$registered = $consumer->callback;
+		if ( empty( $registered ) ) {
+			return false;
+		}
+
+		$registered = wp_parse_url( $registered );
+		$supplied = wp_parse_url( $url );
+
+		// Check all components except query and fragment
+		$parts = array( 'scheme', 'host', 'port', 'user', 'pass', 'path' );
+		$valid = true;
+		foreach ( $parts as $part ) {
+			if ( isset( $registered[ $part ] ) !== isset( $supplied[ $part ] ) ) {
+				$valid = false;
+				break;
+			}
+
+			if ( ! isset( $registered[ $part ] ) ) {
+				continue;
+			}
+
+			if ( $registered[ $part ] !== $supplied[ $part ] ) {
+				$valid = false;
+				break;
+			}
+		}
+
+		/**
+		 * Filter whether a callback is counted as valid.
+		 *
+		 * By default, the URLs must match scheme, host, port, user, pass, and
+		 * path. Query and fragment segments are allowed to be different.
+		 *
+		 * To change this behaviour, filter this value. Note that consumers must
+		 * have a callback registered, even if you relax this restruction. It is
+		 * highly recommended not to change this behaviour, as clients will
+		 * expect the same behaviour across all WP sites.
+		 *
+		 * @param boolean $valid True if the callback URL is valid, false otherwise.
+		 * @param string $url Supplied callback URL.
+		 * @param WP_Post $consumer Consumer post; stored callback saved as `consumer` meta value.
+		 */
+		return apply_filters( 'rest_oauth.check_callback', $valid, $url, $consumer );
+	}
+
 	/**
 	 * Authorize a request token
 	 *

Original file line number	Diff line number	Diff line change
`@@ -152,8 +152,8 @@ public function handle_callback_redirect( $verifier ) {`
`152`	`152`	`$callback = $this->token['callback'];`
`153`	`153`
`154`	`154`	`// Ensure the URL is safe to access`
`155`		`- $callback = wp_http_validate_url( $callback );`
`156`		`- if ( empty( $callback ) ) {`
	`155`	`+ $authenticator = new WP_REST_OAuth1();`
	`156`	`+ if ( ! $authenticator->check_callback( $callback, $this->token['consumer'] ) ) {`
`157`	`157`	`return new WP_Error( 'json_oauth1_invalid_callback', __( 'The callback URL is invalid' ), array( 'status' => 400 ) );`
`158`	`158`	`}`
`159`	`159`