From b674db854394e688732535628ef5f4587b24c8b6 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Tue, 23 Apr 2024 09:25:38 -0700
Subject: [PATCH 1/5] Use plugin slug exclusively for plugin install

---
 includes/admin/load.php | 21 ++++++++++++++-------
 includes/admin/plugins.php | 1 -
 phpstan.neon.dist | 1 +
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/includes/admin/load.php b/includes/admin/load.php
index d4a12608dc..cc050b42da 100644
--- a/includes/admin/load.php
+++ b/includes/admin/load.php
@@ -234,6 +234,7 @@ function perflab_enqueue_features_page_scripts() {
 function perflab_install_activate_plugin_callback() {
  check_admin_referer( 'perflab_install_activate_plugin' );
 
+ require_once ABSPATH . 'wp-admin/includes/plugin.php';
  require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
  require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
  require_once ABSPATH . 'wp-admin/includes/class-wp-ajax-upgrader-skin.php';
@@ -241,14 +242,22 @@ function perflab_install_activate_plugin_callback() {
  if ( ! isset( $_GET['slug'] ) ) {
  wp_die( esc_html__( 'Missing required parameter.', 'performance-lab' ) );
  }
-
- $plugin_slug = sanitize_text_field( wp_unslash( $_GET['slug'] ) );
-
- if ( ! $plugin_slug ) {
+ $all_plugin_slugs = json_decode( file_get_contents( PERFLAB_PLUGIN_DIR_PATH . 'plugins.json' ), true )['plugins']; // phpcs:ignore WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents
+ $plugin_slug = sanitize_text_field( wp_unslash( $_GET['slug'] ) );
+ if ( ! in_array( $plugin_slug, $all_plugin_slugs, true ) ) {
  wp_die( esc_html__( 'Invalid plugin.', 'performance-lab' ) );
  }
 
- $is_plugin_installed = isset( $_GET['file'] ) && $_GET['file'];
+ // Check if installed and determine the plugin basename.
+ $is_plugin_installed = false;
+ $plugin_basename = null;
+ foreach ( array_keys( get_plugins() ) as $plugin_file ) {
+ if ( strtok( $plugin_file, '/' ) === $plugin_slug ) {
+ $is_plugin_installed = true;
+ $plugin_basename = $plugin_file; // TODO: The variable name "$plugin_basename" seems misleading. To follow core convention, it should be "$plugin_file", right?
+ break;
+ }
+ }
 
  // Install the plugin if it is not installed yet.
  if ( ! $is_plugin_installed ) {
@@ -294,8 +303,6 @@ function perflab_install_activate_plugin_callback() {
 
  $plugin_file_names = array_keys( $plugins );
  $plugin_basename = $plugin_slug . '/' . $plugin_file_names[0];
- } else {
- $plugin_basename = sanitize_text_field( wp_unslash( $_GET['file'] ) );
  }
 
  if ( ! current_user_can( 'activate_plugin', $plugin_basename ) ) {
diff --git a/includes/admin/plugins.php b/includes/admin/plugins.php
index 1721cf4192..5436cbf5bf 100644
--- a/includes/admin/plugins.php
+++ b/includes/admin/plugins.php
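Review bot: The `foreach` over `get_plugins()` stops at the first entry whose top-level directory equals `$plugin_slug`, and the install branch in the next hunk takes `$plugin_file_names[0]`; both silently assume each standalone plugin directory contains exactly one file carrying a plugin header, and that file is what `current_user_can( 'activate_plugin', ... )` and `activate_plugin()` later receive. If a plugin directory ever ships a second header-bearing file, the match order of `get_plugins()` would decide which file gets activated, so the assumption should be stated where the loop is introduced, e.g. `// Assumes each standalone plugin directory contains exactly one plugin file; the first match wins.` The enclosing function starts before this hunk and continues after it.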
@@ -174,7 +174,6 @@ function perflab_render_plugin_card( array $plugin_data ) {
  'action' => 'perflab_install_activate_plugin',
  '_wpnonce' => wp_create_nonce( 'perflab_install_activate_plugin' ),
  'slug' => $plugin_data['slug'],
- 'file' => $status['file'],
  ),
  admin_url( 'options-general.php' )
  )
diff --git a/phpstan.neon.dist b/phpstan.neon.dist
index 438a769caf..67a966e4d2 100644
--- a/phpstan.neon.dist
+++ b/phpstan.neon.dist
@@ -8,6 +8,7 @@ parameters:
  - plugins/
  - tests/
  bootstrapFiles:
+ - load.php
  - plugins/speculation-rules/load.php
  - plugins/webp-uploads/load.php
  scanDirectories:

From 04b132d99896bf21e0f7ef4297203c09cc40e895 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Tue, 23 Apr 2024 09:27:05 -0700
Subject: [PATCH 2/5] Use plugin_file instead of misleading plugin_baseame

---
 includes/admin/load.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/includes/admin/load.php b/includes/admin/load.php
index cc050b42da..d566331a1f 100644
--- a/includes/admin/load.php
+++ b/includes/admin/load.php
@@ -250,11 +250,11 @@ function perflab_install_activate_plugin_callback() {
 
  // Check if installed and determine the plugin basename.
  $is_plugin_installed = false;
- $plugin_basename = null;
- foreach ( array_keys( get_plugins() ) as $plugin_file ) {
- if ( strtok( $plugin_file, '/' ) === $plugin_slug ) {
+ $plugin_file = null;
+ foreach ( array_keys( get_plugins() ) as $installed_plugin_file ) {
+ if ( strtok( $installed_plugin_file, '/' ) === $plugin_slug ) {
  $is_plugin_installed = true;
- $plugin_basename = $plugin_file; // TODO: The variable name "$plugin_basename" seems misleading. To follow core convention, it should be "$plugin_file", right?
+ $plugin_file = $installed_plugin_file;
  break;
  }
  }
@@ -302,14 +302,14 @@ function perflab_install_activate_plugin_callback() {
  }
 
  $plugin_file_names = array_keys( $plugins );
- $plugin_basename = $plugin_slug . '/' . $plugin_file_names[0];
+ $plugin_file = $plugin_slug . '/' . $plugin_file_names[0];
  }
 
- if ( ! current_user_can( 'activate_plugin', $plugin_basename ) ) {
+ if ( ! current_user_can( 'activate_plugin', $plugin_file ) ) {
  wp_die( esc_html__( 'Sorry, you are not allowed to activate this plugin.', 'default' ) );
  }
 
- $result = activate_plugin( $plugin_basename );
+ $result = activate_plugin( $plugin_file );
  if ( is_wp_error( $result ) ) {
  wp_die( esc_html( $result->get_error_message() ) );
  }

From 6700d944be7f7794b877b43d779da9a485f25293 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Tue, 23 Apr 2024 09:33:42 -0700
Subject: [PATCH 3/5] Remove redundant variable and add comments

---
 includes/admin/load.php | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/includes/admin/load.php b/includes/admin/load.php
index d566331a1f..55ae6b0b24 100644
--- a/includes/admin/load.php
+++ b/includes/admin/load.php
@@ -248,19 +248,18 @@ function perflab_install_activate_plugin_callback() {
  wp_die( esc_html__( 'Invalid plugin.', 'performance-lab' ) );
  }
 
- // Check if installed and determine the plugin basename.
- $is_plugin_installed = false;
- $plugin_file = null;
+ // Check if plugin (by slug) is installed by obtaining the plugin file.
+ // Remember a plugin file typically looks like "{slug}/load.php" or "{slug}/{slug}.php".
+ $plugin_file = null;
  foreach ( array_keys( get_plugins() ) as $installed_plugin_file ) {
  if ( strtok( $installed_plugin_file, '/' ) === $plugin_slug ) {
- $is_plugin_installed = true;
- $plugin_file = $installed_plugin_file;
+ $plugin_file = $installed_plugin_file;
  break;
  }
  }
 
- // Install the plugin if it is not installed yet.
- if ( ! $is_plugin_installed ) {
+ // Install the plugin if it is not installed yet (in which case the plugin file could not be discovered above).
+ if ( ! isset( $plugin_file ) ) {
  // Check if the user have plugin installation capability.
  if ( ! current_user_can( 'install_plugins' ) ) {
  wp_die( esc_html__( 'Sorry, you are not allowed to install plugins on this site.', 'default' ) );

From 5b87e8536a718e285a2bcf68cc7c568eaa10c7f0 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Tue, 23 Apr 2024 09:43:36 -0700
Subject: [PATCH 4/5] Use perflab_get_standalone_plugin_data() instead of parsing plugins.json

---
 includes/admin/load.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/includes/admin/load.php b/includes/admin/load.php
index 55ae6b0b24..0bed1f0476 100644
--- a/includes/admin/load.php
+++ b/includes/admin/load.php
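Review bot: `if ( ! isset( $plugin_file ) )` tests a variable that is unconditionally initialised to `null` a few lines above, so `isset` is doing duty as a null check while reading like a "was this variable defined" check. Since the intent is "the loop found no installed plugin for this slug", `if ( null === $plugin_file ) {` states that directly and matches the strict comparisons used elsewhere in the hunk. The new comment's "typically looks like" also leaves open what happens when a directory holds more than one header-bearing file; the first match wins because of the `break`, and saying so in the comment would make the contract explicit. The enclosing function starts before this hunk and continues after it.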
@@ -242,7 +242,8 @@ function perflab_install_activate_plugin_callback() {
  if ( ! isset( $_GET['slug'] ) ) {
  wp_die( esc_html__( 'Missing required parameter.', 'performance-lab' ) );
  }
- $all_plugin_slugs = json_decode( file_get_contents( PERFLAB_PLUGIN_DIR_PATH . 'plugins.json' ), true )['plugins']; // phpcs:ignore WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents
+
+ $all_plugin_slugs = array_keys( perflab_get_standalone_plugin_data() );
  $plugin_slug = sanitize_text_field( wp_unslash( $_GET['slug'] ) );
  if ( ! in_array( $plugin_slug, $all_plugin_slugs, true ) ) {
  wp_die( esc_html__( 'Invalid plugin.', 'performance-lab' ) );

From efe9711ecd9d1e30426a9da678aadda3c85b32c3 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Tue, 23 Apr 2024 11:42:17 -0700
Subject: [PATCH 5/5] Reuse perflab_get_standalone_plugins()

---
 includes/admin/load.php | 5 ++---
 includes/admin/plugins.php | 4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/includes/admin/load.php b/includes/admin/load.php
index 0bed1f0476..3bc94bae91 100644
--- a/includes/admin/load.php
+++ b/includes/admin/load.php
@@ -243,9 +243,8 @@ function perflab_install_activate_plugin_callback() {
  wp_die( esc_html__( 'Missing required parameter.', 'performance-lab' ) );
  }
 
- $all_plugin_slugs = array_keys( perflab_get_standalone_plugin_data() );
- $plugin_slug = sanitize_text_field( wp_unslash( $_GET['slug'] ) );
- if ( ! in_array( $plugin_slug, $all_plugin_slugs, true ) ) {
+ $plugin_slug = sanitize_text_field( wp_unslash( $_GET['slug'] ) );
+ if ( ! in_array( $plugin_slug, perflab_get_standalone_plugins(), true ) ) {
  wp_die( esc_html__( 'Invalid plugin.', 'performance-lab' ) );
  }
 
diff --git a/includes/admin/plugins.php b/includes/admin/plugins.php
index 5436cbf5bf..6269ebd0fe 100644
--- a/includes/admin/plugins.php
+++ b/includes/admin/plugins.php
@@ -53,9 +53,9 @@ function perflab_query_plugin_info( string $plugin_slug ) {
  *
  * @since 2.8.0
  *
- * @return array List of WPP standalone plugins as slugs.
+ * @return string[] List of WPP standalone plugins as slugs.
  */
-function perflab_get_standalone_plugins() {
+function perflab_get_standalone_plugins(): array {
  return array_keys( perflab_get_standalone_plugin_data() );