Protect WAF: Ensure request body is parsed correctly (#39262)

--------- Co-authored-by: Nate Weller <[email protected]>
Automattic · Sep 10, 2024 · 6487d3c · 6487d3c
1 parent e522e27
commit 6487d3c
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 7 deletions.
diff --git a/projects/packages/waf/changelog/fix-waf-request-post-data b/projects/packages/waf/changelog/fix-waf-request-post-data
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Waf: Ensure that request body is parsed correctly
diff --git a/projects/packages/waf/src/class-waf-request.php b/projects/packages/waf/src/class-waf-request.php
@@ -334,17 +334,21 @@ public function get_get_vars() {
 	 * @return array{string, scalar}[]
 	 */
 	public function get_post_vars() {
+		$content_type = $this->get_header( 'content-type' );
 		if ( ! empty( $_POST ) ) {
+			// If $_POST is populated, use it.
 			return flatten_array( $_POST );
-		} elseif ( strpos( $this->get_header( 'content-type' ), 'application/json' ) !== false ) {
+		} elseif ( strpos( $content_type, 'application/json' ) !== false ) {
 			// Attempt to decode JSON requests.
 			$decoded_json = json_decode( $this->get_body(), true ) ?? array();
 			return flatten_array( $decoded_json, 'json', true );
-		} else {
-			// Attempt to retrieve all parameters when method used isn't POST
-			$body = $this->get_body();
-			parse_str( $body, $params );
+		} elseif ( strpos( $content_type, 'application/x-www-form-urlencoded' ) !== false ) {
+			// Attempt to decode url-encoded data
+			parse_str( $this->get_body(), $params );
 			return flatten_array( $params );
+		} else {
+			// Don't try to parse any other content types
+			return array();
 		}
 	}
 

diff --git a/projects/packages/waf/tests/php/unit/test-waf-request.php b/projects/packages/waf/tests/php/unit/test-waf-request.php
@@ -302,7 +302,7 @@ public function testGetVarsPost() {
 	}
 
 	/**
-	 * Test that the Waf_Request class returns $_POST data correctly decoded from JSON via Waf_Request::get_post_vars().
+	 * Test that the Waf_Request class returns POST-ed data correctly decoded from JSON via Waf_Request::get_post_vars().
 	 */
 	public function testGetVarsPostWithJson() {
 		$_SERVER['CONTENT_TYPE'] = 'application/json';
@@ -329,10 +329,23 @@ public function testGetVarsPostWithJson() {
 		unset( $_SERVER['CONTENT_TYPE'] );
 	}
 
+	/**
+	 * Test that the Waf_Request class returns POST data correctly when the content is XML
+	 */
+	public function testGetVarsPostWithXml() {
+		$_SERVER['CONTENT_TYPE'] = 'text/xml';
+		$request                 = $this->mock_request(
+			array(
+				'body' => '<?xml version="1.0"?><methodCall><methodName>methodName</methodName><params><param><value><string>AB</string></value></param></params></methodCall>',
+			)
+		);
+		$this->assertEmpty( $request->get_post_vars() );
+	}
+
 	/**
 	 * Test that the Waf_Request class returns any parameters when HTTP method isn't POST.
 	 */
-	public function testGetVarsPostHttpMethodNotPost() {
+	public function testGetVarsPostWithUrlEncoded() {
 		$_SERVER['CONTENT_TYPE'] = 'application/x-www-form-urlencoded';
 		$request                 = $this->mock_request(
 			array(