From 649bf3bee5c23a38628ef3e304aa69b4ba4089ab Mon Sep 17 00:00:00 2001
From: Ben Marshall <ben.s.marshall@icloud.com>
Date: Thu, 7 Mar 2024 11:55:43 -0600
Subject: [PATCH] fix(cloudflare): fix for cloudflare caching spam detections

---
 core/class-access.php               | 50 ++++++++++++++++++++++++-----
 modules/comments/class-comments.php | 21 +++---------
 2 files changed, 46 insertions(+), 25 deletions(-)

diff --git a/core/class-access.php b/core/class-access.php
index 3640aea..ea2a56e 100644
--- a/core/class-access.php
+++ b/core/class-access.php
@@ -33,23 +33,59 @@ public function init() {
 		}
 	}
 
+	/**
+	 * Terminates execution with a custom error message and HTTP status code.
+	 *
+	 * Registers an action to prevent caching on error conditions by setting
+	 * appropriate HTTP headers before leveraging WordPress's wp_die() function
+	 * to produce an error page with a specified message, title, and HTTP status
+	 * code.
+	 *
+	 * @param string $title   The text to be used as the page title for the error message.
+	 *                        This content will be sanitized to remove unwanted HTML.
+	 * @param string $message The error message to display. This content will be escaped
+	 *                        to ensure only safe HTML is included.
+	 * @param int    $code    Optional. The HTTP status code to be sent in the header.
+	 *                        Defaults to 403 to indicate a Forbidden error.
+	 */
+	public static function die( $title, $message, $code = 403 ) {
+		header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
+		header( 'Cache-Control: post-check=0, pre-check=0', false );
+		header( 'Pragma: no-cache' );
+
+		wp_die(
+			wp_kses_post( $message ),
+			esc_html( $title ),
+			[
+				'response' => $code,
+			]
+		);
+	}
+
 	/**
 	 * Determines is security checks need to be triggers.
 	 *
 	 * @param boolean $ignore_ajax True if AJAX shouldn't be checked.
 	 */
 	public static function process( $ignore_ajax = false ) {
-		$user_ip  = \ZeroSpam\Core\User::get_ip();
+		if ( empty( $_SERVER['REQUEST_URI'] ) ) {
+			return false;
+		}
+
+		$user_ip = \ZeroSpam\Core\User::get_ip();
+
+		// Sanitize the REQUEST_URI before further processing.
+		$request_uri = esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
 
 		// Check for .ico requests.
-		$path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
+		$path = wp_parse_url( $request_uri, PHP_URL_PATH );
 		if ( substr( $path, -4 ) === '.ico' ) {
 			return false;
 		}
 
-		if ( $ignore_ajax && is_admin() || is_user_logged_in() || \ZeroSpam\Core\Utilities::is_whitelisted( $user_ip ) ) {
+		if ( ( $ignore_ajax && is_admin() ) || is_user_logged_in() || \ZeroSpam\Core\Utilities::is_whitelisted( $user_ip ) ) {
 			return false;
-		} elseif ( ! $ignore_ajax && ( is_admin() && ! wp_doing_ajax() ) || is_user_logged_in() ) {
+		} elseif ( ! $ignore_ajax && ( ( is_admin() && ! wp_doing_ajax() ) || is_user_logged_in() ) ) {
 			return false;
 		}
 
@@ -82,9 +118,7 @@ public function access_check() {
 			if ( ! empty( $settings['block_handler']['value'] ) ) {
 				switch ( $settings['block_handler']['value'] ) {
 					case 403:
-						header( 'Cache-Control: no-cache, no-store, must-revalidate' );
-						header( 'Pragma: no-cache' );
-						header( 'Expires: 0' );
+						add_action( 'send_headers', [ $this, 'prevent_cache_on_error_condition' ] );
 
 						$message = __( 'Your IP address has been blocked due to detected spam/malicious activity.', 'zero-spam' );
 						if ( ! empty( $settings['blocked_message']['value'] ) ) {
@@ -153,7 +187,7 @@ public static function get_blocked_details( $blocked_record, $failed = false ) {
 		}
 
 		if ( $blocked ) {
-			$access_check['blocked']            = true;
+			$access_check['blocked']           = true;
 			$access_check['type']              = 'blocked';
 			$access_check['details']           = $blocked_record;
 			$access_check['details']['failed'] = $failed;
diff --git a/modules/comments/class-comments.php b/modules/comments/class-comments.php
index ce82d97..be7dd23 100644
--- a/modules/comments/class-comments.php
+++ b/modules/comments/class-comments.php
@@ -67,7 +67,7 @@ public function types( $types ) {
 	 */
 	public function add_scripts() {
 		// Only add scripts to the appropriate pages.
-		if ( 
+		if (
 			'enabled' === \ZeroSpam\Core\Settings::get_settings( 'verify_comments' ) &&
 			'enabled' === \ZeroSpam\Core\Settings::get_settings( 'davidwalsh' )
 		) {
@@ -171,22 +171,9 @@ public function preprocess_comments( $commentdata ) {
 				}
 			}
 
-			wp_die(
-				wp_kses(
-					$error_message,
-					array(
-						'a'      => array(
-							'target' => array(),
-							'href'   => array(),
-							'rel'    => array(),
-						),
-						'strong' => array(),
-					)
-				),
-				esc_html( \ZeroSpam\Core\Utilities::detection_title( 'comment_spam_message' ) ),
-				array(
-					'response' => 403,
-				)
+			\ZeroSpam\Core\Access::die(
+				\ZeroSpam\Core\Utilities::detection_title( 'comment_spam_message' ),
+				$error_message
 			);
 		}