Changeset 1901352

Timestamp:

06/29/2018 04:31:49 PM (7 years ago)

Author:

mindnl

Message:

security overhaul completed

Location:

ad-buttons/trunk

Files:

• adbuttonsact.php (modified) (4 diffs)
• adbuttonsadmin.php (modified) (5 diffs)
• adbuttonsstats.php (modified) (2 diffs)
• adbuttonsstatsimg.php (modified) (3 diffs)
• readme.txt (modified) (2 diffs)

ad-buttons/trunk/adbuttonsact.php

@@ -25 +25 @@
         $ad_button = intval( $_GET['adbut'] );
         //check if the nonce is valid
+        //if ( ! isset( $_GET['_abnonce'] ) || ! wp_verify_nonce( $_GET['_abnonce'], 'edit' )) {
+        if ( ! isset( $_GET['_abnonce'] )) {
+            print 'Sorry, your nonce did not verify.';
+            exit;
+        } else {
+           // process form data
         
-        if($ad_button_action == 'deactivate') {
-            $ol_flash = "Ad Button $ad_button has been deactivated.";
-            $wpdb->query($wpdb->prepare("UPDATE {$wpdb->prefix}ad_buttons 
-                             SET ad_active = 0 
-                           WHERE id = %d",$ad_button));
-        } elseif($ad_button_action == 'activate') {
-            $ol_flash = "Ad Button $ad_button has been activated.";
-            $wpdb->query($wpdb->prepare("UPDATE {$wpdb->prefix}ad_buttons 
-                             SET ad_active = 1 
-                           WHERE id = %d",$ad_button));
-        } elseif($ad_button_action == 'delete') {
-            $ol_flash = "Ad Button $ad_button has been deleted.";
-            $wpdb->query($wpdb->prepare("UPDATE {$wpdb->prefix}ad_buttons 
-                             SET ad_active = 2 
-                           WHERE id = %d",$ad_button)); 
-        } elseif($ad_button_action == 'edit') {
-            $ab_formfunc= 'edit';
-            $this_ad = $wpdb->get_row($wpdb->prepare("SELECT * 
-                                         FROM {$wpdb->prefix}ad_buttons 
-                                        WHERE id = %d",$ad_button));
-            $ab_img     = $this_ad->ad_picture;
-            $ab_link    = $this_ad->ad_link;
-            $ab_txt     = $this_ad->ad_text;
-            $ab_views   = $this_ad->ad_views;
-            $ab_clicks  = $this_ad->ad_clicks;
-            $ab_pos     = $this_ad->ad_pos;
-            $ab_adbut   = $this_ad->id;
+            if($ad_button_action == 'deactivate' && wp_verify_nonce( $_GET['_abnonce'], 'deactivate' )) {
+                $ol_flash = "Ad Button $ad_button has been deactivated.";
+                $wpdb->query($wpdb->prepare("UPDATE {$wpdb->prefix}ad_buttons 
+                                 SET ad_active = 0 
+                               WHERE id = %d",$ad_button));
+            } elseif($ad_button_action == 'activate' && wp_verify_nonce( $_GET['_abnonce'], 'activate' )) {
+                $ol_flash = "Ad Button $ad_button has been activated.";
+                $wpdb->query($wpdb->prepare("UPDATE {$wpdb->prefix}ad_buttons 
+                                 SET ad_active = 1 
+                               WHERE id = %d",$ad_button));
+            } elseif($ad_button_action == 'delete' && wp_verify_nonce( $_GET['_abnonce'], 'delete' )) {
+                $ol_flash = "Ad Button $ad_button has been deleted.";
+                $wpdb->query($wpdb->prepare("UPDATE {$wpdb->prefix}ad_buttons 
+                                 SET ad_active = 2 
+                               WHERE id = %d",$ad_button)); 
+            } elseif($ad_button_action == 'edit' && wp_verify_nonce( $_GET['_abnonce'], 'edit' )) {
+                $ab_formfunc= 'edit';
+                $this_ad = $wpdb->get_row($wpdb->prepare("SELECT * 
+                                             FROM {$wpdb->prefix}ad_buttons 
+                                            WHERE id = %d",$ad_button));
+                $ab_img     = $this_ad->ad_picture;
+                $ab_link    = $this_ad->ad_link;
+                $ab_txt     = $this_ad->ad_text;
+                $ab_views   = $this_ad->ad_views;
+                $ab_clicks  = $this_ad->ad_clicks;
+                $ab_pos     = $this_ad->ad_pos;
+                $ab_adbut   = $this_ad->id;
+            }
         }
     }
@@ -61 +68 @@
 // check if the form has been submitted and validate input
 if( $_SERVER['REQUEST_METHOD'] == 'POST' ){
-    if ( ! isset( $_POST['updnonce'] ) || ! wp_verify_nonce( $_POST['updnonce'], 'update-ad' )) {
+    if ( ! isset( $_POST['_abupd'] ) || ! wp_verify_nonce( $_POST['_abupd'], 'update-ad' )) {
         print 'Sorry, your nonce did not verify.';
         exit;
@@ -151 +158 @@
 
 <p><form method="post" name="ab_form">
-<?php wp_nonce_field('update-ad', 'updnonce'); 
+<?php wp_nonce_field('update-ad', '_abupd'); 
 $widget_adbuttons_cfg = get_option('widget_adbuttons_cfg');
 ?>
@@ -218 +225 @@
         $ad_ctr = 0;
     }
-/*
-    // Sample URL, note the & in there
-    $url = 'http://localhost/?arg1=value1&arg2=value2';
-     
-    // This will show http://localhost/?arg1=value1&amp;amp;arg2=value2&amp;amp;_wpnonce=abcdef
-    echo wp_nonce_url( $url, 'action' );
-     
-    // This will return http://localhost/?arg1=value1&arg2=value2&_wpnonce=abcdef
-    echo add_query_arg( '_wpnonce', wp_create_nonce( 'action' ), $url );
-    
-esc_url( add_query_arg( '_abnonce', wp_create_nonce( 'action' ), $url ) )
-
-*/
+
     echo  '
         <tr class="active">

ad-buttons/trunk/adbuttonsadmin.php

@@ -35 +35 @@
 $ol_flash = '';
 
-if ($_SERVER['REQUEST_METHOD'] == 'POST') {
-    if (is_numeric ($_POST['ab_dspcnt'])) {
-        $widget_adbuttons_cfg['ab_title'] = sanitize_text_field($_POST['ab_title']);
-        $widget_adbuttons_cfg['ab_dspcnt'] = (int)$_POST['ab_dspcnt'];
-        $widget_adbuttons_cfg['ab_target'] = sanitize_text_field($_POST['ab_target']);
-        $widget_adbuttons_cfg['ab_adsense'] = (bool)$_POST['ab_adsense'];
-        $widget_adbuttons_cfg['ab_adsense_fixed'] = 1;
-        $widget_adbuttons_cfg['ab_adsense_pos'] = (int)$_POST['ab_adsense_pos'];
-        if($widget_adbuttons_cfg['ab_adsense_pos'] > $widget_adbuttons_cfg['ab_dspcnt']){
-            $widget_adbuttons_cfg['ab_adsense_pos'] = $widget_adbuttons_cfg['ab_dspcnt'];
+// check if the form has been submitted and validate input
+if( $_SERVER['REQUEST_METHOD'] == 'POST' ){
+    if ( ! isset( $_POST['_abupd'] ) || ! wp_verify_nonce( $_POST['_abupd'], 'update-settings' )) {
+        print 'Sorry, your nonce did not verify.';
+        exit;
+    } else {
+       // process form data
+        if (is_numeric ($_POST['ab_dspcnt'])) {
+            $widget_adbuttons_cfg['ab_title'] = sanitize_text_field($_POST['ab_title']);
+            $widget_adbuttons_cfg['ab_dspcnt'] = (int)$_POST['ab_dspcnt'];
+            $widget_adbuttons_cfg['ab_target'] = sanitize_text_field($_POST['ab_target']);
+            $widget_adbuttons_cfg['ab_adsense'] = (bool)$_POST['ab_adsense'];
+            $widget_adbuttons_cfg['ab_adsense_fixed'] = 1;
+            $widget_adbuttons_cfg['ab_adsense_pos'] = (int)$_POST['ab_adsense_pos'];
+            if($widget_adbuttons_cfg['ab_adsense_pos'] > $widget_adbuttons_cfg['ab_dspcnt']){
+                $widget_adbuttons_cfg['ab_adsense_pos'] = $widget_adbuttons_cfg['ab_dspcnt'];
+            }
+            $widget_adbuttons_cfg['ab_adsense_pubid'] = sanitize_text_field($_POST['ab_adsense_pubid']);
+            $widget_adbuttons_cfg['ab_adsense_channel'] = (int)$_POST['ab_adsense_channel'];
+            if (preg_match('/rc:\d{1,2}/', $_POST['ab_adsense_corners']) == 1) $widget_adbuttons_cfg['ab_adsense_corners'] = $_POST['ab_adsense_corners'];
+            $widget_adbuttons_cfg['ab_adsense_col_border'] = (int)hexdec(trim($_POST['ab_adsense_col_border'], "#"));
+            $widget_adbuttons_cfg['ab_adsense_col_title'] = (int)hexdec(trim($_POST['ab_adsense_col_title'], "#"));
+            $widget_adbuttons_cfg['ab_adsense_col_bg'] = (int)hexdec(trim($_POST['ab_adsense_col_bg'], "#"));
+            $widget_adbuttons_cfg['ab_adsense_col_txt'] = (int)hexdec(trim($_POST['ab_adsense_col_txt'], "#"));
+            $widget_adbuttons_cfg['ab_adsense_col_url'] = (int)hexdec(trim($_POST['ab_adsense_col_url'], "#"));
+            $widget_adbuttons_cfg['ab_nocss'] = (bool)$_POST['ab_nocss'];
+            $widget_adbuttons_cfg['ab_width'] = (int)$_POST['ab_width'];
+            $widget_adbuttons_cfg['ab_padding'] = (int)$_POST['ab_padding'];
+            $widget_adbuttons_cfg['ab_nofollow'] = (bool)$_POST['ab_nofollow'];
+            $widget_adbuttons_cfg['ab_powered'] = (bool)$_POST['ab_powered'];
+            $widget_adbuttons_cfg['ab_yah'] = (bool)$_POST['ab_yah'];
+            $widget_adbuttons_cfg['ab_yourad'] = (bool)$_POST['ab_yourad'];
+            $widget_adbuttons_cfg['ab_yaht'] = $_POST['ab_yaht'];
+            $widget_adbuttons_cfg['ab_yahurl'] = $_POST['ab_yahurl'];   
+            $widget_adbuttons_cfg['ab_fix'] = (bool)$_POST['ab_fix'];
+            $widget_adbuttons_cfg['ab_count'] = (int)$_POST['ab_count'];                    
+            update_option('widget_adbuttons_cfg',$widget_adbuttons_cfg);
+            $ol_flash = "Your settings have been saved.";
+        } else {
+            $ab_num_err = 1;
         }
-        $widget_adbuttons_cfg['ab_adsense_pubid'] = sanitize_text_field($_POST['ab_adsense_pubid']);
-        $widget_adbuttons_cfg['ab_adsense_channel'] = (int)$_POST['ab_adsense_channel'];
-        if (preg_match('/rc:\d{1,2}/', $_POST['ab_adsense_corners']) == 1) $widget_adbuttons_cfg['ab_adsense_corners'] = $_POST['ab_adsense_corners'];
-        $widget_adbuttons_cfg['ab_adsense_col_border'] = (int)hexdec(trim($_POST['ab_adsense_col_border'], "#"));
-        $widget_adbuttons_cfg['ab_adsense_col_title'] = (int)hexdec(trim($_POST['ab_adsense_col_title'], "#"));
-        $widget_adbuttons_cfg['ab_adsense_col_bg'] = (int)hexdec(trim($_POST['ab_adsense_col_bg'], "#"));
-        $widget_adbuttons_cfg['ab_adsense_col_txt'] = (int)hexdec(trim($_POST['ab_adsense_col_txt'], "#"));
-        $widget_adbuttons_cfg['ab_adsense_col_url'] = (int)hexdec(trim($_POST['ab_adsense_col_url'], "#"));
-        $widget_adbuttons_cfg['ab_nocss'] = (bool)$_POST['ab_nocss'];
-        $widget_adbuttons_cfg['ab_width'] = (int)$_POST['ab_width'];
-        $widget_adbuttons_cfg['ab_padding'] = (int)$_POST['ab_padding'];
-        $widget_adbuttons_cfg['ab_nofollow'] = (bool)$_POST['ab_nofollow'];
-        $widget_adbuttons_cfg['ab_powered'] = (bool)$_POST['ab_powered'];
-        $widget_adbuttons_cfg['ab_yah'] = (bool)$_POST['ab_yah'];
-        $widget_adbuttons_cfg['ab_yourad'] = (bool)$_POST['ab_yourad'];
-        $widget_adbuttons_cfg['ab_yaht'] = $_POST['ab_yaht'];
-        $widget_adbuttons_cfg['ab_yahurl'] = $_POST['ab_yahurl'];   
-        $widget_adbuttons_cfg['ab_fix'] = (bool)$_POST['ab_fix'];
-        $widget_adbuttons_cfg['ab_count'] = (int)$_POST['ab_count'];                    
-        update_option('widget_adbuttons_cfg',$widget_adbuttons_cfg);
-        $ol_flash = "Your settings have been saved.";
-    } else {
-        $ab_num_err = 1;
     }
 }
@@ -77 +84 @@
 <h2>Ad Buttons Settings </h2>
 
-
-<?php wp_nonce_field('update-options'); 
+<?php
 $widget_adbuttons_cfg = get_option('widget_adbuttons_cfg');
 $ab_plugindir = get_option('siteurl').'/'.PLUGINDIR.'/'.dirname(plugin_basename(__FILE__));
@@ -841 +847 @@
 
 <form method="post">
+<?php wp_nonce_field( 'update-settings', '_abupd' ); ?>
 <table class="form-table">
 <tr>
@@ -1138 +1145 @@
     $count = $count + 1;
 }
+
 if($widget_adbuttons_cfg['ab_adsense']){
     if($widget_adbuttons_cfg['ab_adsense_pos']==$count){
@@ -1160 +1168 @@
     }
 }
-
     ?>
     <div id="ab_clear"></div>

ad-buttons/trunk/adbuttonsstats.php

@@ -5 +5 @@
 $ab_plugindir = get_option('siteurl').'/'.PLUGINDIR.'/'.dirname(plugin_basename(__FILE__));
 
-$graphdate = intval($_GET['month']);
-$cleanup   = intval($_GET['cln']);
+if(isset($_GET['month'])){
+    $graphdate = intval($_GET['month']);
+} else {
+    $graphdate = date('Ym');
+}
 
-if(!$graphdate){
-    $graphdate = date('Ym');
+if(isset($_GET['cln'])){
+    $cleanup   = intval($_GET['cln']);
+} else {
+    $cleanup   = 0;
 }
 
@@ -52 +57 @@
 <?php
 if ($cleanup === 1) {
+    
     echo "cleaning up stats database...</br>";
     // CLEANUP PROCEDURE

ad-buttons/trunk/adbuttonsstatsimg.php

@@ -5 +5 @@
 $ab_plugindir = get_option('siteurl').'/'.PLUGINDIR.'/'.dirname(plugin_basename(__FILE__));
 
-$graphdate = intval($_GET['graphdate']);
+if(isset($_GET['graphdate'])){
+    $graphdate = intval($_GET['graphdate']);
+} else {
+    $graphdate = date('Ym');
+}
 $graphyear = substr($graphdate, 0, 4);
 $graphmonth = substr($graphdate, 4, 2);
 $checkdate = "$graphyear-$graphmonth-";
 $stringmonth = date("F", mktime(0, 0, 0, ($graphmonth), 1));
-
 
 function monthdays($someMonth, $someYear){
@@ -43 +46 @@
 
 $days = monthdays($graphmonth,$graphyear);
+
+// initialize max variables
+$max_view = 0;
+$max_clicks = 0;
 
 foreach($view_counter as $view){                
@@ -240 +247 @@
         $click_scale = 200 / $max_clicks;
         $r_y = 240 - ($click_scale * $stat_values[$statdays[$count]]['clicks']);
-        $r_y2 = 240 - ($click_scale * $stat_values[$statdays[$count + 1]]['clicks']);
         if ($count<$days){
+            $r_y2 = 240 - ($click_scale * $stat_values[$statdays[$count + 1]]['clicks']);
             // make a new line and add it to the image
             imageline($im, $r_x, $r_y, $r_x + 20, $r_y2, $darkgrey);

ad-buttons/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 2.8.0
 Tested up to: 4.9
-Stable tag: 2.3.2
+Stable tag: 3.0
 
 The Ad Buttons plugin displays a number of graphical ads in a sidebar widget.
@@ -36 +36 @@
 
 = 3.0 =
-* 27-06-2018
+* 29-06-2018
 * complete overhaul to make the plugin more secure