Add Vaptcha support to the forgot-password page and the registration page; fix Vaptcha becoming unusable when the IP lookup returns multiple proxy IPs from x_forwarded_for #1332
xuanmou wants to merge 4 commits into mirai-mamori:preview from
This PR has had no activity for 45 days and will be marked as stale. Remove the stale label or leave a comment, otherwise it will be closed within 10 days.
Pull request overview
This PR extends Vaptcha CAPTCHA support to the forgot password and registration pages, and fixes an issue where the get_the_user_ip() function was failing with multiple proxy IPs in the X-Forwarded-For header.
Key changes:
- Added Vaptcha initialization hooks to registration and forgot password forms
- Implemented validation functions for Vaptcha on registration and password reset flows
- Modified IP extraction logic to handle comma-separated proxy IP lists
| } | ||
| if ($response->success === 0) { | ||
| $errorcode = $response->msg; | ||
| return new WP_Error('prooffail', '<strong>错误</strong>:非法数据' . $errorcode); |
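Review bot: `$errorcode` is taken from the verification server's `msg` field and concatenated into an HTML error string without escaping; because the message is rendered as markup (the `<strong>` tag is intentional), wrap the remote value as `esc_html($errorcode)` so that only the site's own markup is interpreted. The same concatenation appears in the other `非法数据` branches of this PR and should get the same treatment.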
Missing space before concatenation operator. The error message should be '<strong>错误</strong>:非法数据' . $errorcode with spaces around the . operator for better readability and consistency with PHP coding standards.
| } | ||
| add_filter('authenticate', 'checkVaptchaAction', 20, 3); | ||
|
|
||
| function Vaptcha_lostpassword_CHECK($errors) |
Function name should follow the codebase naming convention. Change Vaptcha_lostpassword_CHECK to vaptcha_lostpassword_check to match the style used by similar functions like lostpassword_CHECK, turnstile_lostpassword_check, and other captcha verification functions in this file.
| function Vaptcha_lostpassword_CHECK($errors) | |
| function vaptcha_lostpassword_check($errors) |
| } | ||
| if (!(isset($_POST['vaptcha_server']) && isset($_POST['vaptcha_token']))) | ||
| { | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:请先进行人机验证'); |
Trailing space after error code identifier 'invalid_vaptcha '. Remove the trailing space to make it 'invalid_vaptcha' for consistency.
| } | ||
| if (!preg_match('/^https:\/\/([\w-]+\.)+[\w-]*([^<>=?\"\'])*$/', $_POST['vaptcha_server']) || !preg_match('/^[\w\-\$]+$/', $_POST['vaptcha_token'])) | ||
| { | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:非法数据'); |
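Review bot: the regex on `$_POST['vaptcha_server']` only constrains the value's shape (any `https://` host followed by characters other than `<>=?"'`), so it accepts an arbitrary HTTPS origin supplied by the client. If this value is the endpoint the verification request is sent to, compare it against the Vaptcha verification host(s) the integration actually expects (an allow-list of hosts) instead of relying on a shape check; the `vaptcha_token` pattern can stay as a secondary format check.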
Trailing space after error code identifier 'invalid_vaptcha '. Remove the trailing space to make it 'invalid_vaptcha' for consistency.
| $errorcode = $response->msg; | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:非法数据' . $errorcode); | ||
| } | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:人机验证失败'); |
Trailing space after error code identifier 'invalid_vaptcha '. Remove the trailing space to make it 'invalid_vaptcha' for consistency.
| } | ||
| add_action('lostpassword_post', 'Vaptcha_lostpassword_CHECK'); | ||
|
|
||
| function Vaptcha_registration_CHECK($errors, $sanitized_user_login, $user_email) |
Function name should follow the codebase naming convention. Change Vaptcha_registration_CHECK to vaptcha_registration_check to match the style used by similar functions like registration_CAPTCHA_CHECK, turnstile_registration_check, and other captcha verification functions in this file.
| function Vaptcha_registration_CHECK($errors, $sanitized_user_login, $user_email) | |
| function vaptcha_registration_check($errors, $sanitized_user_login, $user_email) |
| { | ||
| if (empty($_POST)) | ||
| { | ||
| return false; |
The function returns false when $_POST is empty, but this is inconsistent with the expected return type. The lostpassword_post action expects an $errors object to be returned, not false. This should return $errors directly to maintain consistency with the Turnstile implementation (line 3524) which returns $errors for similar conditions.
| return false; | |
| return $errors; |
| } | ||
| if ($response->success === 0) { | ||
| $errorcode = $response->msg; | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:非法数据' . $errorcode); |
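Review bot: `WP_Error::add()` has no return value, so `return $errors->add(...)` makes the function return null. This hunk follows `Vaptcha_registration_CHECK`, which is registered on the `registration_errors` filter; a filter callback must return the `WP_Error` object, and returning null leaves the caller without an object to call `has_errors()` on. In every failure branch call `$errors->add(...)` on its own line and then `return $errors;`. (For `Vaptcha_lostpassword_CHECK` on the `lostpassword_post` action the return value is discarded, so only the filter callback is affected.)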
Trailing space after error code identifier 'invalid_vaptcha '. Remove the trailing space to make it 'invalid_vaptcha' for consistency.
| $ip2 = explode('|', str_replace(',', '|', $ip)); | ||
| return apply_filters('wpb_get_ip', trim($ip2[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 |
The delimiter handling uses pipe character | but HTTP_X_FORWARDED_FOR typically uses commas (,) as separators, not pipes. The str_replace(',', '|', $ip) converts commas to pipes and then explodes on pipes, which is unnecessarily convoluted. Consider simplifying to: $ip_array = explode(',', $ip); return apply_filters('wpb_get_ip', trim($ip_array[0]));
| $ip2 = explode('|', str_replace(',', '|', $ip)); | |
| return apply_filters('wpb_get_ip', trim($ip2[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 | |
| $ip_array = explode(',', $ip); | |
| return apply_filters('wpb_get_ip', trim($ip_array[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 |
| $ip = $_SERVER['HTTP_CLIENT_IP'] ?? $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']; | ||
| return apply_filters('wpb_get_ip', $ip); | ||
| $ip2 = explode('|', str_replace(',', '|', $ip)); | ||
| return apply_filters('wpb_get_ip', trim($ip2[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 |
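Review bot: the `??` chain prefers `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` over `REMOTE_ADDR`, and the new lines then take `$ip2[0]`, the leftmost entry. Both headers are set by whoever sends the request, and the leftmost `X-Forwarded-For` entry is the one the original client wrote; the entry appended by the site's own reverse proxy is the rightmost one. Since this address is what gets sent to the Vaptcha verification, honour the forwarded header only when `REMOTE_ADDR` is one of the site's known proxies, use the entry that proxy appended, and otherwise keep `REMOTE_ADDR` as the source of the client IP.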
The function assumes HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR always contain valid IP addresses, but these headers can be spoofed by clients. While this PR fixes the issue of multiple proxy IPs, consider adding validation to ensure the extracted IP is actually a valid IP address using filter_var($ip, FILTER_VALIDATE_IP) before returning it.
| return apply_filters('wpb_get_ip', trim($ip2[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 | |
| $user_ip = trim($ip2[0]); | |
| if (!filter_var($user_ip, FILTER_VALIDATE_IP)) { | |
| $user_ip = ''; | |
| } | |
| return apply_filters('wpb_get_ip', $user_ip); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 |
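Review bot: falling back to `$user_ip = ''` when `filter_var` rejects the value hands an empty IP to the verifier, while `$_SERVER['REMOTE_ADDR']` (already last in the `??` chain above) is always present and always a valid address; fall back to `REMOTE_ADDR` rather than to an empty string. Note also that `FILTER_VALIDATE_IP` checks syntax only; it does not make a client-supplied header value trustworthy.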
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 21 comments.
| if (!preg_match('/^https:\/\/([\w-]+\.)+[\w-]*([^<>=?\"\'])*$/', $_POST['vaptcha_server']) || !preg_match('/^[\w\-\$]+$/', $_POST['vaptcha_token'])) | ||
| { |
Inconsistent brace style: The opening brace is on a new line, which is inconsistent with the coding style used elsewhere in this file. The brace should be on the same line as the if statement for consistency.
| if (!preg_match('/^https:\/\/([\w-]+\.)+[\w-]*([^<>=?\"\'])*$/', $_POST['vaptcha_server']) || !preg_match('/^[\w\-\$]+$/', $_POST['vaptcha_token'])) | ||
| { |
Inconsistent brace style: The opening brace is on a new line, which is inconsistent with the coding style used elsewhere in this file. The brace should be on the same line as the if statement for consistency.
| } | ||
| if ($response->success === 0) { | ||
| $errorcode = $response->msg; | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:非法数据' . $errorcode); |
Missing space after error message concatenation. There should be a space between '非法数据' and the error code to improve readability. Consider changing this to '错误:非法数据: ' . $errorcode to add proper spacing.
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:非法数据' . $errorcode); | |
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:非法数据: ' . $errorcode); |
| } | ||
| if (!(isset($_POST['vaptcha_server']) && isset($_POST['vaptcha_token']))) | ||
| { | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:请先进行人机验证'); |
The error code key has a trailing space ('invalid_vaptcha ') which is inconsistent with WordPress conventions and the pattern used in other parts of the code. This should be 'invalid_vaptcha' without the trailing space for consistency.
| $errorcode = $response->msg; | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:非法数据' . $errorcode); | ||
| } | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:人机验证失败'); |
The error code key has a trailing space ('invalid_vaptcha ') which is inconsistent with WordPress conventions. This should be 'invalid_vaptcha' without the trailing space for consistency.
| function Vaptcha_lostpassword_CHECK($errors) | ||
| { | ||
| if (empty($_POST)) | ||
| { | ||
| return false; | ||
| } |
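Review bot: `lostpassword_post` is an action hook, so the `return false` here (and any other return value from this function) is discarded by `do_action()`; the function's only effect is what it adds to the shared `$errors` object. Returning early on an empty `$_POST` is fine, but a bare `return;` states that intent more clearly than `false`, which reads as a result nobody reads.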
Missing REQUEST_METHOD check. The turnstile implementation checks if $_SERVER['REQUEST_METHOD'] !== 'POST' and returns early. This function should follow the same pattern to avoid processing on non-POST requests.
| $ip2 = explode('|', str_replace(',', '|', $ip)); | ||
| return apply_filters('wpb_get_ip', trim($ip2[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 |
Potential undefined array index: The code accesses $ip2[0] without checking if the array is empty. If $ip is an empty string or contains only delimiters, $ip2[0] might not exist, resulting in a PHP warning. Add a check to ensure the array is not empty before accessing the first element.
| if (empty($_POST)) | ||
| { |
Inconsistent brace style: The opening brace is on a new line, which is inconsistent with the coding style used elsewhere in this file. The brace should be on the same line as the if statement for consistency.
| } else if (is_string($response)) { | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:' . $response); | ||
| } | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:未知错误'); |
The error code key has a trailing space ('invalid_vaptcha ') which is inconsistent with WordPress conventions. This should be 'invalid_vaptcha' without the trailing space for consistency.
| function Vaptcha_registration_CHECK($errors, $sanitized_user_login, $user_email) | ||
| { | ||
| if (empty($_POST)) | ||
| { | ||
| return new WP_Error(); | ||
| } |
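Review bot: `return new WP_Error();` on an empty `$_POST` replaces the `$errors` object that `registration_errors` passed in, discarding every error that earlier callbacks on the same filter have already added. Return the `$errors` argument unchanged instead, so that the early exit is a no-op for the rest of the filter chain.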
Missing REQUEST_METHOD check. The turnstile implementation checks if $_SERVER['REQUEST_METHOD'] !== 'POST' and returns early. This function should follow the same pattern to avoid processing on non-POST requests.
No description provided.