Contact Form: Defensive coding against bad hash (#20923)

Automattic · Feb 3, 2022 · 8e0dff0 · 8e0dff0
1 parent ff3ce45
commit 8e0dff0
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/projects/plugins/jetpack/changelog/fix-wporg-warning b/projects/plugins/jetpack/changelog/fix-wporg-warning
@@ -0,0 +1,4 @@
+Significance: patch
+Type: bugfix
+
+Contact Form: ensure form validation uses the correct variable types.
diff --git a/projects/plugins/jetpack/modules/contact-form/grunion-contact-form.php b/projects/plugins/jetpack/modules/contact-form/grunion-contact-form.php
@@ -510,13 +510,17 @@ function unread_count( $screen ) {
 	 *
 	 * Conditionally attached to `template_redirect`
 	 */
-	function process_form_submission() {
-		// Add a filter to replace tokens in the subject field with sanitized field values
+	public function process_form_submission() {
+		// Add a filter to replace tokens in the subject field with sanitized field values.
 		add_filter( 'contact_form_subject', array( $this, 'replace_tokens_with_input' ), 10, 2 );
 
-		$id   = stripslashes( $_POST['contact-form-id'] );
-		$hash = isset( $_POST['contact-form-hash'] ) ? $_POST['contact-form-hash'] : '';
+		// phpcs:disable WordPress.Security.NonceVerification.Missing
+		$id   = isset( $_POST['contact-form-id'] ) ? wp_unslash( $_POST['contact-form-id'] ) : null;
+		$id   = is_string( $id ) ? $id : null;
+		$hash = isset( $_POST['contact-form-hash'] ) ? wp_unslash( $_POST['contact-form-hash'] ) : null;
+		$hash = is_string( $hash ) ? $hash : null;
 		$hash = preg_replace( '/[^\da-f]/i', '', $hash );
+		// phpcs:enable
 
 		if ( ! is_string( $id ) || ! is_string( $hash ) ) {
 			return false;
@@ -2532,13 +2536,13 @@ static function parse_contact_field( $attributes, $content ) {
 			$form->fields[] = $field;
 		}
 
-		if (
+		if ( // phpcs:disable WordPress.Security.NonceVerification.Missing
 			isset( $_POST['action'] ) && 'grunion-contact-form' === $_POST['action']
 			&&
 			isset( $_POST['contact-form-id'] ) && $form->get_attribute( 'id' ) == $_POST['contact-form-id']
 			&&
-			isset( $_POST['contact-form-hash'] ) && hash_equals( $form->hash, $_POST['contact-form-hash'] )
-		) {
+			isset( $_POST['contact-form-hash'] ) && is_string( $_POST['contact-form-hash'] ) && hash_equals( $form->hash, $_POST['contact-form-hash'] )
+		) { // phpcs:enable
 			// If we're processing a POST submission for this contact form, validate the field value so we can show errors as necessary.
 			$field->validate();
 		}