Fix clear for all cli actions + change hash

litespeedtech · Jun 28, 2024 · 2aa6003 · 2aa6003
1 parent eafa608
commit 2aa6003
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/cli/purge.cls.php b/cli/purge.cls.php
@@ -157,8 +157,7 @@ public function url($args)
 	{
 		$data = array(
 			Router::ACTION => Core::ACTION_QS_PURGE,
-			// Select every 3rd character from NONCE_KEY
-			Router::VALIDATE_PURGE => preg_replace('/.{1,3}(.?)/', '$1', NONCE_KEY),
+			Router::VALIDATE_PURGE => Router::get_hash(),
 		);
 		$url = $args[0];
 		$deconstructed = wp_parse_url($url);

diff --git a/src/router.cls.php b/src/router.cls.php
@@ -501,14 +501,19 @@ private function verify_action()
 
 		// Each action must have a valid nonce unless its from admin ip and is public action
 		// Validate requests nonce (from admin logged in page or cli)
-		if (!$this->verify_nonce($action) && isset($_REQUEST[Router::VALIDATE_PURGE])) {
-			// check if valid request
-			// Select every 3rd character from NONCE_KEY
-			if( !$_REQUEST[Router::VALIDATE_PURGE] == preg_replace('/.{1,3}(.?)/', '$1', NONCE_KEY) ){
+		if (!$this->verify_nonce($action)) {
+			// check if action is from admin ip. skip test for action Core::ACTION_QS_PURGE.
+			if ( $action != Core::ACTION_QS_PURGE && !$this->is_admin_ip()) {
 				Debug2::debug('[Router] LSCWP_CTRL query string - did not match admin IP: ' . $action);
 				return;
 			}
 
+			// Validate request for action Core::ACTION_QS_PURGE. test if request parameter isset and is correct.
+			if( $action == Core::ACTION_QS_PURGE && ( !isset($_REQUEST[Router::VALIDATE_PURGE]) || $_REQUEST[Router::VALIDATE_PURGE] != Router::get_hash() ) ){
+				Debug2::debug('[Router] LSCWP_CTRL query string - could not validate request for: ' . $action);
+				return;
+			}
+
 			// check if it is public action
 			if (
 				!in_array($action, array(