Merge pull request #373 from Highfivery/fix/366-cloudflare-caching

Fix/366 Cloudflare Cachine
Highfivery · Mar 7, 2024 · 998c416 · 998c416
2 parents 1ddd762 + d07c9d0
commit 998c416
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 34 deletions.
diff --git a/core/class-access.php b/core/class-access.php
@@ -24,7 +24,12 @@ public function __construct() {
 	}
 
 	/**
-	 * Fires after WordPress has finished loading but before any headers are sent.
+	 * Initializes the class by setting up hooks and actions.
+	 *
+	 * This method is called during the WordPress initialization process. It
+	 * registers the 'template_redirect' action to perform access checks and
+	 * adds a filter for 'zerospam_access_checks' to determine if the current
+	 * request should be blocked.
 	 */
 	public function init() {
 		if ( ! is_admin() && is_main_query() && self::process() ) {
@@ -33,23 +38,59 @@ public function init() {
 		}
 	}
 
+	/**
+	 * Terminates execution with a custom error message and HTTP status code.
+	 *
+	 * Registers an action to prevent caching on error conditions by setting
+	 * appropriate HTTP headers before leveraging WordPress's wp_die() function
+	 * to produce an error page with a specified message, title, and HTTP status
+	 * code.
+	 *
+	 * @param string $title   The text to be used as the page title for the error message.
+	 *                        This content will be sanitized to remove unwanted HTML.
+	 * @param string $message The error message to display. This content will be escaped
+	 *                        to ensure only safe HTML is included.
+	 * @param int    $code    Optional. The HTTP status code to be sent in the header.
+	 *                        Defaults to 403 to indicate a Forbidden error.
+	 */
+	public static function terminate_execution( $title, $message, $code = 403 ) {
+		header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
+		header( 'Cache-Control: post-check=0, pre-check=0', false );
+		header( 'Pragma: no-cache' );
+
+		wp_die(
+			wp_kses_post( $message ),
+			esc_html( $title ),
+			[
+				'response' => $code,
+			]
+		);
+	}
+
 	/**
 	 * Determines is security checks need to be triggers.
 	 *
 	 * @param boolean $ignore_ajax True if AJAX shouldn't be checked.
 	 */
 	public static function process( $ignore_ajax = false ) {
-		$user_ip  = \ZeroSpam\Core\User::get_ip();
+		if ( empty( $_SERVER['REQUEST_URI'] ) ) {
+			return false;
+		}
+
+		$user_ip = \ZeroSpam\Core\User::get_ip();
+
+		// Sanitize the REQUEST_URI before further processing.
+		$request_uri = esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
 
 		// Check for .ico requests.
-		$path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
+		$path = wp_parse_url( $request_uri, PHP_URL_PATH );
 		if ( substr( $path, -4 ) === '.ico' ) {
 			return false;
 		}
 
-		if ( $ignore_ajax && is_admin() || is_user_logged_in() || \ZeroSpam\Core\Utilities::is_whitelisted( $user_ip ) ) {
+		if ( ( $ignore_ajax && is_admin() ) || is_user_logged_in() || \ZeroSpam\Core\Utilities::is_whitelisted( $user_ip ) ) {
 			return false;
-		} elseif ( ! $ignore_ajax && ( is_admin() && ! wp_doing_ajax() ) || is_user_logged_in() ) {
+		} elseif ( ! $ignore_ajax && ( ( is_admin() && ! wp_doing_ajax() ) || is_user_logged_in() ) ) {
 			return false;
 		}
 
@@ -82,21 +123,12 @@ public function access_check() {
 			if ( ! empty( $settings['block_handler']['value'] ) ) {
 				switch ( $settings['block_handler']['value'] ) {
 					case 403:
-						header( 'Cache-Control: no-cache, no-store, must-revalidate' );
-						header( 'Pragma: no-cache' );
-						header( 'Expires: 0' );
-
 						$message = __( 'Your IP address has been blocked due to detected spam/malicious activity.', 'zero-spam' );
 						if ( ! empty( $settings['blocked_message']['value'] ) ) {
 							$message = $settings['blocked_message']['value'];
 						}
-						wp_die(
-							$message,
-							__( 'Blocked', 'zero-spam' ),
-							array(
-								'response' => 403,
-							)
-						);
+
+						self::terminate_execution( __( 'Blocked', 'zero-spam' ), $message );
 						break;
 					case 'redirect':
 						$url = 'https://wordpress.org/plugins/zero-spam/';
@@ -153,7 +185,7 @@ public static function get_blocked_details( $blocked_record, $failed = false ) {
 		}
 
 		if ( $blocked ) {
-			$access_check['blocked']            = true;
+			$access_check['blocked']           = true;
 			$access_check['type']              = 'blocked';
 			$access_check['details']           = $blocked_record;
 			$access_check['details']['failed'] = $failed;

diff --git a/modules/comments/class-comments.php b/modules/comments/class-comments.php
@@ -67,7 +67,7 @@ public function types( $types ) {
 	 */
 	public function add_scripts() {
 		// Only add scripts to the appropriate pages.
-		if ( 
+		if (
 			'enabled' === \ZeroSpam\Core\Settings::get_settings( 'verify_comments' ) &&
 			'enabled' === \ZeroSpam\Core\Settings::get_settings( 'davidwalsh' )
 		) {
@@ -171,22 +171,9 @@ public function preprocess_comments( $commentdata ) {
 				}
 			}
 
-			wp_die(
-				wp_kses(
-					$error_message,
-					array(
-						'a'      => array(
-							'target' => array(),
-							'href'   => array(),
-							'rel'    => array(),
-						),
-						'strong' => array(),
-					)
-				),
-				esc_html( \ZeroSpam\Core\Utilities::detection_title( 'comment_spam_message' ) ),
-				array(
-					'response' => 403,
-				)
+			\ZeroSpam\Core\Access::terminate_execution(
+				\ZeroSpam\Core\Utilities::detection_title( 'comment_spam_message' ),
+				$error_message
 			);
 		}