* FIX: Resolved a security issue by no longer decoding query paramete…

…rs when redirecting to a 404 page.
aaron13100 · Nov 18, 2024 · e597ba6 · e597ba6
1 parent 119657a
commit e597ba6
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 8 deletions.
diff --git a/404-solution.php b/404-solution.php
@@ -7,7 +7,7 @@
 	Author:      Aaron J
 	Author URI:  https://www.ajexperience.com/404-solution/
 
-	Version: 2.35.19
+	Version: 2.35.20
 
 	License: GPL-3.0-or-later
 	License URI: https://www.gnu.org/licenses/gpl-3.0.html

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog #
 
+## Version 2.35.20 (November 18, 2024) ##
+* FIX: Resolved a security issue by no longer decoding query parameters when redirecting to a 404 page.
+
 ## Version 2.35.19 (November 18, 2024) ##
 * FIX: Try to fix logging issues caused by people that use latin1 as their database encoding (urlencode utf8mb4 characters when storing to the logs table and warn about it). (thanks to debug log file participants)
 * FIX: Avoid error messages when trying to assure that table names are lower case (probably introduced in 2.35.16).

diff --git a/README.md b/README.md
@@ -88,6 +88,9 @@ Please try this website for studying Japanese flashcards.
 
 ## Changelog ##
 
+## Version 2.35.20 (November 18, 2024) ##
+* FIX: Resolved a security issue by no longer decoding query parameters when redirecting to a 404 page.
+
 ## Version 2.35.19 (November 18, 2024) ##
 * FIX: Try to fix logging issues caused by people that use latin1 as their database encoding (urlencode utf8mb4 characters when storing to the logs table and warn about it). (thanks to debug log file participants)
 * FIX: Avoid error messages when trying to assure that table names are lower case (probably introduced in 2.35.16).

diff --git a/includes/Loader.php b/includes/Loader.php
@@ -10,7 +10,7 @@
 define('ABJ404_SOLUTION_BASENAME', function_exists('plugin_basename') ? plugin_basename(ABJ404_FILE) : 
 	basename(dirname(ABJ404_FILE)) . '/' . basename(ABJ404_FILE));
 
-define( 'ABJ404_VERSION', '2.35.19' );
+define( 'ABJ404_VERSION', '2.35.20' );
 define( 'URL_TRACKING_SUFFIX', '?utm_source=404SolutionPlugin&utm_medium=WordPress');
 define( 'ABJ404_HOME_URL', 'https://www.ajexperience.com/404-solution/' . URL_TRACKING_SUFFIX);
 define( 'ABJ404_FC_URL', 'https://www.ajexperience.com/' . URL_TRACKING_SUFFIX);

diff --git a/includes/PluginLogic.php b/includes/PluginLogic.php
@@ -2000,8 +2000,11 @@ function forceRedirect($location, $status = 302, $type = -1, $requestedURL = '')
     	$f = ABJ_404_Solution_Functions::getInstance();
     	$abj404logging = ABJ_404_Solution_Logging::getInstance();
 
-    	$commentPartAndQueryPart = $this->getCommentPartAndQueryPartOfRequest();
-    	$finalDestination = $location . $commentPartAndQueryPart;
+        $commentPartAndQueryPart = $this->getCommentPartAndQueryPartOfRequest();
+        // Sanitize and encode the base location and query parts
+        $sanitizedLocation = esc_url_raw($location); // Ensure the base URL is safe
+        $sanitizedQueryPart = esc_html($commentPartAndQueryPart); // Encode the query part for safe output
+        $finalDestination = $sanitizedLocation . $sanitizedQueryPart;
 
     	$previousRequest = $this->readCookieWithPreviousRqeuestShort();
     	$finalDestNoHome = $f->substr($finalDestination, $f->strpos($finalDestination, '://') + 3);

diff --git a/includes/php/objs/UserRequest.php b/includes/php/objs/UserRequest.php
@@ -76,9 +76,18 @@ public static function initialize() {
                     'urlToParse result: ' . $urlToParse);
             return false;
         }
-        // make things work with foreign languages.
+        // make things work with foreign languages while avoiding XSS issues.
         foreach ($urlParts as $key => $value) {
-            $urlParts[$key] = urldecode($value);
+            // Decode only if necessary, then sanitize and encode output
+            if ($key === 'query') {
+                // For query strings, sanitize each key-value pair
+                parse_str($value, $queryArray);
+                $safeQueryArray = array_map('sanitize_text_field', $queryArray);
+                $urlParts[$key] = http_build_query($safeQueryArray);
+            } else {
+                // Sanitize text parts like paths
+                $urlParts[$key] = sanitize_text_field($value);
+            }
         }
 
         // remove a pointless trailing /amp

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "404-solution",
-  "version": "2.35.19",
+  "version": "2.35.20",
   "description": "The 404 Solution Plugin.",
   "main": "Gulpfile.js",
   "dependencies": {

diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Website: https://www.ajexperience.com/404-solution/
 Tags: 404, redirect, 301, 302
 Requires at least: 3.9
 Tested up to: 6.7
-Stable tag: 2.35.19
+Stable tag: 2.35.20
 License: GPL-3.0-or-later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 
@@ -90,6 +90,9 @@ Please try this website for studying flashcards.
 
 == Changelog ==
 
+= Version 2.35.20 (November 18, 2024) =
+* FIX: Resolved a security issue by no longer decoding query parameters when redirecting to a 404 page.
+
 = Version 2.35.19 (November 18, 2024) =
 * FIX: Try to fix logging issues caused by people that use latin1 as their database encoding (urlencode utf8mb4 characters when storing to the logs table and warn about it). (thanks to debug log file participants)
 * FIX: Avoid error messages when trying to assure that table names are lower case (probably introduced in 2.35.16).