Changeset 2999478

Timestamp:

11/21/2023 10:28:12 AM (16 months ago)

Author:

jorisvanmontfort

Message:

1.2.4

Location:

jvm-rich-text-icons/trunk

Files:

• plugin.php (modified) (3 diffs)
• readme.txt (modified) (1 diff)
• src/settings.php (modified) (2 diffs)

jvm-rich-text-icons/trunk/plugin.php

@@ -3 +3 @@
  * Plugin Name: JVM rich text icons
  * Description: Add Font Awesome icons, or icons from a custom icon set to the Gutenberg editor.
- * Version: 1.2.3
+ * Version: 1.2.4
  * Author: Joris van Montfort
  * Author URI: https://jorisvm.nl
@@ -11 +11 @@
  * @category Gutenberg
  * @author Joris van Montfort
- * @version 1.2.3
+ * @version 1.2.4
  * @package JVM rich text icons
  */
@@ -24 +24 @@
 
 if (is_admin()) {
-    require_once plugin_dir_path( __FILE__ ) . 'src/settings.php';
+   require_once plugin_dir_path( __FILE__ ) . 'src/settings.php';
 }
 

jvm-rich-text-icons/trunk/readme.txt

@@ -88 +88 @@
 == Changelog ==
 
+= 1.2.4 =
+Security update. Fixed a vulnerability issue in the uploader and plugin settings.
+
 = 1.2.3 =
 Fixed the thick border around the toolbar button by using the correct toolbar button markup.

jvm-rich-text-icons/trunk/src/settings.php

@@ -20 +20 @@
      */
     public function try_add_settings() {
-        $show_settings = apply_filters('jvm_richtext_icons_show_settings', true);
-        if ($show_settings) {
-            add_action( 'admin_menu', array( $this, 'add_plugin_page' ) );
-            add_action( 'admin_init', array( $this, 'page_init' ) );
-            add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_scripts' ));
-
-            // Ajax calls
-            add_action('wp_ajax_jvm-rich-text-icons-delete-icon', array( $this, 'ajax_delete_icon'));
-            add_action('wp_ajax_jvm-rich-text-icons-upload-icon', array( $this, 'ajax_upload_icon'));
-
-            // Notice on settings screen if a custom icon set is loaded
-            add_action('admin_notices', array($this, 'admin_notice'));
+        $user = wp_get_current_user();
+        // Only admin users have access to the settings.
+        if (in_array( 'administrator', (array) $user->roles ) ) {
+
+            $show_settings = apply_filters('jvm_richtext_icons_show_settings', true);
+            if ($show_settings) {
+                add_action( 'admin_menu', array( $this, 'add_plugin_page' ) );
+                add_action( 'admin_init', array( $this, 'page_init' ) );
+                add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_scripts' ));
+
+                // Ajax calls
+                if (current_user_can( 'upload_files' )) {
+                    add_action('wp_ajax_jvm-rich-text-icons-delete-icon', array( $this, 'ajax_delete_icon'));
+                    add_action('wp_ajax_jvm-rich-text-icons-upload-icon', array( $this, 'ajax_upload_icon'));
+                }
+
+                // Notice on settings screen if a custom icon set is loaded
+                add_action('admin_notices', array($this, 'admin_notice'));
+            }
         }
     }
@@ -117 +124 @@
      */
     public function ajax_upload_icon() {
-        if (isset($_FILES['file'])) {
+        if (isset($_FILES['file']) && wp_verify_nonce($_GET['nonce'], 'jvm-rich-text-icons-upload-icon' )) {
             // Check if file is SVG as we only accept SVG files
-            if ($_FILES['file']['type'] == 'image/svg+xml') {
+            $pi = pathinfo($_FILES['file']['name']);
+            if ($_FILES['file']['type'] == 'image/svg+xml' && strtolower($pi['extension']) == 'svg') {
                 
                 $base = JVM_Richtext_icons::get_svg_directory();