Recommended Fixes from Plugin Checker

Author: Benjamin Pick

admin-ui.php

@@ -195,7 +195,7 @@ function geoip_detect_option_page() {
 				break;
 
 			case 'choose':
-				$sourceId = sanitize_text_field($_POST['options']['source']);
+				$sourceId = sanitize_text_field(isset($_POST['options']['source']) ? $_POST['options']['source'] : '' );
 				$registry->setCurrentSource($sourceId);
 				break;
 
@@ -219,7 +219,7 @@ function geoip_detect_option_page() {
 					if (in_array($opt_name, $numeric_options))
 						$opt_value = isset($_POST['options'][$opt_name]) ? (int) $_POST['options'][$opt_name] : 0;
 					else {
-						$opt_value = geoip_detect_sanitize_option($opt_name, @$_POST['options'][$opt_name], $m);
+						$opt_value = geoip_detect_sanitize_option($opt_name, isset($_POST['options'][$opt_name]) ? $_POST['options'][$opt_name] : '', $m);
 					}
 					if ($m) {
 						$messages[] = $m;

ajax.php

@@ -49,7 +49,7 @@ function geoip_detect_ajax_get_info_from_current_ip() {
 
 	// Referer check
 
-    $referer = _geoip_detect_get_domain_name($_SERVER['HTTP_REFERER']);
+    $referer = _geoip_detect_get_domain_name(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
     if (!$referer) {
         _geoip_detect_ajax_error('This AJAX call does not work when called directly. Do an AJAX call via JS instead.');
 	}
@@ -75,7 +75,7 @@ function geoip_detect_ajax_get_info_from_current_ip() {
 
 
 function _geoip_detect_get_domain_name($url) {
-	$result = parse_url($url);
+	$result = wp_parse_url($url);
 	return $result['host'];
 }
 

check_compatibility.php

@@ -96,11 +96,11 @@ function checkCompatible() {
             $line2 = __('These incompatible files have been found to be loaded from another plugin: ', 'geoip-detect') . $data;
             $line3 = __('Please test if looking up an IP adress works without an PHP Error. If it works, you can dismiss this notice. It will appear again when their libraries are changed.', 'geoip-detect');
 
-            $body = <<<BODY
+            $body = "
 <p><i>$line1</i></p>
 <p>$line2</p>
 <p>$line3</p>
-BODY;
+";
             $this->adminNotices[] = [
                 'id' => 'maxmind_vendor_old_' . md5($data),
                 'title' => __('Geolocation IP Detection: Warning: Old Maxmind Libraries detected.', 'geoip-detect'),

data-sources/auto.php

@@ -143,7 +143,7 @@ public function saveParameters($post) {
 
 	protected function download_url($url, $modified = 0) {
 		// Similar to wordpress download_url, but with custom UA
-		$url_filename = basename( parse_url( $url, PHP_URL_PATH ) );
+		$url_filename = basename( wp_parse_url( $url, PHP_URL_PATH ) );
 
 		$tmpfname = wp_tempnam( $url_filename );
 		if ( ! $tmpfname )
@@ -161,7 +161,7 @@ protected function download_url($url, $modified = 0) {
 			return new \WP_Error( 'http_304', __('It has not changed since the last update.', 'geoip-detect') );
 		}
 		if (is_wp_error( $response ) || 200 !=  $http_response_code) {
-			unlink($tmpfname);
+			wp_delete_file($tmpfname);
 			$body = wp_remote_retrieve_body($response);
 			return new \WP_Error( 'http_404', $http_response_code . ': ' . trim( wp_remote_retrieve_response_message( $response ) ) . ' ' . $body );
 		}
@@ -220,7 +220,7 @@ public function maxmindUpdate($forceUpdate = false)
 		}
 
 		update_option('geoip-detect-auto_downloaded_file', '');
-		unlink($tmpFile);
+		wp_delete_file($tmpFile);
 
 		return true;
 	}
@@ -252,7 +252,7 @@ protected function unpackArchive($downloadedFilename, $outFile) {
 			$phar->extractTo($outDir, null, true);
 		} catch(\Throwable $e) {
 			// Fallback method of unpacking?
-			unlink($downloadedFilename); // Do not try to unpack this file again, instead re-download
+			wp_delete_file($downloadedFilename); // Do not try to unpack this file again, instead re-download
 			return __('The downloaded file seems to be corrupt. Try again ...', 'geoip-detect');
 		}
 
@@ -309,7 +309,7 @@ public function set_cron_schedule()
 	public function schedule_next_cron_run() {
 		// Try to update every 1-2 weeks
 		$next = time() + WEEK_IN_SECONDS;
-		$next += mt_rand(1, WEEK_IN_SECONDS);
+		$next += \wp_rand(1, WEEK_IN_SECONDS);
 
 		wp_schedule_single_event($next, 'geoipdetectupdate');
 	}
@@ -329,7 +329,7 @@ public function uninstall() {
 		// Delete the automatically downloaded file, if it exists
 		$filename = $this->maxmindGetFilename();
 		if ($filename) {
-			unlink($filename);
+			wp_delete_file($filename);
 		}
 	}
 }

geoip-detect.php

@@ -9,7 +9,6 @@
 License:         GPLv3 or later
 License URI:     http://www.gnu.org/licenses/gpl-3.0.html
 Text Domain:     geoip-detect
-Domain Path:     /languages
 GitHub Plugin URI: https://github.com/yellowtree/geoip-detect
 GitHub Branch:   master
 Requires WP:     5.4

init.php

@@ -36,12 +36,6 @@ function geoip_detect_check_ipv6_support() {
 	return @inet_pton('::1') !== false;
 }
 
-// Load Locales
-function geoip_detect_load_textdomain() {
-  load_plugin_textdomain( 'geoip-detect', false, GEOIP_PLUGIN_DIR . '/languages' );
-}
-add_action( 'init', 'geoip_detect_load_textdomain' );
-
 
 function geoip_detect_enqueue_admin_notices() {
 	// Nobody would see these notices them anyway.
@@ -89,15 +83,15 @@ function geoip_detect_admin_notice_template($id, $title, $body, $addButtonDismis
 ?>
 <div class="error notice is-dismissible">
 	<p style="float: right">
-		<a href="tools.php?page=<?php echo GEOIP_PLUGIN_BASENAME ?>&geoip_detect_dismiss_notice=<?php echo $id ?>"><?php _e('Dismiss notice', 'geoip-detect'); ?></a>
+		<a href="tools.php?page=<?php echo GEOIP_PLUGIN_BASENAME ?>&geoip_detect_dismiss_notice=<?php echo esc_attr($id) ?>"><?php _e('Dismiss notice', 'geoip-detect'); ?></a>
 	</p>
 
 	<h3><?php echo $title; ?></h3>
 
 	<?php echo $body; ?>
 	<?php if ($addButtonDismiss) : ?>
 	<p>
-		<a class="button button-secondary" href="?geoip_detect_dismiss_notice=<?= $id ?>">Hide this notice</a>
+		<a class="button button-secondary" href="?geoip_detect_dismiss_notice=<?php echo esc_attr($id) ?>">Hide this notice</a>
 	</p>
 	<?php endif; ?>
 </div>

lib/ccpa.php

@@ -288,7 +288,7 @@ public function schedule($forceReschedule = false) {
 
     protected function schedule_next_cron_run() {
         $next = time() + DAY_IN_SECONDS;
-        $next += mt_rand(1, HOUR_IN_SECONDS);
+        $next += wp_rand(1, HOUR_IN_SECONDS);
         wp_schedule_single_event($next, 'geoipdetectccpaupdate');
     }
 }

lib/dynamic-reverse-proxies/abstract.php

@@ -168,7 +168,7 @@ public function unschedule() {
 
     protected function schedule_next_cron_run() {
         $next = time() + DAY_IN_SECONDS;
-        $next += mt_rand(1, HOUR_IN_SECONDS);
+        $next += wp_rand(1, HOUR_IN_SECONDS);
         wp_schedule_single_event($next, 'geoipdetectdynamicproxiesupdate');
     }
 }

readme.txt

@@ -2,8 +2,8 @@
 Contributors: benjaminpick
 Tags: geolocation, locator, geoip, maxmind, ipstack
 Requires at least: 5.0
-Tested up to: 6.7
-Requires PHP: 7.2
+Tested up to: 6.8
+Requires PHP: 7.2.5
 Stable tag: 5.5.0
 License: GPLv3 or later
 License URI: http://www.gnu.org/licenses/gpl-3.0.html

views/client-ip.php

@@ -36,9 +36,9 @@
 		</span>
 	</p>
 	<p>
-		REMOTE_ADDR: <b><?php echo $_SERVER['REMOTE_ADDR']; ?></b><br>
+		REMOTE_ADDR: <b><?php echo esc_html($_SERVER['REMOTE_ADDR']); ?></b><br>
 		<span class="detail-box">In server configurations without reverse proxy, this will equal to the "detected client IP". Otherwise, this is the IP of the reverse proxy.</span>
-		HTTP_X_FORWARDED_FOR: <b><?php echo isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : __('(unset)', 'geoip-detect'); ?></b><br>
+		HTTP_X_FORWARDED_FOR: <b><?php echo isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? esc_html($_SERVER["HTTP_X_FORWARDED_FOR"]) : __('(unset)', 'geoip-detect'); ?></b><br>
 		<span class="detail-box">Reverse proxies usually add this header to indicate the original IP. If several IPs are given here (seperated by a comma), the correct user IP usually is the leftmost one.</span>
 		<?php if (isset($_SERVER["HTTP_X_FORWARDED_FOR"]) && !get_option('geoip-detect-has_reverse_proxy')): ?>
 		<i>(Probably you should enable the reverse proxy option.)</i>
@@ -56,10 +56,10 @@
 
 		<li>Add known proxies of a cloud provider enabled: <b><?php echo get_option('geoip-detect-dynamic_reverse_proxies') ? 'Yes, ' . ucfirst(get_option('geoip-detect-dynamic_reverse_proxy_type', '')) : 'No'; ?></b>
 			<span class="detail-box">If your site is hosted by CloudFlare or AWS, this should probably be enabled. It will automatically retrieve the many IP adresses that a reverse proxy of this provider can have, and update the list daily.</span>
-			<span class="detail-box">Here is the current list of IP adresses: <b><?= implode(', ', \YellowTree\GeoipDetect\DynamicReverseProxies\addDynamicIps()) ?: '(Empty)' ?></b></span>
+			<span class="detail-box">Here is the current list of IP adresses: <b><?php echo implode(', ', \YellowTree\GeoipDetect\DynamicReverseProxies\addDynamicIps()) ?: '(Empty)' ?></b></span>
 			<span class="detail-box">
-				Last updated: <b><?= geoip_detect_format_localtime($last_update); ?></b><br>
-				Next update:  <b><?= geoip_detect_format_localtime(wp_next_scheduled('geoipdetectdynamicproxiesupdate')); ?></b>
+				Last updated: <b><?php echo geoip_detect_format_localtime($last_update); ?></b><br>
+				Next update:  <b><?php echo geoip_detect_format_localtime(wp_next_scheduled('geoipdetectdynamicproxiesupdate')); ?></b>
 				<?php if(get_option('geoip-detect-dynamic_reverse_proxies')) : ?>
 				<form method="POST">
 					<?php wp_nonce_field( 'geoip_detect_reload-proxies' ); ?>