Changeset 3041265

Timestamp:

02/26/2024 12:37:55 PM (22 months ago)

Author:

madalin.ungureanu

Message:

realeasing version 1.1.3

Location:

passwordless-login

Files:

• tags/1.1.3 (added)
• tags/1.1.3/assets (added)
• tags/1.1.3/assets/logo_150_150.png (added)
• tags/1.1.3/assets/style-back-end.css (added)
• tags/1.1.3/assets/style-front-end.css (added)
• tags/1.1.3/inc (added)
• tags/1.1.3/inc/wpa.class.notices.php (added)
• tags/1.1.3/languages (added)
• tags/1.1.3/languages/passwordless-login.pot (added)
• tags/1.1.3/passwordless_login.php (added)
• tags/1.1.3/readme.txt (added)
• trunk/inc/wpa.class.notices.php (modified) (1 diff)
• trunk/passwordless_login.php (modified) (10 diffs)
• trunk/readme.txt (modified) (2 diffs)

passwordless-login/trunk/inc/wpa.class.notices.php

@@ -49 +49 @@
 
     function dismiss_notification() {
+
+        if( empty( $_GET['_wpnonce'] ) || !wp_verify_nonce( sanitize_text_field( $_GET['_wpnonce'] ), 'wpa_notice_dismiss' ) )
+            return;
+
         global $current_user;
 

passwordless-login/trunk/passwordless_login.php

@@ -2 +2 @@
 /**
 * Plugin Name: Passwordless Login
-* Plugin URI: http://www.cozmoslabs.com
+* Plugin URI: https://www.cozmoslabs.com
 * Description: Shortcode based login form. Enter an email/username and get link via email that will automatically log you in.
-* Version: 1.1.2
+* Version: 1.1.3
 * Author: Cozmoslabs, sareiodata
-* Author URI: http:/www.cozmoslabs.com
+* Author URI: https://www.cozmoslabs.com
 * License: GPL2
 * Text Domain: passwordless-login
@@ -35 +35 @@
  *
  */
-define( 'PASSWORDLESS_LOGIN_VERSION', '1.1.2' );
+define( 'PASSWORDLESS_LOGIN_VERSION', '1.1.3' );
 define( 'WPA_PLUGIN_DIR', WP_PLUGIN_DIR . '/' . dirname( plugin_basename( __FILE__ ) ) );
 define( 'WPA_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
@@ -146 +146 @@
 function wpa_front_end_login(){
     ob_start();
-    $account = ( isset( $_POST['user_email_username']) ) ? $account = sanitize_text_field( $_POST['user_email_username'] ) : false;
-    $error_token = ( isset( $_GET['wpa_error_token']) ) ? $error_token = sanitize_key( $_GET['wpa_error_token'] ) : false;
+    $account        = ( isset( $_POST['user_email_username']) ) ? $account = sanitize_text_field( $_POST['user_email_username'] ) : false;
+    $error_token    = ( isset( $_GET['wpa_error_token']) ) ? $error_token  = sanitize_key( $_GET['wpa_error_token'] ) : false;
     $adminapp_error = ( isset( $_GET['wpa_adminapp_error']) ) ? sanitize_key( $_GET['wpa_adminapp_error'] ) : false;
 
@@ -156 +156 @@
     } elseif ( is_user_logged_in() ) {
         $current_user = wp_get_current_user();
-        echo '<p class="wpa-box wpa-alert">'.apply_filters('wpa_success_login_msg', sprintf(__( 'You are currently logged in as %1$s. %2$s', 'passwordless-login' ), '<a href="'.$authorPostsUrl = get_author_posts_url( $current_user->ID ).'" title="'.$current_user->display_name.'">'.$current_user->display_name.'</a>', '<a href="'.wp_logout_url( $redirectTo = wpa_curpageurl() ).'" title="'.__( 'Log out of this account', 'passwordless-login' ).'">'. __( 'Log out', 'passwordless-login').' &raquo;</a>' ) ) . '</p><!-- .alert-->';
+        echo '<p class="wpa-box wpa-alert">'.apply_filters('wpa_success_login_msg', sprintf(__( 'You are currently logged in as %1$s. %2$s', 'passwordless-login' ), '<a href="'.esc_url( get_author_posts_url( $current_user->ID ) ).'" title="'.esc_attr( $current_user->display_name ).'">'.esc_html( $current_user->display_name ).'</a>', '<a href="'.esc_url( wp_logout_url( $redirectTo = wpa_curpageurl() ) ).'" title="'.__( 'Log out of this account', 'passwordless-login' ).'">'. __( 'Log out', 'passwordless-login').' &raquo;</a>' ) ) . '</p><!-- .alert-->';
     } else {
         if ( is_wp_error($sent_link) ){
-            echo '<p class="wpa-box wpa-error">' . apply_filters( 'wpa_error', $sent_link->get_error_message() ) . '</p>';
+            echo '<p class="wpa-box wpa-error">' . esc_html( apply_filters( 'wpa_error', $sent_link->get_error_message() ) ) . '</p>';
         }
         if( $error_token ) {
@@ -186 +186 @@
     <form name="wpaloginform" id="wpaloginform" action="" method="post">
         <p>
-            <label for="user_email_username"><?php echo( apply_filters('wpa_change_form_label', $label)) ; ?></label>
+            <label for="user_email_username"><?php echo esc_html( apply_filters('wpa_change_form_label', $label ) ); ?></label>
             <input type="text" name="user_email_username" id="user_email_username" class="input" value="<?php echo esc_attr( $account ); ?>" size="25" />
             <input type="submit" name="wpa-submit" id="wpa-submit" class="button-primary" value="<?php esc_attr_e('Log In', 'passwordless-login'); ?>" />
@@ -233 +233 @@
     }
 
-    return new WP_Error( 'invalid_account', __( 'The username or email you provided do not exist. Please try again.', 'passwordless-login' ) );
+    return new WP_Error( 'invalid_account', __( 'The username or email you provided does not exist. Please try again.', 'passwordless-login' ) );
 }
 
@@ -339 +339 @@
 
     if( isset( $_GET['token'] ) && isset( $_GET['uid'] ) && isset( $_GET['nonce'] ) ){
-        $uid = sanitize_key( $_GET['uid'] );
-        $token  =  sanitize_key( $_REQUEST['token'] );
-        $nonce  = sanitize_key( $_REQUEST['nonce'] );
-
-        $hash_meta = get_user_meta( $uid, 'wpa_' . $uid, true);
+        $uid   = sanitize_key( $_GET['uid'] );
+        $token = sanitize_key( $_REQUEST['token'] );
+        $nonce = sanitize_key( $_REQUEST['nonce'] );
+
+        $hash_meta            = get_user_meta( $uid, 'wpa_' . $uid, true);
         $hash_meta_expiration = get_user_meta( $uid, 'wpa_' . $uid . '_expiration', true);
-        $arr_params = array( 'uid', 'token', 'nonce' );
-        $current_page_url = remove_query_arg( $arr_params, wpa_curpageurl() );
+        $arr_params           = array( 'uid', 'token', 'nonce' );
+        $current_page_url     = remove_query_arg( $arr_params, wpa_curpageurl() );
 
         require_once( ABSPATH . 'wp-includes/class-phpass.php');
         $wp_hasher = new PasswordHash(8, TRUE);
-        $time = time();
+        $time      = time();
 
         $wppb_generalSettings = get_option('wppb_general_settings', 'not_found');//profile builder settings are required for admin approval compatibility
@@ -369 +369 @@
             update_option( 'wpa_total_logins', $total_logins + 1);
 
-            if (function_exists('wppb_custom_redirect_url')){
-                wp_redirect( apply_filters('wpa_after_login_redirect', wppb_custom_redirect_url('after_login', $current_page_url ) ) );
-                exit;
-            }
-
-            wp_redirect( apply_filters('wpa_after_login_redirect', $current_page_url ) );
+            if ( function_exists('wppb_custom_redirect_url') ){
+                $wppb_custom_redirects_url = wppb_custom_redirect_url( 'after_login', $current_page_url );
+            }
+
+            $redirect_url = !empty( $wppb_custom_redirects_url ) ? $wppb_custom_redirects_url : $current_page_url;
+
+            wp_redirect( apply_filters('wpa_after_login_redirect', $redirect_url ) );
             exit;
         }
+
     }
 }
@@ -421 +423 @@
     $req_uri = $_SERVER['REQUEST_URI'];
 
-    $home_path = trim( parse_url( home_url(), PHP_URL_PATH ), '/' );
+    $parsed_url = parse_url( home_url(), PHP_URL_PATH );
+
+    if( !empty( $parsed_url ) )
+        $home_path = trim( $parsed_url, '/' );
+    else
+        $home_path = $parsed_url;
+
+    if( $home_path === null || $home_path === false )
+        $home_path = '';
+
     $home_path_regex = sprintf( '|^%s|i', preg_quote( $home_path, '|' ) );
 
@@ -440 +451 @@
  * @return string
  */
-
-include_once("inc/wpa.class.notices.php");
-$learn_more_notice = new WPA_Add_Notices(
-    'wpa_learn_more',
-    sprintf( __( '<p>Use [passwordless-login] shortcode in your pages or widgets. %1$sLearn more.%2$s  %3$sDismiss%4$s</p>', 'passwordless-login'), "<a href='users.php?page=passwordless-login&wpa_learn_more_dismiss_notification=0'>", "</a>", "<a href='". add_query_arg( 'wpa_learn_more_dismiss_notification', '0' ) ."' class='wpa-dismiss-notification' style='float:right;margin-left:20px;'> ", "</a>" ),
-    'updated',  '', ''
-);
+add_action( 'admin_init', 'wpa_admin_general_notices', 9 );
+function wpa_admin_general_notices(){
+    include_once("inc/wpa.class.notices.php");
+    $learn_more_notice = new WPA_Add_Notices(
+        'wpa_learn_more',
+        sprintf( __( '<p>Use [passwordless-login] shortcode in your pages or widgets. %1$sLearn more.%2$s  %3$sDismiss%4$s</p>', 'passwordless-login'), "<a href='users.php?page=passwordless-login&wpa_learn_more_dismiss_notification=0'>", "</a>", "<a href='". wp_nonce_url( add_query_arg( 'wpa_learn_more_dismiss_notification', '0' ), 'wpa_notice_dismiss' ) ."' class='wpa-dismiss-notification' style='float:right;margin-left:20px;'> ", "</a>" ),
+        'updated',  '', ''
+    );  
+}

passwordless-login/trunk/readme.txt

@@ -5 +5 @@
 Tags: passwordless login, passwordless, front-end login, login shortcode, custom login form, login without password, passwordless authentication
 Requires at least: 3.9
-Tested up to: 6.0.1
-Stable tag: 1.1.2
+Tested up to: 6.4.3
+Stable tag: 1.1.3
 
 
@@ -77 +77 @@
 
 == Changelog ==
+= 1.1.3 =
+* Fix: XSS issue with the already logged in message. Thanks to Mat Rollings
+* Fix: Added nonce check for the admin notice dismiss action
+* Fix: Sanitize additional output
+* Fix: A compatibility bug with Profile Builder when an after login redirect returned an empty string 
 
 = 1.1.2 =