增加vaptcha对忘记密码页面和注册界面的支持,修复ip因为获取到x_forwarded_for多个代理ip而导致vaptcha不可用 #1332
Conversation
|
这个 PR 已经 45 天没有任何活动了,将被标记为过时 stale 。 删除 stale 的标签或评论,否则将在 10 天内关闭。 |
There was a problem hiding this comment.
Pull request overview
This PR extends Vaptcha CAPTCHA support to the forgot password and registration pages, and fixes an issue where the get_the_user_ip() function was failing with multiple proxy IPs in the X-Forwarded-For header.
Key changes:
- Added Vaptcha initialization hooks to registration and forgot password forms
- Implemented validation functions for Vaptcha on registration and password reset flows
- Modified IP extraction logic to handle comma-separated proxy IP lists
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.
| } | ||
| if ($response->success === 0) { | ||
| $errorcode = $response->msg; | ||
| return new WP_Error('prooffail', '<strong>错误</strong>:非法数据' . $errorcode); |
There was a problem hiding this comment.
Missing space before concatenation operator. The error message should be '<strong>错误</strong>:非法数据' . $errorcode with spaces around the . operator for better readability and consistency with PHP coding standards.
| } | ||
| add_filter('authenticate', 'checkVaptchaAction', 20, 3); | ||
|
|
||
| function Vaptcha_lostpassword_CHECK($errors) |
There was a problem hiding this comment.
Function name should follow the codebase naming convention. Change Vaptcha_lostpassword_CHECK to vaptcha_lostpassword_check to match the style used by similar functions like lostpassword_CHECK, turnstile_lostpassword_check, and other captcha verification functions in this file.
| function Vaptcha_lostpassword_CHECK($errors) | |
| function vaptcha_lostpassword_check($errors) |
| } | ||
| if (!(isset($_POST['vaptcha_server']) && isset($_POST['vaptcha_token']))) | ||
| { | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:请先进行人机验证'); |
There was a problem hiding this comment.
Trailing space after error code identifier 'invalid_vaptcha '. Remove the trailing space to make it 'invalid_vaptcha' for consistency.
| } | ||
| if (!preg_match('/^https:\/\/([\w-]+\.)+[\w-]*([^<>=?\"\'])*$/', $_POST['vaptcha_server']) || !preg_match('/^[\w\-\$]+$/', $_POST['vaptcha_token'])) | ||
| { | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:非法数据'); |
There was a problem hiding this comment.
Trailing space after error code identifier 'invalid_vaptcha '. Remove the trailing space to make it 'invalid_vaptcha' for consistency.
| $errorcode = $response->msg; | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:非法数据' . $errorcode); | ||
| } | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:人机验证失败'); |
There was a problem hiding this comment.
Trailing space after error code identifier 'invalid_vaptcha '. Remove the trailing space to make it 'invalid_vaptcha' for consistency.
| } | ||
| add_action('lostpassword_post', 'Vaptcha_lostpassword_CHECK'); | ||
|
|
||
| function Vaptcha_registration_CHECK($errors, $sanitized_user_login, $user_email) |
There was a problem hiding this comment.
Function name should follow the codebase naming convention. Change Vaptcha_registration_CHECK to vaptcha_registration_check to match the style used by similar functions like registration_CAPTCHA_CHECK, turnstile_registration_check, and other captcha verification functions in this file.
| function Vaptcha_registration_CHECK($errors, $sanitized_user_login, $user_email) | |
| function vaptcha_registration_check($errors, $sanitized_user_login, $user_email) |
| { | ||
| if (empty($_POST)) | ||
| { | ||
| return false; |
There was a problem hiding this comment.
The function returns false when $_POST is empty, but this is inconsistent with the expected return type. The lostpassword_post action expects an $errors object to be returned, not false. This should return $errors directly to maintain consistency with the Turnstile implementation (line 3524) which returns $errors for similar conditions.
| return false; | |
| return $errors; |
| } | ||
| if ($response->success === 0) { | ||
| $errorcode = $response->msg; | ||
| return $errors->add('invalid_vaptcha ', '<strong>错误</strong>:非法数据' . $errorcode); |
There was a problem hiding this comment.
Trailing space after error code identifier 'invalid_vaptcha '. Remove the trailing space to make it 'invalid_vaptcha' for consistency.
| $ip2 = explode('|', str_replace(',', '|', $ip)); | ||
| return apply_filters('wpb_get_ip', trim($ip2[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 |
There was a problem hiding this comment.
The delimiter handling uses pipe character | but HTTP_X_FORWARDED_FOR typically uses commas (,) as separators, not pipes. The str_replace(',', '|', $ip) converts commas to pipes and then explodes on pipes, which is unnecessarily convoluted. Consider simplifying to: $ip_array = explode(',', $ip); return apply_filters('wpb_get_ip', trim($ip_array[0]));
| $ip2 = explode('|', str_replace(',', '|', $ip)); | |
| return apply_filters('wpb_get_ip', trim($ip2[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 | |
| $ip_array = explode(',', $ip); | |
| return apply_filters('wpb_get_ip', trim($ip_array[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 |
| $ip = $_SERVER['HTTP_CLIENT_IP'] ?? $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']; | ||
| return apply_filters('wpb_get_ip', $ip); | ||
| $ip2 = explode('|', str_replace(',', '|', $ip)); | ||
| return apply_filters('wpb_get_ip', trim($ip2[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 |
There was a problem hiding this comment.
The function assumes HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR always contain valid IP addresses, but these headers can be spoofed by clients. While this PR fixes the issue of multiple proxy IPs, consider adding validation to ensure the extracted IP is actually a valid IP address using filter_var($ip, FILTER_VALIDATE_IP) before returning it.
| return apply_filters('wpb_get_ip', trim($ip2[0])); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 | |
| $user_ip = trim($ip2[0]); | |
| if (!filter_var($user_ip, FILTER_VALIDATE_IP)) { | |
| $user_ip = ''; | |
| } | |
| return apply_filters('wpb_get_ip', $user_ip); //解决HTTP_X_FORWARDED_FOR获取到代理地址而导致人机验证不通过 |
1 participant
No description provided.