Improve REQUEST_URI handling (#36833)

* Improve REQUEST_URI handling

* changelog

projects/packages/waf/changelog/fix-request-uri-handling

@@ -0,0 +1,4 @@
+Significance: patch
+Type: security
+
+Improves handling of REQUEST_URI

projects/packages/waf/src/class-waf-request.php

@@ -208,7 +208,9 @@ protected function get_url() {
 		$uri = isset( $_SERVER['REQUEST_URI'] ) ? filter_var( wp_unslash( $_SERVER['REQUEST_URI'] ), FILTER_DEFAULT ) : '/';
 		if ( false !== strpos( $uri, '?' ) ) {
 			// remove the query string (we'll pull it from elsewhere later)
-			$uri = substr( $uri, 0, strpos( $uri, '?' ) );
+			$uri = urldecode( substr( $uri, 0, strpos( $uri, '?' ) ) );
+		} else {
+			$uri = urldecode( $uri );
 		}
 		$query_string = isset( $_SERVER['QUERY_STRING'] ) ? '?' . filter_var( wp_unslash( $_SERVER['QUERY_STRING'] ), FILTER_DEFAULT ) : '';
 		if ( 1 === preg_match( '/^https?:\/\//', $uri ) ) {

projects/packages/waf/tests/php/unit/test-waf-request.php

@@ -188,6 +188,13 @@ public function testGetUri() {
 		$_SERVER['HTTP_HOST']   = 'wordpress.com';
 		$request                = new Waf_Request();
 		$this->assertSame( 'https://wordpress.com/index.php', $request->get_uri( true ) );
+		// test with encoded characters in REQUEST_URI
+		$_SERVER['REQUEST_URI'] = 'https://wordpress.com/wp-%61dmin/index.php';
+		$request                = new Waf_Request();
+		$this->assertSame( 'https://wordpress.com/wp-admin/index.php', $request->get_uri( true ) );
+		// should still work with query strings
+		$_SERVER['QUERY_STRING'] = 'red=1&orange=2';
+		$this->assertSame( 'https://wordpress.com/wp-admin/index.php', $request->get_uri( true ) );
 		// test with a query string
 		$_SERVER['QUERY_STRING'] = 'red=1&orange=2';
 		$_SERVER['REQUEST_URI']  = 'https://wordpress.com/index.php?incorrect=bad';