Changeset 3081914

Timestamp:

05/06/2024 12:18:39 PM (20 months ago)

Author:

advancedads

Message:

Update to version 1.52.2 from GitHub

Location:

advanced-ads

Files:

• tags/1.52.2 (copied) (copied from advanced-ads/trunk)
• tags/1.52.2/advanced-ads.php (modified) (2 diffs)
• tags/1.52.2/includes/utilities/class-wordpress.php (modified) (1 diff)
• tags/1.52.2/languages/advanced-ads.pot (modified) (2 diffs)
• tags/1.52.2/modules/gutenberg/includes/class-gutenberg.php (modified) (1 diff)
• tags/1.52.2/modules/import-export/classes/import.php (modified) (2 diffs)
• tags/1.52.2/readme.txt (modified) (2 diffs)
• trunk/advanced-ads.php (modified) (2 diffs)
• trunk/includes/utilities/class-wordpress.php (modified) (1 diff)
• trunk/languages/advanced-ads.pot (modified) (2 diffs)
• trunk/modules/gutenberg/includes/class-gutenberg.php (modified) (1 diff)
• trunk/modules/import-export/classes/import.php (modified) (2 diffs)
• trunk/readme.txt (modified) (2 diffs)

advanced-ads/tags/1.52.2/advanced-ads.php

@@ -13 +13 @@
  * Plugin URI:        https://wpadvancedads.com
  * Description:       Manage and optimize your ads in WordPress
- * Version:           1.52.1
+ * Version:           1.52.2
  * Author:            Advanced Ads GmbH
  * Author URI:        https://wpadvancedads.com
@@ -34 +34 @@
 
 define( 'ADVADS_FILE', __FILE__ );
-define( 'ADVADS_VERSION', '1.52.1' );
+define( 'ADVADS_VERSION', '1.52.2' );
 
 // Load the autoloader.

advanced-ads/tags/1.52.2/includes/utilities/class-wordpress.php

@@ -118 +118 @@
         return $is_gutenberg && $is_writing;
     }
+
+    /**
+     * Unserializes data only if it was serialized.
+     *
+     * @link https://patchstack.com/articles/unauthenticated-php-object-injection-in-flatsome-theme-3-17-5/
+     *
+     * @param string $data Data that might be unserialized.
+     *
+     * @return mixed Unserialized data can be any type.
+     */
+    public static function maybe_unserialize( $data ) {
+        if ( is_serialized( $data ) ) { // Don't attempt to unserialize data that wasn't serialized going in.
+            return @unserialize( trim( $data ), [ 'allowed_classes' => false ] ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged, WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize
+        }
+
+        return $data;
+    }
 }

advanced-ads/tags/1.52.2/languages/advanced-ads.pot

@@ -3 +3 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Advanced Ads 1.52.0\n"
+"Project-Id-Version: Advanced Ads 1.52.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/advanced-ads/\n"
 "Last-Translator: Thomas Maier <[email protected]>\n"
@@ -10 +10 @@
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-04-04T11:02:12+00:00\n"
+"POT-Creation-Date: 2024-05-06T12:18:03+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.6.0\n"

advanced-ads/tags/1.52.2/modules/gutenberg/includes/class-gutenberg.php

@@ -218 +218 @@
 
         if ( isset( $attr['fixed_widget'] ) ) {
-            $output['wrapper_attrs']['data-fixed_widget'] = $attr['fixed_widget'];
+            $output['wrapper_attrs']['data-fixed_widget'] = esc_attr( $attr['fixed_widget'] );
         }
 
         if ( ! empty( $attr['width'] ) ) {
-            $output['output']['wrapper_attrs']['style']['width'] = $attr['width'] . 'px';
+            $output['output']['wrapper_attrs']['style']['width'] = absint( $attr['width'] ) . 'px';
         }
 
         if ( ! empty( $attr['height'] ) ) {
-            $output['output']['wrapper_attrs']['style']['height'] = $attr['height'] . 'px';
-        }
-
-        $align           = $attr['align'] ?? 'default';
+            $output['output']['wrapper_attrs']['style']['height'] = absint( $attr['height'] ) . 'px';
+        }
+
+        $align           = esc_attr( $attr['align'] ) ?? 'default';
         $after_ad_filter = function( $output, $ad ) {
             return $output . '<br style="clear: both; display: block; float: none;">';

advanced-ads/tags/1.52.2/modules/import-export/classes/import.php

@@ -153 +153 @@
                     foreach ( $ad['meta_input'] as $meta_k => &$meta_v ) {
                         if ( Advanced_Ads_Ad::$options_meta_field !== $meta_k ) {
-                            $meta_v = maybe_unserialize( $meta_v );
+                            $meta_v = WordPress::maybe_unserialize( $meta_v );
                         }
                     }
@@ -535 +535 @@
                 /* translators: %s: Option name. */
                 $this->messages[] = [ 'update', sprintf( __( 'Option was updated: <em>%s</em>', 'advanced-ads' ), $option_name ) ];
-                update_option( $option_name, maybe_unserialize( $option_to_import ) );
+                update_option( $option_name, WordPress::maybe_unserialize( $option_to_import ) );
             }
         }

advanced-ads/tags/1.52.2/readme.txt

@@ -5 +5 @@
 Tested up to: 6.5
 Requires PHP: 7.2
-Stable tag: 1.52.1
+Stable tag: 1.52.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -339 +339 @@
 == Changelog ==
 
+= 1.52.2 (May 6, 2024) =
+
+- Fix: enhance data handling in Gutenberg block module for improved security
+- Fix: replace function 'maybe_unserialize' with a more secure custom function
+
 = 1.52.1 (April 4, 2024) =
 

advanced-ads/trunk/advanced-ads.php

@@ -13 +13 @@
  * Plugin URI:        https://wpadvancedads.com
  * Description:       Manage and optimize your ads in WordPress
- * Version:           1.52.1
+ * Version:           1.52.2
  * Author:            Advanced Ads GmbH
  * Author URI:        https://wpadvancedads.com
@@ -34 +34 @@
 
 define( 'ADVADS_FILE', __FILE__ );
-define( 'ADVADS_VERSION', '1.52.1' );
+define( 'ADVADS_VERSION', '1.52.2' );
 
 // Load the autoloader.

advanced-ads/trunk/includes/utilities/class-wordpress.php

@@ -118 +118 @@
         return $is_gutenberg && $is_writing;
     }
+
+    /**
+     * Unserializes data only if it was serialized.
+     *
+     * @link https://patchstack.com/articles/unauthenticated-php-object-injection-in-flatsome-theme-3-17-5/
+     *
+     * @param string $data Data that might be unserialized.
+     *
+     * @return mixed Unserialized data can be any type.
+     */
+    public static function maybe_unserialize( $data ) {
+        if ( is_serialized( $data ) ) { // Don't attempt to unserialize data that wasn't serialized going in.
+            return @unserialize( trim( $data ), [ 'allowed_classes' => false ] ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged, WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize
+        }
+
+        return $data;
+    }
 }

advanced-ads/trunk/languages/advanced-ads.pot

@@ -3 +3 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Advanced Ads 1.52.0\n"
+"Project-Id-Version: Advanced Ads 1.52.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/advanced-ads/\n"
 "Last-Translator: Thomas Maier <[email protected]>\n"
@@ -10 +10 @@
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-04-04T11:02:12+00:00\n"
+"POT-Creation-Date: 2024-05-06T12:18:03+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.6.0\n"

advanced-ads/trunk/modules/gutenberg/includes/class-gutenberg.php

@@ -218 +218 @@
 
         if ( isset( $attr['fixed_widget'] ) ) {
-            $output['wrapper_attrs']['data-fixed_widget'] = $attr['fixed_widget'];
+            $output['wrapper_attrs']['data-fixed_widget'] = esc_attr( $attr['fixed_widget'] );
         }
 
         if ( ! empty( $attr['width'] ) ) {
-            $output['output']['wrapper_attrs']['style']['width'] = $attr['width'] . 'px';
+            $output['output']['wrapper_attrs']['style']['width'] = absint( $attr['width'] ) . 'px';
         }
 
         if ( ! empty( $attr['height'] ) ) {
-            $output['output']['wrapper_attrs']['style']['height'] = $attr['height'] . 'px';
-        }
-
-        $align           = $attr['align'] ?? 'default';
+            $output['output']['wrapper_attrs']['style']['height'] = absint( $attr['height'] ) . 'px';
+        }
+
+        $align           = esc_attr( $attr['align'] ) ?? 'default';
         $after_ad_filter = function( $output, $ad ) {
             return $output . '<br style="clear: both; display: block; float: none;">';

advanced-ads/trunk/modules/import-export/classes/import.php

@@ -153 +153 @@
                     foreach ( $ad['meta_input'] as $meta_k => &$meta_v ) {
                         if ( Advanced_Ads_Ad::$options_meta_field !== $meta_k ) {
-                            $meta_v = maybe_unserialize( $meta_v );
+                            $meta_v = WordPress::maybe_unserialize( $meta_v );
                         }
                     }
@@ -535 +535 @@
                 /* translators: %s: Option name. */
                 $this->messages[] = [ 'update', sprintf( __( 'Option was updated: <em>%s</em>', 'advanced-ads' ), $option_name ) ];
-                update_option( $option_name, maybe_unserialize( $option_to_import ) );
+                update_option( $option_name, WordPress::maybe_unserialize( $option_to_import ) );
             }
         }

advanced-ads/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 6.5
 Requires PHP: 7.2
-Stable tag: 1.52.1
+Stable tag: 1.52.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -339 +339 @@
 == Changelog ==
 
+= 1.52.2 (May 6, 2024) =
+
+- Fix: enhance data handling in Gutenberg block module for improved security
+- Fix: replace function 'maybe_unserialize' with a more secure custom function
+
 = 1.52.1 (April 4, 2024) =