Changeset 2999526

Timestamp:

11/21/2023 11:31:41 AM (2 years ago)

Author:

woosms

Message:

3.0.3

Location:

woosms-sms-module-for-woocommerce/trunk

Files:

• readme.txt (modified) (2 diffs)
• src/Event/Helpers.php (modified) (2 diffs)
• src/Event/OrderForm.php (modified) (1 diff)
• src/Template/Basic.php (modified) (3 diffs)
• src/Template/Init.php (modified) (2 diffs)
• vendor/bulkgate/plugin/src/Event/Dispatcher.php (modified) (2 diffs)
• vendor/bulkgate/plugin/src/Event/Hook.php (modified) (1 diff)
• vendor/composer/installed.json (modified) (3 diffs)
• vendor/composer/installed.php (modified) (3 diffs)
• woosms-sms-module-for-woocommerce.php (modified) (1 diff)

woosms-sms-module-for-woocommerce/trunk/readme.txt

@@ -3 +3 @@
 Requires at least: 5.7
 Tested up to: 6.4
-Stable tag: 3.0.0
+Stable tag: 3.0.3
 Requires PHP: 7.4
 License: GPLv3
@@ -160 +160 @@
 
 == Changelog ==
+
+= 3.0.3 =
+* Broken Access Control vulnerability fix
+* OptIn Checkbox set default to off
+* Order message mutation fix values
 
 = 3.0.2 =

woosms-sms-module-for-woocommerce/trunk/src/Event/Helpers.php

@@ -9 +9 @@
 
 use BulkGate\{Plugin\DI\MissingServiceException, Plugin\Event\Dispatcher, Plugin\Strict, WooSms\DI\Factory};
-use function apply_filters, has_filter, str_replace;
+use function apply_filters, has_filter, str_replace, current_user_can, wp_die, wp_verify_nonce;
 
 class Helpers
 {
     use Strict;
+
+    public const CrossSiteRequestForgerySecurityParameter = 'security';
 
     public static function dispatch(string $name, callable $callback): callable
@@ -49 +51 @@
         return $statuses["wc-$status"] ?? $status;
     }
+
+
+    public static function checkAccess(?string $nonce): bool
+    {
+        if (!current_user_can('manage_options') || wp_verify_nonce($nonce ?? '') === false)
+        {
+            wp_die('', 403);
+        }
+
+        return true;
+    }
 }

woosms-sms-module-for-woocommerce/trunk/src/Event/OrderForm.php

@@ -15 +15 @@
     use Strict;
 
-    public const DefaultEnabled = true;
+    public const DefaultEnabled = false;
 
     private const Consent = [

woosms-sms-module-for-woocommerce/trunk/src/Template/Basic.php

@@ -9 +9 @@
 
 use function time, date, admin_url, is_ssl, wp_print_inline_script_tag, wp_print_script_tag;
-use BulkGate\{Plugin\Event\Dispatcher, Plugin\IO\Url, Plugin\Settings\Settings, Plugin\Settings\Synchronizer, Plugin\Strict, Plugin\DI\Container, Plugin\User\Sign, WooSms\Utils\Escape, WooSms\Event\OrderForm, WooSms\Utils\Logo};
+use BulkGate\{Plugin\Event\Dispatcher, Plugin\IO\Url, Plugin\Settings\Settings, Plugin\Settings\Synchronizer, Plugin\Strict, Plugin\DI\Container, Plugin\User\Sign, WooSms\Event\Helpers, WooSms\Utils\Escape, WooSms\Event\OrderForm, WooSms\Utils\Logo};
 
 class Basic
@@ -22 +22 @@
 
         $ajax_url = admin_url('/admin-ajax.php', is_ssl() ? 'https' : 'http');
+        $csfr_token = wp_create_nonce();
 
         $proxy = [
             'PROXY_LOG_IN' => [
                 'url' => $ajax_url,
-                'params' => ['action' => 'login']
+                'params' => ['action' => 'login', Helpers::CrossSiteRequestForgerySecurityParameter => $csfr_token]
             ],
             'PROXY_LOG_OUT' => [
                 'url' => $ajax_url,
-                'params' => ['action' => 'logout_module']
+                'params' => ['action' => 'logout_module', Helpers::CrossSiteRequestForgerySecurityParameter => $csfr_token]
             ],
             'PROXY_SAVE_MODULE_SETTINGS' => [
                 'url' => $ajax_url,
-                'params' => ['action' => 'save_module_settings']
+                'params' => ['action' => 'save_module_settings', Helpers::CrossSiteRequestForgerySecurityParameter => $csfr_token]
             ]
         ];
@@ -78 +79 @@
                                 'Content-Type': "application/x-www-form-urlencoded"
                             },
-                            body: "action=authenticate",
+                            body: {$escape_js('action=authenticate&' . Helpers::CrossSiteRequestForgerySecurityParameter . "=$csfr_token")},
                         });
                         let {token, redirect} = await response.json();

woosms-sms-module-for-woocommerce/trunk/src/Template/Init.php

@@ -8 +8 @@
  */
 
-use BulkGate\{Plugin\Debug\Logger, Plugin\Debug\Requirements, Plugin\Eshop, Plugin\Settings\Settings, Plugin\Strict, Plugin\User\Sign, Plugin\Utils\JsonResponse, WooSms\Ajax\Authenticate, WooSms\Ajax\PluginSettingsChange, WooSms\Debug\Page, WooSms\DI\Factory, WooSms\Utils\Logo, WooSms\Utils\Meta};
+use BulkGate\Plugin\{Debug\Logger, Debug\Requirements, Eshop, Settings\Settings, Strict, User\Sign, Utils\JsonResponse};
+use BulkGate\WooSms\{Ajax\Authenticate, Ajax\PluginSettingsChange, Debug\Page, DI\Factory, Event\Helpers, Utils\Logo, Utils\Meta};
 use function method_exists, in_array;
 
@@ -47 +48 @@
         });
 
-        add_action('wp_ajax_authenticate', fn () => Factory::get()->getByClass(Authenticate::class)->run(admin_url('admin.php?page=bulkgate#/sign/in')));
+        add_action('wp_ajax_authenticate', function (): void
+        {
+            Helpers::checkAccess($_POST[Helpers::CrossSiteRequestForgerySecurityParameter] ?? null) && Factory::get()->getByClass(Authenticate::class)->run(admin_url('admin.php?page=bulkgate#/sign/in'));
+        });
 
-        add_action('wp_ajax_login', fn () => JsonResponse::send(Factory::get()->getByClass(Sign::class)->in(
-            sanitize_text_field((string) ($_POST['__bulkgate']['email'] ?? '')),
-            sanitize_text_field((string) ($_POST['__bulkgate']['password'] ?? '')),
-            admin_url('admin.php?page=bulkgate#/dashboard')
-        )));
+        add_action('wp_ajax_login', function (): void
+        {
+            Helpers::checkAccess($_POST[Helpers::CrossSiteRequestForgerySecurityParameter] ?? null) && JsonResponse::send(Factory::get()->getByClass(Sign::class)->in(
+                sanitize_text_field((string)($_POST['__bulkgate']['email'] ?? '')),
+                sanitize_text_field((string)($_POST['__bulkgate']['password'] ?? '')),
+                admin_url('admin.php?page=bulkgate#/dashboard')
+            ));
+        });
 
-        add_action('wp_ajax_logout_module', fn () => JsonResponse::send(Factory::get()->getByClass(Sign::class)->out(admin_url('admin.php?page=bulkgate#/sign/in'))));
-        add_action('wp_ajax_save_module_settings', fn () => JsonResponse::send(Factory::get()->getByClass(PluginSettingsChange::class)->run($_POST['__bulkgate'] ?? [])));
+        add_action('wp_ajax_logout_module', function (): void
+        {
+            Helpers::checkAccess($_POST[Helpers::CrossSiteRequestForgerySecurityParameter] ?? null) && JsonResponse::send(Factory::get()->getByClass(Sign::class)->out(admin_url('admin.php?page=bulkgate#/sign/in')));
+        });
+        add_action('wp_ajax_save_module_settings', function (): void
+        {
+            Helpers::checkAccess($_POST[Helpers::CrossSiteRequestForgerySecurityParameter] ?? null) && JsonResponse::send(Factory::get()->getByClass(PluginSettingsChange::class)->run($_POST['__bulkgate'] ?? []));
+        });
     }
 }

woosms-sms-module-for-woocommerce/trunk/vendor/bulkgate/plugin/src/Event/Dispatcher.php

@@ -72 +72 @@
         {
             $language = $variables['lang_id'] ?? 'en';
-            $store_id = $variables['store_id'] ?? 0;
+            $shop_id = $variables['shop_id'] ?? 0;
             $category = str_replace('-', '_', $category);
 
@@ -80 +80 @@
             }
 
-            foreach (["admin_sms-default-$store_id", "customer_sms-$language-$store_id"] as $scope)
+            foreach (["admin_sms-default-$shop_id", "customer_sms-$language-$shop_id"] as $scope)
             {
                 if ($category === 'order' && $endpoint === 'status_change' && isset($variables['order_status_id']))

woosms-sms-module-for-woocommerce/trunk/vendor/bulkgate/plugin/src/Event/Hook.php

@@ -41 +41 @@
         $endpoint = str_replace('_', '-', $endpoint);
 
-        $this->send("api/$this->version/eshop/$category/$endpoint", ['variables' => $variables]);
+        $this->send("api/$this->version/eshop/$category/$endpoint", ['language' => $variables['lang_id'] ?? null, 'shop_id' => $variables['shop_id'] ?? null, 'variables' => $variables]);
     }
 

woosms-sms-module-for-woocommerce/trunk/vendor/composer/installed.json

@@ -3 +3 @@
         {
             "name": "bulkgate/plugin",
-            "version": "1.0.0-RC6",
-            "version_normalized": "1.0.0.0-RC6",
+            "version": "1.0.0",
+            "version_normalized": "1.0.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/BulkGate/plugin.git",
-                "reference": "9484b1cecd9351d76ceb81b57b41cd809d46b5d8"
+                "reference": "c051c684f9fb1f1c312ec5fb3aaa35f3483e8c28"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/BulkGate/plugin/zipball/9484b1cecd9351d76ceb81b57b41cd809d46b5d8",
-                "reference": "9484b1cecd9351d76ceb81b57b41cd809d46b5d8",
+                "url": "https://api.github.com/repos/BulkGate/plugin/zipball/c051c684f9fb1f1c312ec5fb3aaa35f3483e8c28",
+                "reference": "c051c684f9fb1f1c312ec5fb3aaa35f3483e8c28",
                 "shasum": ""
             },
@@ -30 +30 @@
                 "tracy/tracy": "^2.9"
             },
-            "time": "2023-11-13T15:14:11+00:00",
+            "time": "2023-11-21T11:11:11+00:00",
             "type": "library",
             "installation-source": "dist",
@@ -48 +48 @@
             "support": {
                 "issues": "https://github.com/BulkGate/plugin/issues",
-                "source": "https://github.com/BulkGate/plugin/tree/1.0.0-RC6"
+                "source": "https://github.com/BulkGate/plugin/tree/1.0.0"
             },
             "install-path": "../bulkgate/plugin"

woosms-sms-module-for-woocommerce/trunk/vendor/composer/installed.php

@@ -2 +2 @@
     'root' => array(
         'name' => 'bulkgate/woosms',
-        'pretty_version' => '3.0.0',
-        'version' => '3.0.0.0',
-        'reference' => '7f9900c9851243cf01e4ea2ec6dd982653f88795',
+        'pretty_version' => '3.0.3',
+        'version' => '3.0.3.0',
+        'reference' => '0371d4f0ca9106920cf5d811833d6326370fb582',
         'type' => 'project',
         'install_path' => __DIR__ . '/../../',
@@ -12 +12 @@
     'versions' => array(
         'bulkgate/plugin' => array(
-            'pretty_version' => '1.0.0-RC6',
-            'version' => '1.0.0.0-RC6',
-            'reference' => '9484b1cecd9351d76ceb81b57b41cd809d46b5d8',
+            'pretty_version' => '1.0.0',
+            'version' => '1.0.0.0',
+            'reference' => 'c051c684f9fb1f1c312ec5fb3aaa35f3483e8c28',
             'type' => 'library',
             'install_path' => __DIR__ . '/../bulkgate/plugin',
@@ -21 +21 @@
         ),
         'bulkgate/woosms' => array(
-            'pretty_version' => '3.0.0',
-            'version' => '3.0.0.0',
-            'reference' => '7f9900c9851243cf01e4ea2ec6dd982653f88795',
+            'pretty_version' => '3.0.3',
+            'version' => '3.0.3.0',
+            'reference' => '0371d4f0ca9106920cf5d811833d6326370fb582',
             'type' => 'project',
             'install_path' => __DIR__ . '/../../',

woosms-sms-module-for-woocommerce/trunk/woosms-sms-module-for-woocommerce.php

@@ -5 +5 @@
  * Plugin URI: https://www.bulkgate.com/en/integrations/sms-plugin-for-woocommerce/
  * Description: Notify your customers about order status via SMS notifications.
- * Version: 3.0.2
+ * Version: 3.0.3
  * Author: BulkGate
  * Author URI: https://www.bulkgate.com/