Changeset 2900225
- Timestamp:
- 04/17/2023 02:14:33 PM (3 years ago)
- Location:
- http-headers/trunk
- Files:
-
- 9 edited
-
README.txt (modified) (2 diffs)
-
http-headers.php (modified) (3 diffs)
-
languages/http-headers-bg_BG.mo (modified) (previous)
-
languages/http-headers-bg_BG.po (modified) (1 diff)
-
languages/http-headers.pot (modified) (1 diff)
-
views/advanced.php (modified) (5 diffs)
-
views/includes/breadcrumbs.inc.php (modified) (1 diff)
-
views/includes/csp-src.inc.php (modified) (1 diff)
-
views/includes/csp-text.inc.php (modified) (1 diff)
http-headers/trunk/README.txt
r2853329 r2900225 4 4 Tags: custom headers, http headers, headers, security, http header, header, cross domain, cors, xss, clickjacking, mitm, cross origin, cross site, privacy, p3p, hsts, referrer, csp, caching, compression, access control, authentication 5 5 Requires at least: 3.2 6 Tested up to: 6. 1.16 Tested up to: 6.2 7 7 Requires PHP: 5.3 8 Stable tag: 1.18. 78 Stable tag: 1.18.8 9 9 License: GPLv2 or later 10 10 License URI: https://www.gnu.org/licenses/gpl-2.0.html … … 87 87 == Changelog == 88 88 89 = 1.18.8 = 90 *Release Date - 17th April, 2023* 91 92 * Fixed: SQL Injection by an Admin user 93 * Fixed: Remote Code Execution by an Admin user 94 * Few PHP 8.x compatible fixes 95 89 96 = 1.18.7 = 90 97 *Release Date - 24th January, 2023* -
http-headers/trunk/http-headers.php
r2853329 r2900225 4 4 Plugin URI: https://github.com/riverside/http-headers 5 5 Description: A plugin for HTTP headers management including security, access-control (CORS), caching, compression, and authentication. 6 Version: 1.18. 76 Version: 1.18.8 7 7 Author: Dimitar Ivanov 8 8 Author URI: https://github.com/riverside … … 1514 1514 function http_headers_post_import() { 1515 1515 check_admin_referer('import'); 1516 if (!is_super_admin()) { 1517 wp_redirect(sprintf("%soptions-general.php?page=http-headers&tab=advanced&status=ERR&code=102", get_admin_url())); 1518 exit; 1519 } 1516 1520 global $wpdb; 1517 1521 if (!(isset($_FILES['file']['tmp_name']) … … 1541 1545 function http_headers_post_export() { 1542 1546 check_admin_referer('export'); 1547 if (!is_super_admin()) { 1548 wp_redirect(sprintf("%soptions-general.php?page=http-headers&tab=advanced&status=ERR&code=102", get_admin_url())); 1549 exit; 1550 } 1543 1551 global $wpdb; 1544 1552 $options = include dirname(__FILE__) . '/views/includes/options.inc.php'; -
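Review bot: The `is_super_admin()` gates added to http_headers_post_import() and http_headers_post_export() narrow access only on multisite; on a single-site install WordPress's `is_super_admin()` returns true for any user holding the `delete_users` capability, which is every administrator, so the "by an Admin user" issues named in the changelog remain reachable there unless the handling further down is itself fixed. Both function bodies continue outside the hunk, so whether the uploaded import file is validated before it reaches `$wpdb` cannot be judged from these lines. The redirect could also use `wp_safe_redirect()` rather than `wp_redirect()`, and the URL-building line duplicated in both handlers could become a small shared helper.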
http-headers/trunk/languages/http-headers-bg_BG.po
r2523948 r2900225 175 175 msgstr "Избери файл..." 176 176 177 #: views/advanced.php:208 178 msgid "Import / Export" 179 msgstr "Импорт / Експорт" 180 181 #: views/advanced.php:209 182 msgid "Only Super Admin users have access to this functionality." 183 msgstr "Само потребители с роля 'Супер Администратор' имат достъп до тази функционалност." 184 177 185 #: views/access-control-allow-credentials.php:3 178 186 msgid "The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the credentials flag is true." -
http-headers/trunk/languages/http-headers.pot
r2523948 r2900225 177 177 msgstr "" 178 178 179 #: views/advanced.php:208 180 msgid "Import / Export" 181 msgstr "" 182 183 #: views/advanced.php:209 184 msgid "Only Super Admin users have access to this functionality." 185 msgstr "" 186 179 187 #: views/access-control-allow-credentials.php:3 180 188 msgid "The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the credentials flag is true." -
http-headers/trunk/views/advanced.php
r2524185 r2900225 3 3 exit; 4 4 } 5 if (isset($_GET['status'], $_GET['code']) && $_GET['status'] == 'ERR') { 6 switch ($_GET['code']) { 7 case 100: 8 ?> 9 <div class="notice notice-error"> 10 <h2><?php _e('Error!', 'http-headers'); ?></h2> 11 <p><?php _e('Invalid file upload.', 'http-headers'); ?></p> 12 </div> 13 <?php 14 break; 15 case 101: 16 ?> 17 <div class="notice notice-error"> 18 <h2><?php _e('Error!', 'http-headers'); ?></h2> 19 <p><?php _e('An error was encountered while attempting to read the uploaded file.', 'http-headers'); ?></p> 20 </div> 21 <?php 22 break; 23 case 102: 24 ?> 25 <div class="notice notice-error"> 26 <h2><?php _e('Error!', 'http-headers'); ?></h2> 27 <p><?php _e('Only Super Admin users have access to this functionality.', 'http-headers'); ?></p> 28 </div> 29 <?php 30 break; 31 } 32 } 5 33 include dirname(__FILE__) . '/includes/config.inc.php'; 6 34 include dirname(__FILE__) . '/includes/breadcrumbs.inc.php'; … … 9 37 <?php settings_fields( 'http-headers-mtd' ); ?> 10 38 <?php do_settings_sections( 'http-headers-mtd' ); ?> 11 <div style=" overflow: hidden">12 <div style=" float: left; width: 49%">39 <div style="display: flex; justify-content: space-between; gap: 20px"> 40 <div style="width: 50%"> 13 41 <table class="hh-index-table"> 14 42 <thead> … … 38 66 </table> 39 67 </div> 40 <section class="hh-panel" style=" float: right; width: 49%; box-sizing: border-box; margin: 0">68 <section class="hh-panel" style="width: 50%; box-sizing: border-box; margin: 0"> 41 69 <table style="width: 100%"> 42 70 <thead> … … 48 76 <tr> 49 77 <td>Location of <code>.htaccess</code></td> 50 <td><input type="text" name="hh_htaccess_path" placeholder="<?php echo get_home_path(); ?>.htaccess" style="width: 100%" value="<?php echo get_option('hh_htaccess_path'); ?>"></td> 78 <td><?php 79 if (is_super_admin()) { 80 ?><input type="text" name="hh_htaccess_path" placeholder="<?php echo get_home_path(); ?>.htaccess" style="width: 100%" value="<?php echo 
get_option('hh_htaccess_path'); ?>"><?php 81 } else { 82 echo get_option('hh_htaccess_path'); 83 } 84 ?></td> 51 85 </tr> 52 86 <tr> 53 87 <td>Location of <code>.user.ini</code></td> 54 <td><input type="text" name="hh_user_ini_path" placeholder="<?php echo get_home_path(); ?>.user.ini" style="width: 100%" value="<?php echo get_option('hh_user_ini_path'); ?>"></td> 88 <td><?php 89 if (is_super_admin()) { 90 ?><input type="text" name="hh_user_ini_path" placeholder="<?php echo get_home_path(); ?>.user.ini" style="width: 100%" value="<?php echo get_option('hh_user_ini_path'); ?>"><?php 91 } else { 92 echo get_option('hh_user_ini_path'); 93 } 94 ?></td> 55 95 </tr> 56 96 <tr> 57 97 <td>Location of <code>.hh-htpasswd</code></td> 58 <td><input type="text" name="hh_htpasswd_path" placeholder="<?php echo get_home_path(); ?>.hh-htpasswd" style="width: 100%" value="<?php echo get_option('hh_htpasswd_path'); ?>"></td> 98 <td><?php 99 if (is_super_admin()) { 100 ?><input type="text" name="hh_htpasswd_path" placeholder="<?php echo get_home_path(); ?>.hh-htpasswd" style="width: 100%" value="<?php echo get_option('hh_htpasswd_path'); ?>"><?php 101 } else { 102 echo get_option('hh_htpasswd_path'); 103 } 104 ?></td> 59 105 </tr> 60 106 <tr> 61 107 <td>Location of <code>.hh-htdigest</code></td> 62 <td><input type="text" name="hh_htdigest_path" placeholder="<?php echo get_home_path(); ?>.hh-htdigest" style="width: 100%" value="<?php echo get_option('hh_htdigest_path'); ?>"></td> 63 </tr> 64 <tr> 65 <td></td> 66 <td><?php submit_button(null, 'primary', null, false); ?></td> 67 </tr> 108 <td><?php 109 if (is_super_admin()) { 110 ?><input type="text" name="hh_htdigest_path" placeholder="<?php echo get_home_path(); ?>.hh-htdigest" style="width: 100%" value="<?php echo get_option('hh_htdigest_path'); ?>"><?php 111 } else { 112 echo get_option('hh_htdigest_path'); 113 } 114 ?></td> 115 </tr> 116 <?php 117 if (is_super_admin()) { 118 ?> 119 <tr> 120 <td></td> 121 <td><?php 
submit_button(null, 'primary', null, false); ?></td> 122 </tr> 123 <?php 124 } 125 ?> 68 126 </tbody> 69 127 </table> … … 100 158 </form> 101 159 102 <section class="hh-panel"> 103 <table class="form-table hh-table"> 104 <tbody> 105 <tr valign="top"> 106 <th scope="row"><?php _e('Export', 'http-headers'); ?> 107 <p class="description"><?php _e('Export the plugin current state of settings for later use if recovery needs.', 'http-headers'); ?></p> 108 </th> 109 <td> </td> 110 <td> 111 <fieldset> 112 <form method="post" action="<?php echo admin_url('admin-post.php'); ?>" target="_blank"> 113 <?php wp_nonce_field('export'); ?> 114 <input type="hidden" name="action" value="export"> 115 <button type="submit" class="button button-primary"><?php _e('Export settings', 'http-headers'); ?></button> 116 </form> 117 </fieldset> 118 </td> 119 </tr> 120 <tr valign="top"> 121 <th scope="row"><?php _e('Import', 'http-headers'); ?> 122 <p class="description"><?php _e('Import a previously saved state of settings.', 'http-headers'); ?></p> 123 </th> 124 <td> </td> 125 <td> 126 <fieldset> 127 <form method="post" action="<?php echo admin_url('admin-post.php'); ?>" enctype="multipart/form-data"> 128 <?php wp_nonce_field('import'); ?> 129 <input type="hidden" name="action" value="import"> 130 <input type="file" name="file" id="hh-import-file" class="hh-hidden"> 131 <div class="button-group"> 132 <button type="button" class="button hh-btn-import-choose"><?php _e('Choose file...', 'http-headers'); ?></button> 133 <button type="submit" class="button button-primary"><?php _e('Import settings', 'http-headers'); ?></button> 134 </div> 135 <p id="hh-import-name"></p> 136 </form> 137 </fieldset> 138 </td> 139 </tr> 140 </tbody> 141 </table> 142 </section> 160 <?php 161 if (is_super_admin()) { 162 ?> 163 <section class="hh-panel"> 164 <table class="form-table hh-table"> 165 <tbody> 166 <tr valign="top"> 167 <th scope="row"><?php _e('Export', 'http-headers'); ?> 168 <p class="description"><?php 
_e('Export the plugin current state of settings for later use if recovery needs.', 'http-headers'); ?></p> 169 </th> 170 <td> </td> 171 <td> 172 <fieldset> 173 <form method="post" action="<?php echo admin_url('admin-post.php'); ?>" target="_blank"> 174 <?php wp_nonce_field('export'); ?> 175 <input type="hidden" name="action" value="export"> 176 <button type="submit" class="button button-primary"><?php _e('Export settings', 'http-headers'); ?></button> 177 </form> 178 </fieldset> 179 </td> 180 </tr> 181 <tr valign="top"> 182 <th scope="row"><?php _e('Import', 'http-headers'); ?> 183 <p class="description"><?php _e('Import a previously saved state of settings.', 'http-headers'); ?></p> 184 </th> 185 <td> </td> 186 <td> 187 <fieldset> 188 <form method="post" action="<?php echo admin_url('admin-post.php'); ?>" enctype="multipart/form-data"> 189 <?php wp_nonce_field('import'); ?> 190 <input type="hidden" name="action" value="import"> 191 <input type="file" name="file" id="hh-import-file" class="hh-hidden"> 192 <div class="button-group"> 193 <button type="button" class="button hh-btn-import-choose"><?php _e('Choose file...', 'http-headers'); ?></button> 194 <button type="submit" class="button button-primary"><?php _e('Import settings', 'http-headers'); ?></button> 195 </div> 196 <p id="hh-import-name"></p> 197 </form> 198 </fieldset> 199 </td> 200 </tr> 201 </tbody> 202 </table> 203 </section> 204 <?php 205 } else { 206 ?> 207 <section class="hh-panel"> 208 <strong><?php _e('Import / Export', 'http-headers'); ?></strong> 209 <p><?php _e('Only Super Admin users have access to this functionality.', 'http-headers'); ?></p> 210 </section> 211 <?php 212 } 213 ?> -
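Review bot: The non-super-admin branches added to the path-settings table print option values straight into HTML (`echo get_option('hh_htaccess_path');` and the three siblings for `.user.ini`, `.hh-htpasswd` and `.hh-htdigest`); they should go through `esc_html()`, and the `value="..."` attributes in the super-admin branch through `esc_attr()`, since these options are stored strings rather than trusted markup. Omitting the inputs and the submit button for non-super-admins is presentation only: the `http-headers-mtd` settings group is still posted to options.php, so unless the setting registration (outside this changeset) enforces `is_super_admin()` in a sanitize callback, a plain administrator can still submit `hh_htaccess_path` directly; that cannot be confirmed from the lines shown here. The error-notice block at the top compares `$_GET['status'] == 'ERR'` loosely; `=== 'ERR'` makes the intent explicit on user-supplied input.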
http-headers/trunk/views/includes/breadcrumbs.inc.php
r1797246 r2900225 9 9 if (isset($_GET['category'])) 10 10 { 11 ?><li><?php echo @$categories[$_GET['category']]; ?></li><?php11 ?><li><?php echo isset($categories[$_GET['category']]) ? $categories[$_GET['category']] : 'Unknown'; ?></li><?php 12 12 } elseif (isset($_GET['header'])) { 13 ?><li><a href="<?php echo get_admin_url(); ?>options-general.php?page=http-headers&category=<?php echo htmlspecialchars($headers[$_GET['header']][2]); ?>"><?php echo @$categories[$headers[$_GET['header']][2]]; ?></a></li><?php 14 ?><li><?php echo @$headers[$_GET['header']][0]; ?></li><?php 13 if (isset($headers[$_GET['header']][2])) 14 { 15 ?><li><a href="<?php echo get_admin_url(); ?>options-general.php?page=http-headers&category=<?php echo htmlspecialchars($headers[$_GET['header']][2]); ?>"><?php echo isset($categories[$headers[$_GET['header']][2]]) ? $categories[$headers[$_GET['header']][2]] : 'Unknown'; ?></a></li><?php 16 ?><li><?php echo $headers[$_GET['header']][0]; ?></li><?php 17 } 15 18 } elseif (isset($_GET['tab']) && $_GET['tab'] == 'advanced') { 16 19 ?><li><?php _e('Advanced settings', 'http-headers'); ?></li><?php -
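Review bot: The `isset()` guards replace the `@` suppression but still pass `$_GET['category']` and `$_GET['header']` straight in as array keys; if either arrives as an array (`?category[]=x`) the lookup raises a TypeError ("Illegal offset type in isset or empty", a warning promoted to an exception in PHP 8.0), which defeats the PHP 8 compatibility this release aims at. A type check first, `if (isset($_GET['category']) && is_string($_GET['category']))`, keeps the page rendering with the `'Unknown'` fallback instead. The same applies to the `$_GET['header']` branch, and the `'Unknown'` literal is the only non-translated label in this block.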
http-headers/trunk/views/includes/csp-src.inc.php
r2064472 r2900225 82 82 size="40" 83 83 placeholder="<?php echo $host_sources[0]; ?>" 84 value="<?php echo esc_attr(@$csp_value[$item]['source']); ?>"<?php echo $content_security_policy == 1 ? NULL : ' readonly'; ?>84 value="<?php echo isset($csp_value[$item]['source']) ? esc_attr($csp_value[$item]['source']) : NULL; ?>"<?php echo $content_security_policy == 1 ? NULL : ' readonly'; ?>> 85 85 </p> -
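Review bot: In csp-src.inc.php and csp-text.inc.php the new ternaries (`isset($csp_value[$item]['source']) ? esc_attr($csp_value[$item]['source']) : NULL`) echo `NULL` for the missing case, which prints an empty string but reads as if a value were intended; `''` says what is meant. A `??` fallback inside `esc_attr()` would be shorter, but the `Requires PHP: 5.3` line in README.txt rules it out unless the minimum is raised. `$content_security_policy == 1` on the same line is a loose comparison carried over from before; `=== 1`, or casting at the point the option is read, would make it explicit.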
http-headers/trunk/views/includes/csp-text.inc.php
r2064472 r2900225 1 1 <input type="text" name="hh_content_security_policy_value[<?php echo $item; ?>]" class="http-header-value" size="40" 2 value="<?php echo esc_attr(@$csp_value[$item]); ?>"<?php echo $content_security_policy == 1 ? NULL : ' readonly'; ?>>2 value="<?php echo isset($csp_value[$item]) ? esc_attr($csp_value[$item]) : NULL; ?>"<?php echo $content_security_policy == 1 ? NULL : ' readonly'; ?>> 3 3 <?php 4 4 if ($item == 'plugin-types')