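 /**
  * Handle the CSP report endpoint when the plugin trigger query var is set.
  *
  * Runs on every request and does nothing unless the PLUGIN_TRIGGER query
  * var equals 1. When it does, the request is treated as a browser CSP
  * violation report: the nonce is verified, a `204 No Content` status is
  * sent, the raw POST body is decoded as JSON and, only if it decodes to a
  * non-empty array, handed to wpCSPclass::LogPolicyViolation(). The request
  * always ends with exit once the trigger has matched.
  *
  * @return void
  */
 public static function plugin_trigger_check()
 {
     // intval() always yields an int, so a strict comparison is safe here.
     if (intval(get_query_var(self::PLUGIN_TRIGGER)) !== 1) {
         return;
     }
     // Check the nonce is valid, try to stop people attacking the site.
     // check_admin_referer() normally dies itself on a bad nonce; the exit
     // is a safety net should it ever return false instead.
     if (!check_admin_referer(self::RESPONSE_NONCE_ACTION, self::RESPONSE_NONCE_QUERYFIELD)) {
         exit;
     }
     // Send `204 No Content` status code: a report response carries no body.
     http_response_code(204);
     // Get the raw POST data. NOTE(review): the body is read without a size
     // cap; the only bound is PHP's own post_max_size.
     $data = file_get_contents('php://input');
     // Receives:
     // {"csp-report":
     // 		{"blocked-uri":"http://storagewest.localhost.com/wp-content/uploads/2014/10/testimonial-3.png",
     // 		"document-uri":"http://storagewest.localhost.com/",
     // 		"original-policy":"default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; font-src 'none'; frame-src 'none'; object-src 'none'; connect-src 'none'; report-uri http://storagewest.localhost.com/wp-content/plugins/wp-content-security-policy/includes/receiveCSPviol.php",
     // 		"referrer":"",
     // 		"violated-directive":"img-src 'none'"}
     // }
     // Only continue if the body decodes to a non-empty array, i.e. if it
     // could be a CSP violation report. A plain truthiness test would also
     // let a valid scalar JSON document such as `42` or `"x"` through to
     // LogPolicyViolation(), which is given an array everywhere else.
     // Invalid JSON is silently dropped on purpose: the browser never
     // looks at the response, so there is nobody to report an error to.
     $CSPViolation = ($data === false) ? null : json_decode($data, true);
     if (is_array($CSPViolation) && $CSPViolation !== []) {
         wpCSPclass::LogPolicyViolation($CSPViolation);
     }
     exit;
 }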
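 /**
  * Self-test for the URL checker: verifies that
  * wpCSPclass::IsURIInOptionString() reads the ignored-URL option strings
  * correctly, then runs one end-to-end check through LogPolicyViolation().
  *
  * Each case is [BlockedURI, OptionString, ExpectedTestResult], where
  * BlockedURI emulates the value received from the browser, OptionString
  * emulates the option entered by the user, and ExpectedTestResult is what
  * the routine is expected to return (true = match, false = no match).
  * Checking stops at the first failing case so that it is the last entry
  * in the output.
  *
  * @return string The log as a run of `<li>` items; the final item says
  *                whether any issue was found.
  */
 private static function TestURLChecker()
 {
     $return = [];
     $failures = 0;
     // Testing various ways of checking for errors in option arrays
     $TestArray = [
         ['data:', 'data:', true],
         ['http:', 'http:', true],
         ['https:', 'https:', true],
         ['data:', 'http:', false],
         ['data:', 'https:', false],
         ['http:', 'data:', false],
         ['https:', 'data:', false],
         ['data:urlencoded 64 dsdsdsddsd', 'data:', true],
         ['http://www.example.com', 'http:', true],
         ['https://www.example.com', 'https:', true],
         ['data:urlencoded 64 dsdsdsddsd', 'http:', false],
         ['http://www.example.com', 'https:', false],
         ['https://www.example.com', 'data:', false],
         [site_url(), "'self'", true],
         [site_url(), "data:", false],
         [site_url(), "http://www.example.com", false],
         [site_url(), "https://www.example.com", false],
         [site_url(), "www.example.com", false],
         [site_url(), "*.example.com", false],
         ['http://www.example.com', "http://www.example.com", true],
         ['http://www.example.com', "https://www.example.com", false],
         ['www.example.com', "https://www.example.com", false],
         ['www.example.com', "http://www.example.com", false],
         ['www.example.com', "www.example.com", true],
         ['http://www.example.com/test/url', "http://www.example.com", true],
         ['http://www.example.com/test/url', "https://www.example.com", false],
         ['http://www.example.com/test/url', "www.example.com", true],
         ['www.example.com/test/url', "https://www.example.com", false],
         ['www.example.com/test/url', "http://www.example.com", false],
         ['www.example.com/test/url', "www.example.com", true],
         ['http://www.example.com', "www.example.com", true],
         ['http://www.example.com', "*.example.com", true],
         ['https://www.example.com', "www.example.com", true],
         ['https://www.example.com', "*.example.com", true],
         ['ssss://www.example.com', "www.example.com", true],
         ['ssss://www.example.com', "*.example.com", true],
         ['http://www.example.com', "*example.com", false],
         ['https://www.example.com', "*example.com", false],
         ['ssss://www.example.com', "*example.com", false],
         ['http://www.example.com', ".example.com", false],
         ['https://www.example.com', ".example.com", false],
         ['ssss://www.example.com', ".example.com", false],
         ['http://www.example.com', "example.com", false],
         ['https://www.example.com', "example.com", false],
         ['ssss://www.example.com', "example.com", false],
         ['http://www.example.com/test/url', "www.example.com", true],
         ['http://www.example.com/test/url', "*.example.com", true],
         ['https://www.example.com/test/url', "www.example.com", true],
         ['https://www.example.com/test/url', "*.example.com", true],
         ['ssss://www.example.com/test/url', "www.example.com", true],
         ['ssss://www.example.com/test/url', "*.example.com", true],
         ['http://www.example.com/test/url', "*example.com", false],
         ['https://www.example.com/test/url', "*example.com", false],
         ['ssss://www.example.com/test/url', "*example.com", false],
         ['http://www.example.com/test/url', ".example.com", false],
         ['https://www.example.com/test/url', ".example.com", false],
         ['ssss://www.example.com/test/url', ".example.com", false],
         ['http://www.example.com/test/url', "example.com", false],
         ['https://www.example.com/test/url', "example.com", false],
         ['ssss://www.example.com/test/url', "example.com", false],
         ['http://www.example.com', "www.notexample.com", false],
         ['http://www.example.com', "*.notexample.com", false],
         ['https://www.example.com', "www.notexample.com", false],
         ['https://www.example.com', "*.notexample.com", false],
         ['ssss://www.example.com', "www.notexample.com", false],
         ['ssss://www.example.com', "*.notexample.com", false],
         ['http://www.example.com/path/to/file/', "*.notexample.com", false],
         ['https://www.example.com/path/to/file/', "www.notexample.com", false],
         ['http://www.example.com/path/to/file/', "*.example.com", true],
         ['https://www.example.com/path/to/file/', "www.example.com", true],
         ['http://www.example.com/path/to/file/', "*.example.com/path/", false],
         ['https://www.example.com/path/to/file/', "www.example.com/path/", false],
         ['http://www.example.com/path/to/file/', "*.example.com/path/to", false],
         ['https://www.example.com/path/to/file/', "www.example.com/path/to", false],
         ['http://www.example.com/path/to/file/', "*.example.com/path/to/file/", true],
         ['https://www.example.com/path/to/file/', "www.example.com/path/to/file/", true],
         ['http://www.example.com/path/to/file/thefile.php', "*.notexample.com", false],
         ['https://www.example.com/path/to/file/thefile.php', "www.notexample.com", false],
         ['http://www.example.com/path/to/file/thefile.php', "*.example.com", true],
         ['https://www.example.com/path/to/file/thefile.php', "www.example.com", true],
         ['https://www.example.com/path/to/file/thefile.php', "http://www.example.com", false],
         ['https://www.example.com/path/to/file/thefile.php', "https://www.example.com", true],
         ['http://www.example.com/path/to/file/thefile.php', "*.example.com/path/", false],
         ['https://www.example.com/path/to/file/thefile.php', "www.example.com/path/", false],
         ['https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/", false],
         ['https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/", false],
         ['http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to", false],
         ['https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to", false],
         ['https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to", false],
         ['http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to/file/", true],
         ['https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to/file/", true],
         ['https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to/file/", false],
         ['https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/to/file/", true],
         ['http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to/file/thefile.php", true],
         ['https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to/file/thefile.php", true],
         ['https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to/file/thefile.php", false],
         ['https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/to/file/thefile.php", true],
         ['', "*.notexample.com", false],
         ['', "", false],
         ['http://www.example.com', "", false],
         ['http://www.example.com', "none", false],
         ['http://www.example.com', "'none'", false],
         ["'none'", "'none'", false],
         ['data:urlencoded 64 dsdsdsddsd', '*', false],
         ['http://www.example.com', '*', true],
         ['https://www.example.com', '*', true],
     ];
     foreach ($TestArray as $Test) {
         $return[] = "------------ Starting test:" . print_r($Test, true);
         $ret = wpCSPclass::IsURIInOptionString($Test[0], $Test[1]);
         if ($ret !== $Test[2]) {
             $failures++;
             $return[] = "****** failed test:" . print_r($Test, true);
             $return[] = "returned:" . print_r($ret, true);
             // Stop at the first failure so the offending case is easy to spot.
             break;
         }
     }
     // Test end to end including logging.
     $CSPViolation = ['csp-report' => ['effective-directive' => 'img-src', 'blocked-uri' => 'http://b.wallyworld.zzzz']];
     if (wpCSPclass::LogPolicyViolation($CSPViolation) === false) {
         $failures++;
         $return[] = "Should be logging b.wallyworld.zzzz as it is not blocked by ignored urls<br>\n ;";
     }
     // Previously "no issues" was reported unconditionally, even after a
     // failed case; only say so when nothing above failed.
     $return[] = ($failures === 0)
         ? "Finished tests with no issues.<br>\n"
         : "Finished tests with {$failures} issue(s), see above.<br>\n";
     return "<li>" . implode("</li><li>", $return) . "</li>";
 }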