Skip to content

Security/NonceVerification: handle function names case correctly #2572

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
+44 −1
Open

Security/NonceVerification: handle function names case correctly #2572

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
61bbbd1
Security/NonceVerification: handle function names case correctly
rodrigoprimo Aug 12, 2025
f9c4005
Ensure sniff handles custom nonce verification functions case correctly
rodrigoprimo Sep 3, 2025
7ee8af7
Add tests safeguarding that non-ANSCII characters are handled correct…
rodrigoprimo Sep 3, 2025
c7b00e0
Normalize `nonceVerificationFunctions` instead of `customNonceVerific…
rodrigoprimo Sep 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion WordPress/Sniffs/Security/NonceVerificationSniff.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -309,8 +309,10 @@ private function has_nonce_check( $stackPtr, array $cache_keys, $allow_nonce_aft
continue;
}

$content_lc = \strtolower( $this->tokens[ $i ]['content'] );

// If this is one of the nonce verification functions, we can bail out.
if ( isset( $this->nonceVerificationFunctions[ $this->tokens[ $i ]['content'] ] ) ) {
if ( isset( $this->nonceVerificationFunctions[ $content_lc ] ) ) {
/*
* Now, make sure it is a call to a global function.
*/
Expand Down Expand Up @@ -411,6 +413,8 @@ private function set_cache( $filename, $start, $end, $nonce ) {
*/
protected function mergeFunctionLists() {
if ( $this->customNonceVerificationFunctions !== $this->addedCustomNonceFunctions ) {
$this->customNonceVerificationFunctions = array_map( 'strtolower', $this->customNonceVerificationFunctions );

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you changing the user-provided value ? instead of changing the merge result $this->nonceVerificationFunctions ?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had in my mind that the user-provided value is the only one that required change, and that is why I opted to change it. After seeing your question, I imagine you are suggesting changing $this->nonceVerificationFunctions to ensure the sniff behaves correctly if, in the future, a new function is added to this property without all lowercase letters, and also to ensure it behaves correctly for sniffs extending this one. Is that the case?

I went ahead and pushed a new commit changing $this->nonceVerificationFunctions instead of $this->customNonceVerificationFunctions.

$this->nonceVerificationFunctions = RulesetPropertyHelper::merge_custom_array(
$this->customNonceVerificationFunctions,
$this->nonceVerificationFunctions
Expand Down
38 changes: 38 additions & 0 deletions WordPress/Tests/Security/NonceVerificationUnitTest.1.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -486,3 +486,41 @@ enum MyEnum {
echo $_POST['foo']; // OK.
}
}

// Good, has a nonce check. Ensure the check is case-insensitive as function names are case-insensitive in PHP.
function ajax_process() {
CHECK_AJAX_REFERER( 'something' );

update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
}

// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[] MIXED_case_NAME
function non_ascii_characters() {
MIXED_case_NAME( $_POST['something'] ); // Passing $_POST to ensure the sniff bails correctly for variables inside the nonce verification function.

update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
}
// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[]

/*
* Test case handling of non-ASCII characters in function names.
*/
// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[] déjà_vu
function same_function_same_case() {
déjà_vu( 'something' ); // Ok.

update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
}

function same_function_different_case() {
DéJà_VU( 'something' ); // Ok.

update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
}

function different_function_name() {
dÉjÀ_vu( 'something' ); // Bad, dÉjÀ_vu() and déjà_vu() are NOT the same function.

update_post_meta( (int) $_POST['id'], 'a_key', $_POST['a_value'] );
}
// phpcs:set WordPress.Security.NonceVerification customNonceVerificationFunctions[]
1 change: 1 addition & 0 deletions WordPress/Tests/Security/NonceVerificationUnitTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ public function getErrorList( $testFile = '' ) {
453 => 1,
470 => 1,
478 => 1,
524 => 2,
);

case 'NonceVerificationUnitTest.2.inc':
Expand Down
Loading