From 86ad8bcfd1918da9b53728aaf9362558b68912d6 Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Thu, 2 Mar 2017 10:20:33 -0500 Subject: [PATCH 1/5] PHPCS fixes: strict comparison, rawurlencode(), sanitization --- wp-async-task.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/wp-async-task.php b/wp-async-task.php
index 70fc0c4..aeb68b5 100644
--- a/wp-async-task.php
+++ b/wp-async-task.php
@@ -128,8 +128,8 @@ public function launch() {
 public function launch_on_shutdown() {
 if ( ! empty( $this->_body_data ) ) {
 $cookies = array();
- foreach ( $_COOKIE as $name => $value ) {
- $cookies[] = "$name=" . urlencode( is_array( $value ) ? serialize( $value ) : $value );
+ foreach ( $_COOKIE as $name => $value ) { // input var ok
+ $cookies[] = "$name=" . rawurlencode( is_array( $value ) ? serialize( $value ) : $value );
 }
 $request_args = array(
@@ -157,7 +157,7 @@ public function launch_on_shutdown() {
 * @uses wp_die()
 */
 public function handle_postback() {
- if ( isset( $_POST['_nonce'] ) && $this->verify_async_nonce( $_POST['_nonce'] ) ) {
+ if ( isset( $_POST['_nonce'] ) && $this->verify_async_nonce( sanitize_text_field( wp_unslash( $_POST['_nonce'] ) ) ) ) { // input var ok
 if ( ! is_user_logged_in() ) {
 $this->action = "nopriv_$this->action";
 }
@@ -201,12 +201,12 @@ protected function verify_async_nonce( $nonce ) {
 $i = wp_nonce_tick();
 // Nonce generated 0-12 hours ago
- if ( substr( wp_hash( $i . $action . get_class( $this ), 'nonce' ), - 12, 10 ) == $nonce ) {
+ if ( substr( wp_hash( $i . $action . get_class( $this ), 'nonce' ), - 12, 10 ) === $nonce ) {
 return 1;
 }
 // Nonce generated 12-24 hours ago
- if ( substr( wp_hash( ( $i - 1 ) . $action . get_class( $this ), 'nonce' ), - 12, 10 ) == $nonce ) {
+ if ( substr( wp_hash( ( $i - 1 ) . $action . get_class( $this ), 'nonce' ), - 12, 10 ) === $nonce ) {
 return 2;
 }
From 95e0e0ebcf7c166518e8ca4b345d9b694cb13b70 Mon Sep 17 00:00:00 2001
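Review bot: The rebuilt loop still copies every cookie from the incoming request—auth cookies included—into the server-initiated postback, and nothing near it says this is intentional; the `// input var ok` marker only silences the PHPCS sniff. Add a why-comment above the foreach: `// Replay the caller's cookies (auth included) so the postback runs as the same user; handle_postback() keys its nopriv_ branch off is_user_logged_in().` rawurlencode() is the right encoder for a Cookie header value, but the name in `"$name="` is still interpolated raw, which presumably relies on PHP having already normalised names when it built $_COOKIE—worth stating in the same comment. launch_on_shutdown() continues past the hunk.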
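Review bot: Moving to `===` removes the loose-compare hazard, but the nonce is still checked with an ordinary string comparison that stops at the first differing byte; use `hash_equals( substr( wp_hash( $i . $action . get_class( $this ), 'nonce' ), - 12, 10 ), $nonce )` on both branches, which is also what core's wp_verify_nonce() does. hash_equals() expects two strings, so the function should reject anything else before the tick checks, e.g. `if ( ! is_string( $nonce ) ) { return false; }` (or whatever the fall-through branch returns), which also covers a `_nonce[]=` array posted by a caller. verify_async_nonce() begins before this hunk, where $action is set, and its fall-through return presumably follows it, so the guard lands outside the visible lines.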
From: Paul Schreiber Date: Thu, 2 Mar 2017 10:34:06 -0500 Subject: [PATCH 2/5] move die() to its own line --- wp-async-task.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/wp-async-task.php b/wp-async-task.php
index aeb68b5..c9e0961 100644
--- a/wp-async-task.php
+++ b/wp-async-task.php
@@ -164,7 +164,9 @@ public function handle_postback() {
 $this->run_action();
 }
- add_filter( 'wp_die_handler', function() { die(); } );
+ add_filter( 'wp_die_handler', function() {
+ die();
+ });
 wp_die();
 }
From f94b2332d6996188825d59512df14e023712fa8f Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Tue, 7 Mar 2017 22:33:00 -0500 Subject: [PATCH 3/5] add @uses sanitize_text_field() and wp_unslash() to handle_postback docblock --- wp-async-task.php | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/wp-async-task.php b/wp-async-task.php
index c9e0961..4be2ff0 100644
--- a/wp-async-task.php
+++ b/wp-async-task.php
@@ -155,6 +155,8 @@ public function launch_on_shutdown() {
 * @uses is_user_logged_in()
 * @uses add_filter()
 * @uses wp_die()
+ * @uses sanitize_text_field()
+ * @uses wp_unslash()
 */
 public function handle_postback() {
 if ( isset( $_POST['_nonce'] ) && $this->verify_async_nonce( sanitize_text_field( wp_unslash( $_POST['_nonce'] ) ) ) ) { // input var ok
From 0cc9856ce0035299f942979b1012c8de881cc664 Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Tue, 7 Mar 2017 22:33:17 -0500 Subject: [PATCH 4/5] add mocks for sanitize_text_field() and wp_unslash() --- tests/phpunit/WP-Async-TaskTest.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/phpunit/WP-Async-TaskTest.php b/tests/phpunit/WP-Async-TaskTest.php
index 0101668..63db5f8 100644
--- a/tests/phpunit/WP-Async-TaskTest.php
+++ b/tests/phpunit/WP-Async-TaskTest.php
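Review bot: The two `@uses` tags added here document calls that PATCH 5/5 of this same series removes again, and 5/5's `index c9e0961..623db94` line shows it was cut from the tree as it stood before this commit (this hunk's own index is `c9e0961..4be2ff0`), so after the series lands the docblock credits sanitize_text_field() and wp_unslash() while handle_postback() calls neither. Drop this patch when 5/5 goes in, or rebase 5/5 so its hunk also deletes the two tags. The @uses tags by themselves will not explain why the nonce ends up compared unsanitised; that reasoning belongs in a sentence of the docblock rather than in the tag list.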
@@ -226,7 +226,8 @@ public function test_handle_postback_invalid_nonce() {
 die();
 } );
 WP_Mock::wpFunction( 'wp_die', array( 'times' => 1 ) );
-
+ WP_Mock::wpPassthruFunction( 'sanitize_text_field' );
+ WP_Mock::wpPassthruFunction( 'wp_unslash' );
 /** @var Async $async */
 $async->handle_postback();
From c785cb58bbf5d19d49ee8c63433fc4a43e837969 Mon Sep 17 00:00:00 2001 From: Paul Schreiber Date: Wed, 8 Mar 2017 14:13:23 -0500 Subject: [PATCH 5/5] remove sanitize_text_field() and wp_unslash() calls from verify_async_nonce() --- wp-async-task.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wp-async-task.php b/wp-async-task.php
index c9e0961..623db94 100644
--- a/wp-async-task.php
+++ b/wp-async-task.php
@@ -157,7 +157,7 @@ public function launch_on_shutdown() {
 * @uses wp_die()
 */
 public function handle_postback() {
- if ( isset( $_POST['_nonce'] ) && $this->verify_async_nonce( sanitize_text_field( wp_unslash( $_POST['_nonce'] ) ) ) ) { // input var ok
+ if ( isset( $_POST['_nonce'] ) && $this->verify_async_nonce( $_POST['_nonce'] ) ) { // input var ok
 if ( ! is_user_logged_in() ) {
 $this->action = "nopriv_$this->action";
 }
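Review bot: These passthru mocks are wired only into test_handle_postback_invalid_nonce(), yet handle_postback() runs sanitize_text_field( wp_unslash( … ) ) on any posted `_nonce` before the verdict is known, so every other test that drives handle_postback() with a `_nonce` set (a valid-nonce case, if one exists outside the hunk) needs the same two lines; hoisting them into setUp() keeps that in one place. PATCH 5/5 of this series removes the calls these mocks stand in for, so once it lands both lines are dead setup and should go with it. Deleting the blank line between the wp_die mock and the new ones is a readability loss for no gain.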
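Review bot: With the wrapper gone, `$_POST['_nonce']` reaches verify_async_nonce() exactly as submitted, so it can be an array (`_nonce[]=x`) or still carry any slashes WordPress's magic-quotes layer adds; the strict `===` inside verify_async_nonce() rejects a non-string, but the contract is clearer with an explicit guard, `if ( isset( $_POST['_nonce'] ) && is_string( $_POST['_nonce'] ) && $this->verify_async_nonce( $_POST['_nonce'] ) ) { // input var ok`. Removing wp_unslash() is only behaviour-neutral because a valid nonce is a 10-character slice of a wp_hash() digest with nothing to slash; put that in a comment so nobody reinstates a sanitizer on a value that must match byte-for-byte. The subject says the calls were removed from verify_async_nonce(), but the hunk edits handle_postback(), which continues below the hunk.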