Changeset 2684506

Timestamp:

02/24/2022 04:29:26 PM (4 years ago)

Author:

blackandwhitedigital

Message:

security Fix

Location:

book-press/trunk

Files:

• README.txt (modified) (3 diffs)
• book-press.php (modified) (1 diff)
• freemius/includes/class-freemius.php (modified) (4 diffs)
• freemius/includes/managers/class-fs-admin-notice-manager.php (modified) (1 diff)
• freemius/includes/sdk/Exceptions/ArgumentNotExistException.php (modified) (1 diff)
• freemius/includes/sdk/Exceptions/EmptyArgumentException.php (modified) (1 diff)
• freemius/includes/sdk/Exceptions/Exception.php (modified) (1 diff)
• freemius/includes/sdk/Exceptions/InvalidArgumentException.php (modified) (1 diff)
• freemius/includes/sdk/Exceptions/OAuthException.php (modified) (1 diff)
• freemius/includes/sdk/FreemiusBase.php (modified) (1 diff)
• freemius/includes/sdk/FreemiusWordPress.php (modified) (1 diff)
• freemius/require.php (modified) (1 diff)
• freemius/start.php (modified) (1 diff)
• freemius/templates/account/partials/addon.php (modified) (1 diff)
• freemius/templates/ajax-loader.php (modified) (1 diff)
• freemius/templates/debug.php (modified) (4 diffs)
• freemius/templates/firewall-issues-js.php (modified) (2 diffs)
• freemius/templates/partials/network-activation.php (modified) (1 diff)
• freemius/templates/sticky-admin-notice-js.php (modified) (1 diff)

book-press/trunk/README.txt

@@ -2 +2 @@
 Contributors: blackandwhitedigital, freemius
 Tags: Book, chapters, author, self-publish, ebook, novel, ePub, writer, books
-Requires at least: 4.4
-Tested up to: 5.8.1
-Stable tag: 1.2.2
+Requires at least: 5
+Tested up to: 5.9.1
+Stable tag: 1.2.3
 License: GPLv2
 Donate Link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=RSXSRDQ7HANFQ&source=wordpresspluginpage
@@ -110 +110 @@
 
 == Changelog ==
+
+= 1.2.3- 24 Feburary 2022=
+*Security Fix
+
 = 1.2.2 - 15 September 2021 =
 * Update Licencing SDK 2.4.2
@@ -196 +200 @@
 
 == Upgrade Notice ==
+= 1.2.3- 24 Feburary 2022=
+*Security Fix
+
 = 1.1.20 - 07 October 2020 =
  Fix Unwanted text on cover page

book-press/trunk/book-press.php

@@ -17 +17 @@
  * Plugin URI:        https://bookpress.net/
  * Description:       Tools for authors to write and display their books easily on WordPress.
- * Version:           1.2.2
+ * Version:           1.2.3
  * Author:            Black and White Digital Ltd
  * Author URI:        https://www.blackandwhitedigital.net/

book-press/trunk/freemius/includes/class-freemius.php

@@ -3551 +3551 @@
          */
         static function _toggle_debug_mode() {
+            check_admin_referer( 'fs_toggle_debug_mode' );
+
             if ( ! is_super_admin() ) {
                 return;
@@ -3572 +3574 @@
          */
         static function _get_debug_log() {
+            check_admin_referer( 'fs_get_debug_log' );
+
+            if ( ! is_super_admin() ) {
+                return;
+            }
+
+            $limit  = min( ! empty( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 200, 200 );
+            $offset = min( ! empty( $_POST['offset'] ) ? absint( $_POST['offset'] ) : 200, 200 );
+
             $logs = FS_Logger::load_db_logs(
                 fs_request_get( 'filters', false, 'post' ),
-                ! empty( $_POST['limit'] ) && is_numeric( $_POST['limit'] ) ? $_POST['limit'] : 200,
-                ! empty( $_POST['offset'] ) && is_numeric( $_POST['offset'] ) ? $_POST['offset'] : 0
+                $limit,
+                $offset
             );
 
@@ -4448 +4459 @@
          */
         function _email_about_firewall_issue() {
+            check_admin_referer( 'fs_resolve_firewall_issues' );
+
+            if ( ! current_user_can( is_multisite() ? 'manage_options' : 'activate_plugins' ) ) {
+                return;
+            }
+
             $this->_admin_notices->remove_sticky( 'failed_connect_api' );
 
@@ -4522 +4539 @@
          */
         function _retry_connectivity_test() {
+            check_admin_referer( 'fs_retry_connectivity_test' );
+
+            if ( ! current_user_can( is_multisite() ? 'manage_options' : 'activate_plugins' ) ) {
+                return;
+            }
+
             $this->_admin_notices->remove_sticky( 'failed_connect_api_first' );
 

book-press/trunk/freemius/includes/managers/class-fs-admin-notice-manager.php

@@ -176 +176 @@
          */
         function dismiss_notice_ajax_callback() {
-            $this->_sticky_storage->remove( $_POST['message_id'] );
+            check_admin_referer( 'fs_dismiss_notice_action' );
+
+            if ( ! is_numeric( $_POST['message_id'] ) ) {
+                $this->_sticky_storage->remove( $_POST['message_id'] );
+            }
+
             wp_die();
         }

book-press/trunk/freemius/includes/sdk/Exceptions/ArgumentNotExistException.php

@@ -1 +1 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
     if ( ! class_exists( 'Freemius_InvalidArgumentException' ) ) {
         exit;

book-press/trunk/freemius/includes/sdk/Exceptions/EmptyArgumentException.php

@@ -1 +1 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
     if ( ! class_exists( 'Freemius_InvalidArgumentException' ) ) {
         exit;

book-press/trunk/freemius/includes/sdk/Exceptions/Exception.php

@@ -1 +1 @@
 <?php
+        if ( ! defined( 'ABSPATH' ) ) {
+            exit;
+        }
+
     if ( ! class_exists( 'Freemius_Exception' ) ) {
         /**

book-press/trunk/freemius/includes/sdk/Exceptions/InvalidArgumentException.php

@@ -1 +1 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
     if ( ! class_exists( 'Freemius_Exception' ) ) {
         exit;

book-press/trunk/freemius/includes/sdk/Exceptions/OAuthException.php

@@ -1 +1 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
     if ( ! class_exists( 'Freemius_Exception' ) ) {
         exit;

book-press/trunk/freemius/includes/sdk/FreemiusBase.php

@@ -16 +16 @@
      */
 
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
     if ( ! defined( 'FS_API__VERSION' ) ) {
         define( 'FS_API__VERSION', '1' );

book-press/trunk/freemius/includes/sdk/FreemiusWordPress.php

@@ -15 +15 @@
      * under the License.
      */
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
 
     require_once dirname( __FILE__ ) . '/FreemiusBase.php';

book-press/trunk/freemius/require.php

@@ -6 +6 @@
      * @since       1.1.9
      */
+
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
 
     // Configuration should be loaded first.

book-press/trunk/freemius/start.php

@@ -16 +16 @@
      * @var string
      */
-    $this_sdk_version = '2.4.2';
+    $this_sdk_version = '2.4.3';
 
     #region SDK Selection Logic --------------------------------------------------------------------

book-press/trunk/freemius/templates/account/partials/addon.php

@@ -1 +1 @@
 <?php
+
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
     /**
      * @var array    $VARS

book-press/trunk/freemius/templates/ajax-loader.php

@@ +1 @@
+<?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+?>
 <div class="fs-ajax-loader" style="display: none"><?php for ( $i = 1; $i <= 8; $i ++ ) : ?><div class="fs-ajax-loader-bar fs-ajax-loader-bar-<?php echo $i ?>"></div><?php endfor ?></div>

book-press/trunk/freemius/templates/debug.php

@@ -38 +38 @@
                     $.post( ajaxurl, {
                         action: 'fs_toggle_debug_mode',
+                        // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                        _wpnonce   : <?php echo wp_json_encode( wp_create_nonce( 'fs_toggle_debug_mode' ) ); ?>,
                         is_on : ($(this).hasClass( 'fs-on' ) ? 1 : 0)
                     }, function ( response ) {
@@ -112 +114 @@
                 $.post(ajaxurl, {
                     action     : 'fs_get_db_option',
-                    _wpnonce   : '<?php echo wp_create_nonce( 'fs_get_db_option' ) ?>',
+                    // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                    _wpnonce   : <?php echo wp_json_encode( wp_create_nonce( 'fs_get_db_option' ) ); ?>,
                     option_name: optionName
                 }, function (response) {
@@ -132 +135 @@
                     $.post(ajaxurl, {
                         action      : 'fs_set_db_option',
-                        _wpnonce   : '<?php echo wp_create_nonce( 'fs_set_db_option' ) ?>',
+                        // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                        _wpnonce    : <?php echo wp_json_encode( wp_create_nonce( 'fs_set_db_option' ) ); ?>,
                         option_name : optionName,
                         option_value: optionValue
@@ -725 +729 @@
                 $.post(ajaxurl, {
                     action : 'fs_get_debug_log',
+                    // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                    _wpnonce : <?php echo wp_json_encode( wp_create_nonce( 'fs_get_debug_log' ) ); ?>,
                     filters: filters,
                     offset : offset,

book-press/trunk/freemius/templates/firewall-issues-js.php

@@ -23 +23 @@
                 ajaxActionSuffix = notice.attr( 'data-manager-id' ).replace( ':', '-' );
 
-            var data = {
-                action    : 'fs_resolve_firewall_issues_' + ajaxActionSuffix,
-                error_type: error_type
-            };
+            var data = {
+                action   : 'fs_resolve_firewall_issues_' + ajaxActionSuffix,
+                // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                _wpnonce : <?php echo wp_json_encode( wp_create_nonce( 'fs_resolve_firewall_issues' ) ); ?>,
+                error_type: error_type
+            };
 
             if ( 'squid' === error_type ) {
@@ -40 +42 @@
 
             if ( 'retry_ping' === error_type ) {
-                data.action = 'fs_retry_connectivity_test_' + ajaxActionSuffix;
+                data.action   = 'fs_retry_connectivity_test_' + ajaxActionSuffix;
+                // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                data._wpnonce = <?php echo wp_json_encode( wp_create_nonce( 'fs_retry_connectivity_test' ) ); ?>;
             }
 

book-press/trunk/freemius/templates/partials/network-activation.php

@@ -1 +1 @@
 <?php
+
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
     /**
      * @var array $VARS

book-press/trunk/freemius/templates/sticky-admin-notice-js.php

@@ -24 +24 @@
             notice.fadeOut( 'fast', function() {
                 var data = {
-                    action    : 'fs_dismiss_notice_action_' + ajaxActionSuffix,
+                    action   : 'fs_dismiss_notice_action_' + ajaxActionSuffix,
+                    // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                    _wpnonce : <?php echo wp_json_encode( wp_create_nonce( 'fs_dismiss_notice_action' ) ); ?>,
                     message_id: id
                 };