Changeset 2375366

Timestamp:

09/04/2020 04:44:59 PM (5 years ago)

Author:

activecampaign

Message:

CSRF fix, invalid cookie attribute fix

Location:

activecampaign-subscription-forms/trunk

Files:

• README.md (modified) (1 diff)
• activecampaign.php (modified) (5 diffs)
• readme.txt (modified) (1 diff)
• site_tracking.js (modified) (1 diff)

activecampaign-subscription-forms/trunk/README.md

@@ -72 +72 @@
 ## Changelog
 
+### 8.0.2
+* Security fix to address CSRF vulnerability
+* General fix to address browser warning for invalid cookie attribute
+
 ### 8.0.1
 * removing php 7 feature usage

activecampaign-subscription-forms/trunk/activecampaign.php

@@ -5 +5 @@
 Description: Allows you to add ActiveCampaign contact forms to any post, page, or sidebar. Also allows you to embed <a href="http://www.activecampaign.com/help/site-event-tracking/" target="_blank">ActiveCampaign site tracking</a> code in your pages. To get started, please activate the plugin and add your <a href="http://www.activecampaign.com/help/using-the-api/" target="_blank">API credentials</a> in the <a href="options-general.php?page=activecampaign">plugin settings</a>.
 Author: ActiveCampaign
-Version: 8.0.1
+Version: 8.0.2
 Author URI: http://www.activecampaign.com
 */
@@ -49 +49 @@
 ## version 8.0.0: Update ActiveCampaign forms embed to be compatible with Gutenberg editor, Resolve account connection UI bug
 ## version 8.0.1: Removing php 7 feature usage
+## version: 8.0.2: Security fix to address CSRF vulnerability, general fix to address browser warning for invalid cookie attribute
 
 define("ACTIVECAMPAIGN_URL", "");
@@ -54 +55 @@
 require_once(dirname(__FILE__) . "/activecampaign-api-php/ActiveCampaign.class.php");
 require_once(dirname(__FILE__) . "/activecampaign-form-block/activecampaign-form-block.php");
+require_once( ABSPATH . 'wp-includes/pluggable.php' );
 
 /**
@@ -134 +136 @@
 
         if ($_POST["api_url"] && $_POST["api_key"]) {
+            //Nonce check for preventing CSRF
+            if (isset($_REQUEST["_wpnonce"])) {
+                $nonce = $_REQUEST["_wpnonce"];
+            } else {
+                $nonce = wp_create_nonce( "invalid_nonce" );
+            }
+            if ( ! wp_verify_nonce( $nonce, "activecampaign_save_settings" ) ) {
+                exit;
+            }
+
 
             $ac = new ActiveCampaignWordPress($_POST["api_url"], $_POST["api_key"]);
@@ -511 +523 @@
 
             <p><button type="submit" style="font-size: 16px; margin-top: 25px; padding: 10px;"><?php echo __($button_value, "menu-activecampaign"); ?></button></p>
-
-        </form>
+            <?php wp_nonce_field( 'activecampaign_save_settings' ); ?>
+
+        </form>
 
         <?php

activecampaign-subscription-forms/trunk/readme.txt

@@ -89 +89 @@
 == Changelog ==
 
+= 8.0.2 =
+* Security fix to address CSRF vulnerability
+* General fix to address browser warning for invalid cookie attribute
+
 = 8.0.1 =
 * removing php 7 feature usage

activecampaign-subscription-forms/trunk/site_tracking.js

@@ -13 +13 @@
     function acEnableTracking() {
         var expiration = new Date(new Date().getTime() + 1000 * 60 * 60 * 24 * 30);
-        document.cookie = "ac_enable_tracking=1; expires= " + expiration + "; path=/";
+        document.cookie = "ac_enable_tracking=1;samesite=none;secure; expires= " + expiration + "; path=/";
         pgo('process', 'allowTracking');
     }