Bug found and fixed: Reversed 'thefrom' variable in $_REQUEST gets overwritten

What's the best way to document the bug and the fix and get it over to your devs?

    iNET

    In /popover/inc/class-popup-base.php , you guys have added this new block of code to get around an iThemes issue:

    /*
     * URLs for the "from" and "referer" fields are transmitted in reversed
     * format (moc.elpmaxe//:ptth)
     * Reason for this is that plugins like iThemes security might block
     * incoming requests that contain the value "http://". This is how
     * we bypass that security check.
     */
    if ( ! empty( $_REQUEST['thefrom'] ) ) { $_REQUEST['thefrom'] = strrev( $_REQUEST['thefrom'] ); }
    if ( ! empty( $_REQUEST['thereferrer'] ) ) { $_REQUEST['thereferrer'] = strrev( $_REQUEST['thereferrer'] ); }

    However, WordPress resets the values of the $_REQUEST superglobal in the wp_magic_quotes() function in /wp-includes/load.php. Here is the specific line:

    // Force REQUEST to be GET + POST.
    $_REQUEST = array_merge( $_GET, $_POST );

    So by the time the URL rule classes start looking at $_REQUEST['thefrom'], it has been reset back to its original, reversed value. This causes these rules to fail when being applied.

    Rather than trying to modify the values in $_REQUEST (which I personally feel is a bad idea), I moved the call to strrev() into the individual rule classes.

    In /popover/inc/rules/class-poup-rule-url.php, I changed the current_url() function definition to the following:

    public function current_url() {
    	global $wp;
    	$current_url = '';
    
    	if ( empty( $_REQUEST['thefrom'] ) ) {
    		$current_url = home_url( $wp->request );
    	} else {
    		$current_url = strtok( $_REQUEST['thefrom'], '#' );
    
    		// Make URL isn't still reversed, since wp_magic_quotes() tends
    		// to reset the values of $_REQUEST
    		if ( 'ptth' == substr( $current_url, -4) ) {
    			$current_url = strrev( $current_url );
    		}
    	}
    
    	return $current_url;
    }

    I did the same in In /popover/inc/rules/class-poup-rule-advurl.php:

    protected function current_url() {
    	global $wp;
    	$current_url = '';
    
    	if ( empty( $_REQUEST['thefrom'] ) ) {
    		$current_url = home_url( $wp->request );
    	} else {
    		$current_url = strtok( $_REQUEST['thefrom'], '#' );
    
    		// Make URL isn't still reversed, since wp_magic_quotes() tends
    		// to reset the values of $_REQUEST
    		if ( 'ptth' == substr( $current_url, -4) ) {
    			$current_url = strrev( $current_url );
    		}
    	}
    
    	return $current_url;
    }