Changeset 1648105

Timestamp:

04/29/2017 04:45:32 PM (9 years ago)

Author:

DWUser.com

Message:

Commit update to version 1.0.14 - security update

Location:

easyrotator-for-wordpress

Files:

• tags/1.0.2/engine/main.php (modified) (3 diffs)
• trunk/easyrotator.php (modified) (2 diffs)
• trunk/readme.txt (modified) (2 diffs)

easyrotator-for-wordpress/tags/1.0.2/engine/main.php

@@ -2 +2 @@
 
 /*
-Copyright 2011-2012 DWUser.com.
+Copyright 2011-2017 DWUser.com.
 Email contact: support {at] dwuser.com
 
@@ -64 +64 @@
         if (@$_GET['action'] == 'renderFrame')
         {
+            if (!preg_match('|engine/main\.php$|i', $_SERVER['PHP_SELF']))
+                die('Invalid request.');
+                
             $path = @$_GET['path'];
             ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@@ -1170 +1173 @@
     public function renderRotator($fullPath)
     {
+        // Initial input validation
+        if (!preg_match('|^[A-Za-z0-9/_]+$|', $fullPath))
+        {
+            return ('<div style="background:#000; padding: 10px; color: #FFF;">Invalid rotator ID specified.  Unable to display rotator.</div>');
+        }
+    
         $path = $this->getContentDir() . $fullPath;
         $path = preg_replace('|/$|', '', $path); // remove any trailing slash

easyrotator-for-wordpress/trunk/easyrotator.php

@@ -4 +4 @@
 Plugin URI: http://www.dwuser.com/easyrotator/wordpress/
 Description: Add professional, customizable photo sliders to your site in seconds.  Powered by the EasyRotator application from DWUser.com.
-Version: 1.0.13
+Version: 1.0.14
 Author: DWUser.com
 Author URI: http://www.dwuser.com/
@@ -12 +12 @@
 
 /*
-Copyright 2011-2015 DWUser.com.
+Copyright 2011-2017 DWUser.com.
 Email contact: support {at] dwuser.com
 

easyrotator-for-wordpress/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 2.8
 Tested up to: 4.7.1
-Stable tag: 1.0.13
+Stable tag: 1.0.14
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -166 +166 @@
 
 == Changelog ==
+= 1.0.14 =
+* Security Update: Important update to ensure malicious plugins cannot compromise security when using the WordPress admin with EasyRotator installed.
+
 = 1.0.13 =
 * Compatibility Enhancement: Update widget constructor for WordPress 4.3