/** * Check if the call back trigger is set - if so do the work. */ public static function plugin_trigger_check() { if (intval(get_query_var(self::PLUGIN_TRIGGER)) == 1) { // Check the nonce is valid, try to stop people attacking the site. if (!check_admin_referer(self::RESPONSE_NONCE_ACTION, self::RESPONSE_NONCE_QUERYFIELD)) { exit; } // Send `204 No Content` status code http_response_code(204); // Get the raw POST data $data = file_get_contents('php://input'); // Receives: // {"csp-report": // {"blocked-uri":"http://storagewest.localhost.com/wp-content/uploads/2014/10/testimonial-3.png", // "document-uri":"http://storagewest.localhost.com/", // "original-policy":"default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; font-src 'none'; frame-src 'none'; object-src 'none'; connect-src 'none'; report-uri http://storagewest.localhost.com/wp-content/plugins/wp-content-security-policy/includes/receiveCSPviol.php", // "referrer":"", // "violated-directive":"img-src 'none'"} // } // Only continue if it’s valid JSON that is not just `null`, `0`, `false` or an // empty string, i.e. if it could be a CSP violation report. if ($CSPViolation = json_decode($data, true)) { wpCSPclass::LogPolicyViolation($CSPViolation); } exit; } }
/** * checks the URL checker, see if its reading the ignored URLs correctly. */ private static function TestURLChecker() { $return = array(); // Testing various ways of checking for errors in option arrays // array( BlockedURI, OptionString, ExpectedTestResult ) // where BlockedURI is emulating the issue we received from the browser. // and OptionString is emulating the options entered by the user. // ExpectedTestResult is what we expect to receive back from the routine. // True indicates the routine should find a match, and false not a match. $TestArray = array(array('data:', 'data:', true), array('http:', 'http:', true), array('https:', 'https:', true), array('data:', 'http:', false), array('data:', 'https:', false), array('http:', 'data:', false), array('https:', 'data:', false), array('data:urlencoded 64 dsdsdsddsd', 'data:', true), array('http://www.example.com', 'http:', true), array('https://www.example.com', 'https:', true), array('data:urlencoded 64 dsdsdsddsd', 'http:', false), array('http://www.example.com', 'https:', false), array('https://www.example.com', 'data:', false), array(site_url(), "'self'", true), array(site_url(), "data:", false), array(site_url(), "http://www.example.com", false), array(site_url(), "https://www.example.com", false), array(site_url(), "www.example.com", false), array(site_url(), "*.example.com", false), array('http://www.example.com', "http://www.example.com", true), array('http://www.example.com', "https://www.example.com", false), array('www.example.com', "https://www.example.com", false), array('www.example.com', "http://www.example.com", false), array('www.example.com', "www.example.com", true), array('http://www.example.com/test/url', "http://www.example.com", true), array('http://www.example.com/test/url', "https://www.example.com", false), array('http://www.example.com/test/url', "www.example.com", true), array('www.example.com/test/url', "https://www.example.com", false), array('www.example.com/test/url', "http://www.example.com", false), array('www.example.com/test/url', "www.example.com", true), array('http://www.example.com', "www.example.com", true), array('http://www.example.com', "*.example.com", true), array('https://www.example.com', "www.example.com", true), array('https://www.example.com', "*.example.com", true), array('ssss://www.example.com', "www.example.com", true), array('ssss://www.example.com', "*.example.com", true), array('http://www.example.com', "*example.com", false), array('https://www.example.com', "*example.com", false), array('ssss://www.example.com', "*example.com", false), array('http://www.example.com', ".example.com", false), array('https://www.example.com', ".example.com", false), array('ssss://www.example.com', ".example.com", false), array('http://www.example.com', "example.com", false), array('https://www.example.com', "example.com", false), array('ssss://www.example.com', "example.com", false), array('http://www.example.com/test/url', "www.example.com", true), array('http://www.example.com/test/url', "*.example.com", true), array('https://www.example.com/test/url', "www.example.com", true), array('https://www.example.com/test/url', "*.example.com", true), array('ssss://www.example.com/test/url', "www.example.com", true), array('ssss://www.example.com/test/url', "*.example.com", true), array('http://www.example.com/test/url', "*example.com", false), array('https://www.example.com/test/url', "*example.com", false), array('ssss://www.example.com/test/url', "*example.com", false), array('http://www.example.com/test/url', ".example.com", false), array('https://www.example.com/test/url', ".example.com", false), array('ssss://www.example.com/test/url', ".example.com", false), array('http://www.example.com/test/url', "example.com", false), array('https://www.example.com/test/url', "example.com", false), array('ssss://www.example.com/test/url', "example.com", false), array('http://www.example.com', "www.notexample.com", false), array('http://www.example.com', "*.notexample.com", false), array('https://www.example.com', "www.notexample.com", false), array('https://www.example.com', "*.notexample.com", false), array('ssss://www.example.com', "www.notexample.com", false), array('ssss://www.example.com', "*.notexample.com", false), array('http://www.example.com/path/to/file/', "*.notexample.com", false), array('https://www.example.com/path/to/file/', "www.notexample.com", false), array('http://www.example.com/path/to/file/', "*.example.com", true), array('https://www.example.com/path/to/file/', "www.example.com", true), array('http://www.example.com/path/to/file/', "*.example.com/path/", false), array('https://www.example.com/path/to/file/', "www.example.com/path/", false), array('http://www.example.com/path/to/file/', "*.example.com/path/to", false), array('https://www.example.com/path/to/file/', "www.example.com/path/to", false), array('http://www.example.com/path/to/file/', "*.example.com/path/to/file/", true), array('https://www.example.com/path/to/file/', "www.example.com/path/to/file/", true), array('http://www.example.com/path/to/file/thefile.php', "*.notexample.com", false), array('https://www.example.com/path/to/file/thefile.php', "www.notexample.com", false), array('http://www.example.com/path/to/file/thefile.php', "*.example.com", true), array('https://www.example.com/path/to/file/thefile.php', "www.example.com", true), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com", true), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/", false), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/", false), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/", false), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to", false), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to", false), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to", false), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to/file/", true), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to/file/", true), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to/file/", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/to/file/", true), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to/file/thefile.php", true), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to/file/thefile.php", true), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to/file/thefile.php", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/to/file/thefile.php", true), array('', "*.notexample.com", false), array('', "", false), array('http://www.example.com', "", false), array('http://www.example.com', "none", false), array('http://www.example.com', "'none'", false), array("'none'", "'none'", false), array('data:urlencoded 64 dsdsdsddsd', '*', false), array('http://www.example.com', '*', true), array('https://www.example.com', '*', true)); foreach ($TestArray as $Test) { $return[] = "------------ Starting test:" . print_r($Test, true); $ret = wpCSPclass::IsURIInOptionString($Test[0], $Test[1]); if ($ret !== $Test[2]) { $return[] = "****** failed test:" . print_r($Test, true); $return[] = "returned:" . print_r($ret, true); break; } } // Test end to end including logging. $CSPViolation = array('csp-report' => array('effective-directive' => 'img-src', 'blocked-uri' => 'http://b.wallyworld.zzzz')); if (wpCSPclass::LogPolicyViolation($CSPViolation) === false) { $return[] = "Should be logging b.wallyworld.zzzz as it is not blocked by ignored urls<br>\n ;"; } $return[] = "Finished tests with no issues.<br>\n"; return "<li>" . implode("</li><li>", $return) . "</li>"; }