From 2ea4057079bd6a17f282523f80c18b13f1836f9b Mon Sep 17 00:00:00 2001
From: Miguel Xavier Penha Neto
Date: Wed, 10 Apr 2024 15:01:49 -0300
Subject: [PATCH] Improve REQUEST_URI handling (#36833)

* Improve REQUEST_URI handling
* changelog
---
 projects/packages/waf/changelog/fix-request-uri-handling | 4 ++++
 projects/packages/waf/src/class-waf-request.php | 4 +++-
 projects/packages/waf/tests/php/unit/test-waf-request.php | 7 +++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 projects/packages/waf/changelog/fix-request-uri-handling

diff --git a/projects/packages/waf/changelog/fix-request-uri-handling b/projects/packages/waf/changelog/fix-request-uri-handling
new file mode 100644
index 0000000000000..e74ad77f8cb55
--- /dev/null
+++ b/projects/packages/waf/changelog/fix-request-uri-handling
@@ -0,0 +1,4 @@
+Significance: patch
+Type: security
+
+Improves handling of REQUEST_URI
diff --git a/projects/packages/waf/src/class-waf-request.php b/projects/packages/waf/src/class-waf-request.php
index 42378173f1c79..773766f49d6d6 100644
--- a/projects/packages/waf/src/class-waf-request.php
+++ b/projects/packages/waf/src/class-waf-request.php
@@ -208,7 +208,9 @@ protected function get_url() {
 $uri = isset( $_SERVER['REQUEST_URI'] ) ? filter_var( wp_unslash( $_SERVER['REQUEST_URI'] ), FILTER_DEFAULT ) : '/';
 if ( false !== strpos( $uri, '?' ) ) {
 // remove the query string (we'll pull it from elsewhere later)
- $uri = substr( $uri, 0, strpos( $uri, '?' ) );
+ $uri = urldecode( substr( $uri, 0, strpos( $uri, '?' ) ) );
+ } else {
+ $uri = urldecode( $uri );
 }
 $query_string = isset( $_SERVER['QUERY_STRING'] ) ? '?' . filter_var( wp_unslash( $_SERVER['QUERY_STRING'] ), FILTER_DEFAULT ) : '';
 if ( 1 === preg_match( '/^https?:\/\//', $uri ) ) {
diff --git a/projects/packages/waf/tests/php/unit/test-waf-request.php b/projects/packages/waf/tests/php/unit/test-waf-request.php
index 8b89d851d9102..523ab75420c0a 100644
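Review bot: `urldecode()` on the two added lines also turns `+` into a space, so a request for `/foo+bar` is inspected by the WAF as `/foo bar` while the application still sees `/foo+bar`; for a path component the right primitive is `rawurldecode()`, which decodes only `%XX` sequences, and decoding once after the `if` removes the duplicated else branch: keep the old `$uri = substr( $uri, 0, strpos( $uri, '?' ) );`, drop the `} else {` block, and add `$uri = rawurldecode( $uri );` after the closing `}`. A second, ordering, problem is that the query string is split off on the raw `?` and only then is the path decoded, so an encoded `%3F`, `%23` or `%00` survives the split and reappears as a literal `?`, `#` or NUL in the path that is concatenated with `$query_string` on the following line, and anything downstream that re-splits on `?` then sees a different query than the application does; rejecting or re-encoding those bytes after decoding would close that gap. Decoding is single-pass, so a double-encoded `%2561dmin` still reaches the rules as `%61dmin`; whether the rule engine applies its own URL-decode transformation (and would now double-decode after this change) is not visible here and is worth confirming before shipping. get_url() continues past the end of the hunk.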
--- a/projects/packages/waf/tests/php/unit/test-waf-request.php
+++ b/projects/packages/waf/tests/php/unit/test-waf-request.php
@@ -188,6 +188,13 @@ public function testGetUri() {
 $_SERVER['HTTP_HOST'] = 'wordpress.com';
 $request = new Waf_Request();
 $this->assertSame( 'https://wordpress.com/index.php', $request->get_uri( true ) );
+ // test with encoded characters in REQUEST_URI
+ $_SERVER['REQUEST_URI'] = 'https://wordpress.com/wp-%61dmin/index.php';
+ $request = new Waf_Request();
+ $this->assertSame( 'https://wordpress.com/wp-admin/index.php', $request->get_uri( true ) );
+ // should still work with query strings
+ $_SERVER['QUERY_STRING'] = 'red=1&orange=2';
+ $this->assertSame( 'https://wordpress.com/wp-admin/index.php', $request->get_uri( true ) );
 // test with a query string
 $_SERVER['QUERY_STRING'] = 'red=1&orange=2';
 $_SERVER['REQUEST_URI'] = 'https://wordpress.com/index.php?incorrect=bad';
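Review bot: The second added assertion (under "should still work with query strings") reuses the `$request` that was constructed before `$_SERVER['QUERY_STRING']` was set, so unless `get_uri()` re-reads `$_SERVER` on every call (not visible here) it only re-checks the already computed value and never exercises the query-string branch of the new decoding code; construct a fresh instance as the surrounding cases do, `$request = new Waf_Request();` immediately before that `assertSame`. It would also be worth one case that pins how the path treats `+` and `%2B`, for example `$_SERVER['REQUEST_URI'] = 'https://wordpress.com/wp-admin/a+b%2Bc.php';`, because `urldecode()` and `rawurldecode()` differ exactly there and the expected value would document which behaviour the WAF intends. testGetUri() continues past the end of the hunk.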