diff --git a/WordPress/Sniffs/Security/NonceVerificationSniff.php b/WordPress/Sniffs/Security/NonceVerificationSniff.php
index 024114732..06b941fc7 100644
--- a/WordPress/Sniffs/Security/NonceVerificationSniff.php
+++ b/WordPress/Sniffs/Security/NonceVerificationSniff.php
@@ -309,8 +309,10 @@ private function has_nonce_check( $stackPtr, array $cache_keys, $allow_nonce_aft
 continue;
 }
 
+ $content_lc = \strtolower( $this->tokens[ $i ]['content'] );
+
 // If this is one of the nonce verification functions, we can bail out.
- if ( isset( $this->nonceVerificationFunctions[ $this->tokens[ $i ]['content'] ] ) ) {
+ if ( isset( $this->nonceVerificationFunctions[ $content_lc ] ) ) {
 /*
 * Now, make sure it is a call to a global function.
 */
@@ -416,6 +418,8 @@ protected function mergeFunctionLists() {
 $this->nonceVerificationFunctions
 );
 
+ $this->nonceVerificationFunctions = array_change_key_case( $this->nonceVerificationFunctions );
+
 $this->addedCustomNonceFunctions = $this->customNonceVerificationFunctions;
 }
 }
diff --git a/WordPress/Tests/Security/NonceVerificationUnitTest.1.inc b/WordPress/Tests/Security/NonceVerificationUnitTest.1.inc
index f9f98799f..aee51ae39 100644
--- a/WordPress/Tests/Security/NonceVerificationUnitTest.1.inc
+++ b/WordPress/Tests/Security/NonceVerificationUnitTest.1.inc
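Review bot: The new `$content_lc` lookup is only correct because the keys of `$this->nonceVerificationFunctions` are lowercased elsewhere (the `array_change_key_case()` call in mergeFunctionLists(), the second hunk of this file), and nothing on this line records that dependency; I would add `// Function names are case-insensitive in PHP; the list keys are lowercased in mergeFunctionLists(), so normalise the token the same way before the lookup.` above it. One caveat to confirm rather than a defect in the hunk: the engine resolves function names ASCII-case-insensitively, which matches `strtolower()` on PHP 8.2+, but on earlier PHP versions `strtolower()` and `array_change_key_case()` both follow the active LC_CTYPE locale, so the `déjà_vu` / `dÉjÀ_vu` fixtures in the test file are worth running on the oldest supported PHP unless the runner is known to pin the locale to `C`. has_nonce_check() starts and ends outside this hunk.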
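Review bot: The added `array_change_key_case( ... )` call in mergeFunctionLists() is unqualified while the first hunk of this file writes `\strtolower( ... )` fully qualified; inside a namespaced file the unqualified form is resolved against the namespace first, so for consistency with the sibling hunk use `$this->nonceVerificationFunctions = \array_change_key_case( $this->nonceVerificationFunctions );`. The default mode is `CASE_LOWER`, which is what has_nonce_check() relies on, so a short comment such as `// Normalise keys to lower case so the lookup in has_nonce_check() is case-insensitive.` would tie the two sides together. If any other code path populates `$this->nonceVerificationFunctions` without going through this method, those keys would need to be lower case already; that cannot be seen from the hunk. mergeFunctionLists() starts outside this hunk.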
@@ -486,3 +486,41 @@ enum MyEnum {
 echo $_POST['foo']; // OK.
 }
 }
+
+// Good, has a nonce check. Ensure the check is case-insensitive as function names are case-insensitive in PHP.
+function ajax_process() {
+ CHECK_AJAX_REFERER( 'something' );
+
+ update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
+}
+
+// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[] MIXED_case_NAME
+function non_ascii_characters() {
+ MIXED_case_NAME( $_POST['something'] ); // Passing $_POST to ensure the sniff bails correctly for variables inside the nonce verification function.
+
+ update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
+}
+// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[]
+
+/*
+ * Test case handling of non-ASCII characters in function names.
+ */
+// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[] déjà_vu
+function same_function_same_case() {
+ déjà_vu( 'something' ); // Ok.
+
+ update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
+}
+
+function same_function_different_case() {
+ DéJà_VU( 'something' ); // Ok.
+
+ update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
+}
+
+function different_function_name() {
+ dÉjÀ_vu( 'something' ); // Bad, dÉjÀ_vu() and déjà_vu() are NOT the same function.
+
+ update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
+}
+// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[]
diff --git a/WordPress/Tests/Security/NonceVerificationUnitTest.php b/WordPress/Tests/Security/NonceVerificationUnitTest.php
index edb18099c..aa5e832e8 100644
--- a/WordPress/Tests/Security/NonceVerificationUnitTest.php
+++ b/WordPress/Tests/Security/NonceVerificationUnitTest.php
@@ -74,6 +74,7 @@ public function getErrorList( $testFile = '' ) {
 453 => 1,
 470 => 1,
 478 => 1,
+ 524 => 2,
 );
 
 case 'NonceVerificationUnitTest.2.inc':
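Review bot: The fixture function `non_ascii_characters()` is misnamed: it exercises a mixed-ASCII-case custom nonce function (`MIXED_case_NAME`), while the non-ASCII scenarios are the three `déjà_vu` functions that follow under their own comment block, so a failure in it would point a reader at the wrong case; rename it along the lines of `function custom_function_mixed_case() {`. The `// phpcs:set ...` line before it registers the custom function but does not say what is being asserted; `// Good, custom nonce function registered in mixed case; the lookup must be case-insensitive.` would make the intent explicit. Minor: the new `// Ok.` markers differ from the `// OK.` spelling used by the context line above, if the fixture follows a convention there.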