Fix clear for all cli actions + change hash

litespeedtech · Jun 28, 2024 · 657b8bb · 657b8bb
1 parent 7a89f12
commit 657b8bb
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/cli/purge.cls.php b/cli/purge.cls.php
@@ -157,6 +157,7 @@ public function url($args)
 	{
 		$data = array(
 			Router::ACTION => Core::ACTION_QS_PURGE,
+			Router::VALIDATE_PURGE => Router::get_hash(),
 		);
 		$url = $args[0];
 		$deconstructed = wp_parse_url($url);

diff --git a/src/router.cls.php b/src/router.cls.php
@@ -14,6 +14,7 @@ class Router extends Base
 {
 	const NONCE = 'LSCWP_NONCE';
 	const ACTION = 'LSCWP_CTRL';
+	const VALIDATE_PURGE = 'VALIDATE_PURGE';
 
 	const ACTION_SAVE_SETTINGS_NETWORK = 'save-settings-network';
 	const ACTION_DB_OPTM = 'db_optm';
@@ -501,12 +502,18 @@ private function verify_action()
 		// Each action must have a valid nonce unless its from admin ip and is public action
 		// Validate requests nonce (from admin logged in page or cli)
 		if (!$this->verify_nonce($action)) {
-			// check if it is from admin ip
-			if (!$this->is_admin_ip()) {
+			// check if action is from admin ip. skip test for action Core::ACTION_QS_PURGE.
+			if ( $action != Core::ACTION_QS_PURGE && !$this->is_admin_ip()) {
 				Debug2::debug('[Router] LSCWP_CTRL query string - did not match admin IP: ' . $action);
 				return;
 			}
 
+			// Validate request for action Core::ACTION_QS_PURGE. test if request parameter isset and is correct.
+			if( $action == Core::ACTION_QS_PURGE && ( !isset($_REQUEST[Router::VALIDATE_PURGE]) || $_REQUEST[Router::VALIDATE_PURGE] != Router::get_hash() ) ){
+				Debug2::debug('[Router] LSCWP_CTRL query string - could not validate request for: ' . $action);
+				return;
+			}
+
 			// check if it is public action
 			if (
 				!in_array($action, array(