Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3208188

Timestamp:

12/15/2024 01:30:35 PM (14 months ago)

Author:

shinephp

Message:

Security Fix: Users - "Add Role", "Revoke Role" buttons: Cross-Site request forgery to privilege escalation was possible due to missed nonce validation. This issue was discovered and responsibly reported by vgo0.

Location:

user-role-editor/trunk

Files:

: 5 edited

changelog.txt (modified) (1 diff)
includes/classes/ajax-processor.php (modified) (3 diffs)
includes/classes/grant-roles.php (modified) (12 diffs)
js/users-grant-roles.js (modified) (3 diffs)
readme.txt (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

user-role-editor/trunk/changelog.txt

-                      r3201795
+                      r3208188
 CHANGES LOG (full version).
 ===========================
+= [4.64.4] 15.12.2024 =
+* Security Fix: Users - "Add Role", "Revoke Role" buttons: Cross-Site request forgery to privilege escalation was possible due to missed nonce validation. This issue was discovered and responsibly reported by vgo0.
 = [4.64.3] 03.12.2024 =

user-role-editor/trunk/includes/classes/ajax-processor.php

-                      r3037617
+                      r3208188
     protected function get_required_cap() {
+        if ( $this->action=='grant_roles' || $this->action=='get_user_roles' ) {
+        $promote_users_actions = array(
+            'grant_roles',
+            'get_user_roles',
+            'add_role_to_user',
+            'revoke_role_from_user'
+        );
+        if ( in_array( $this->action, $promote_users_actions ) ) {
             $cap = 'promote_users';
         } else {
 …
+    }
     // end of grant_roles()
+    protected function add_role_to_user() {
+        $answer = URE_Grant_Roles::add_role();
+        return $answer;
+    }
+    // end of add_role_to_user()
+    protected function revoke_role_from_user() {
+        $answer = URE_Grant_Roles::revoke_role();
+        return $answer;
+    }
+    // end of add_role_to_user()
     protected function get_user_roles() {
 …
                 $answer = $this->grant_roles();
                 break;
+            case 'add_role_to_user':
+                $answer = $this->add_role_to_user();
+                break;
+            case 'revoke_role_from_user':
+                $answer = $this->revoke_role_from_user();
+                break;
             case 'get_user_roles':
                 $answer = $this->get_user_roles();

user-role-editor/trunk/includes/classes/grant-roles.php

-                      r3201795
+                      r3208188
     public function __construct() {
         $this->lib = URE_Lib::get_instance();
+        $this->lib = URE_Lib::get_instance();
         add_action( 'load-users.php', array( $this, 'load' ) );
 …
         add_action('restrict_manage_users', array($this, 'show_roles_manage_html') );
         add_action('admin_head', array(User_Role_Editor::get_instance(), 'add_css_to_users_page') );
+        add_action('admin_enqueue_scripts', array($this, 'load_js') );
+        $this->update_roles();
+        add_action('admin_enqueue_scripts', array($this, 'load_js') );
+    }
 …
+    private function add_role( $users ) {
+        if ( !empty( $_REQUEST['ure_add_role'] ) ) {
+            $role = $_REQUEST['ure_add_role'];
+        } else {
+            $role = $_REQUEST['ure_add_role_2'];
+        }
+    public static function add_role() {
+        if ( !current_user_can('promote_users') ) {
+             $answer = array('result'=>'error', 'message'=>esc_html__('Not enough permissions', 'user-role-editor') );
+             return $answer;
+        }
+        if ( empty( $_REQUEST['users'] ) ) {
+            $answer = array('result'=>'error', 'message'=>esc_html__('Empty users list', 'user-role-editor') );
+            return $answer;
+        }
+        $users = (array) $_REQUEST['users'];
+        if ( !self::validate_users( $users ) ) {
+            $answer = array('result'=>'error', 'message'=>esc_html__('Can not edit user or invalid data at the users list', 'user-role-editor') );
+            return $answer;
+        }
+        $lib = URE_Lib::get_instance();
+        $role = $lib->get_request_var('role', 'post', 'string');
         if ( !self::validate_roles( array($role=>$role) ) ) {
+            return;
+        }
+        $done = false;
+            $answer = array('result'=>'error', 'message'=>esc_html__('Invalid role', 'user-role-editor') );
+            return $answer;
+        }
+        $quantity = 0;
         foreach( $users as $user_id ) {
             $user = get_user_by( 'id', $user_id );
 …
                 continue;
+            }
             if ( empty($user->roles) || !in_array( $role, $user->roles ) ) {
+            if ( empty( $user->roles ) || !in_array( $role, $user->roles ) ) {
                 $user->add_role( $role );
+                $done = true;
+            }
+        }
+        if ( $done ) {
+            // Redirect to the users screen.
+            if ( wp_redirect( add_query_arg( 'update', 'promote', 'users.php' ) ) ) {
+                 exit;
+            }
+        }
+                $quantity++;
+            }
+        }
+        if ( $quantity>0 ) {
+            // translators: template %d is a quantity of users to whom role was added
+            $message = sprintf( esc_html__('Role added to %d user(s).', 'user-role-editor'), $quantity );
+            $answer = array('result'=>'success', 'message'=>$message );
+        } else {
+            $answer = array('result'=>'error', 'message'=>esc_html__('Error: Role not added', 'user-role-editor') );
+        }
+        return $answer;
+    }
     // end of add_role()
     private function is_try_remove_admin_from_himself( $user_id, $role) {
+    private static function is_try_remove_admin_from_himself( $user_id, $role) {
         $result = false;
 …
         return $result;
+    }
+    private function revoke_role( $users ) {
+        if ( !empty( $_REQUEST['ure_revoke_role'] ) ) {
+            $role = $_REQUEST['ure_revoke_role'];
+        } else {
+            $role = $_REQUEST['ure_revoke_role_2'];
+        }
+    // end of is_try_remove_admin_from_himself()
+    public static function revoke_role() {
+        if ( !current_user_can('promote_users') ) {
+             $answer = array('result'=>'error', 'message'=>esc_html__('Not enough permissions', 'user-role-editor') );
+             return $answer;
+        }
+        if ( empty( $_REQUEST['users'] ) ) {
+            $answer = array('result'=>'error', 'message'=>esc_html__('Empty users list', 'user-role-editor') );
+            return $answer;
+        }
+        $users = (array) $_REQUEST['users'];
+        if ( !self::validate_users( $users ) ) {
+            $answer = array('result'=>'error', 'message'=>esc_html__('Can not edit user or invalid data at the users list', 'user-role-editor') );
+            return $answer;
+        }
+        $lib = URE_Lib::get_instance();
+        $role = $lib->get_request_var('role', 'post', 'string');
         if ( !self::validate_roles( array($role=>$role) ) ) {
+            return;
+        }
+        $done = false;
+            $answer = array('result'=>'error', 'message'=>esc_html__('Invalid role', 'user-role-editor') );
+            return $answer;
+        }
+        $quantity = 0;
         foreach( $users as $user_id ) {
             $user = get_user_by( 'id', $user_id );
             if (empty( $user ) ) {
+            if ( empty( $user ) ) {
                 continue;
+            }
             if ($this->is_try_remove_admin_from_himself( $user_id, $role ) ) {
+            if ( self::is_try_remove_admin_from_himself( $user_id, $role ) ) {
                 continue;
+            }
             if ( is_array($user->roles) && in_array( $role, $user->roles ) ) {
                 $user->remove_role( $role );
+                $done = true;
+            }
+        }
+        if ( $done ) {
+            if ( wp_redirect( add_query_arg( 'update', 'promote', 'users.php' ) ) ) {
+                exit;
+            }
+        }
+                $quantity++;
+            }
+        }
+        if ( $quantity>0 ) {
+            // translators: template %d is a quantity of users to whom role was added
+            $message = sprintf( esc_html__('Role revoked from %d user(s).', 'user-role-editor'), $quantity );
+            $answer = array('result'=>'success', 'message'=>$message );
+        } else {
+            $answer = array('result'=>'error', 'message'=>esc_html__('Error: Role not revoked', 'user-role-editor') );
+        }
+        return $answer;
+    }
     // end of revoke_role()
 …
     private static function validate_roles($roles) {
         if (!is_array($roles)) {
+    private static function validate_roles( $roles ) {
+        if ( !is_array( $roles ) ) {
             return false;
+        }
 …
         $lib = URE_Lib::get_instance();
         $editable_roles = $lib->get_all_editable_roles();
         $valid_roles = array_keys($editable_roles);
         foreach($roles as $role) {
             if (!in_array($role, $valid_roles)) {
+        $valid_roles = array_keys( $editable_roles );
+        foreach( $roles as $role ) {
+            if ( !in_array( $role, $valid_roles ) ) {
                 return false;
+            }
 …
         $users = $_POST['users'];
         if (!self::validate_users($users)) {
             $answer = array('result'=>'error', 'message'=>esc_html__('Can not edit user or invalid data at the users list', 'user-role-editor'));
+        if ( !self::validate_users( $users ) ) {
+            $answer = array('result'=>'error', 'message'=>esc_html__('Can not edit user or invalid data at the users list', 'user-role-editor') );
             return $answer;
+        }
 …
 ?>
         &nbsp;&nbsp;
         <input type="button" name="ure_grant_roles<?php echo $button_number;?>" id="ure_grant_roles<?php echo $button_number;?>" class="button"
+        <input type="button" name="ure_grant_roles<?php echo $button_number;?>" id="ure_grant_roles<?php echo $button_number;?>" class="button"
              value="<?php esc_html_e('Grant Roles', 'user-role-editor');?>">
         &nbsp;&nbsp;
+        &nbsp;&nbsp;
         <label class="screen-reader-text" for="ure_add_role<?php echo $button_number;?>"><?php esc_html_e( 'Add role&hellip;', 'user-role-editor' ); ?></label>
         <select name="ure_add_role<?php echo $button_number;?>" id="ure_add_role<?php echo $button_number;?>" style="display: inline-block; float: none;">
 …
             <?php echo $roles_options_list; ?>
         </select>
+    <?php submit_button( esc_html__( 'Add', 'user-role-editor' ), 'secondary', 'ure_add_role_submit'.$button_number, false ); ?>
+        <input type="button" name="ure_add_role_button<?php echo $button_number;?>" id="ure_add_role_button<?php echo $button_number;?>" class="button"
+             value="<?php esc_html_e('Add', 'user-role-editor');?>">
         &nbsp;&nbsp;
         <label class="screen-reader-text" for="ure_revoke_role<?php echo $button_number;?>"><?php esc_html_e( 'Revoke role&hellip;', 'user-role-editor' ); ?></label>
 …
             <?php echo $roles_options_list; ?>
         </select>
+    <?php submit_button( esc_html__( 'Revoke', 'user-role-editor' ), 'secondary', 'ure_revoke_role_submit'.$button_number, false ); ?>
+    <input type="button" name="ure_revoke_role_button<?php echo $button_number;?>" id="ure_revoke_role_button<?php echo $button_number;?>" class="button"
+             value="<?php esc_html_e('Revoke', 'user-role-editor');?>">
 …
             'select_users_first' => esc_html__('Select users to which you wish to grant roles!', 'user-role-editor'),
             'select_roles_first' => esc_html__('Select role(s) which you wish to grant!', 'user-role-editor'),
+            'select_role_first' => esc_html__('Select role first!', 'user-role-editor'),
+            'select_users_to_add_role' => esc_html__('Select users to which you wish to add role!', 'user-role-editor'),
+            'select_users_to_revoke_role' => esc_html__('Select users from which you wish revoke role!', 'user-role-editor'),
             'show_wp_change_role' => $show_wp_change_role ? 1: 0
         ));

user-role-editor/trunk/js/users-grant-roles.js

-                      r2715703
+                      r3208188
         ure_prepare_grant_roles_dialog();
     });
+    jQuery('#ure_add_role_button').click(function() {
+        ure_add_role( 1 );
+    });
+    jQuery('#ure_add_role_button_2').click(function() {
+        ure_add_role( 2 );
+    });
+    jQuery('#ure_revoke_role_button').click(function() {
+        ure_revoke_role( 1 );
+    });
+    jQuery('#ure_revoke_role_button_2').click(function() {
+        ure_revoke_role( 2 );
+    });
     if (ure_users_grant_roles_data.show_wp_change_role!=1) {
 …
         'primary_role': primary_role,
         'other_roles': other_roles,
+        'wp_nonce': ure_users_grant_roles_data.wp_nonce};
+        'wp_nonce': ure_users_grant_roles_data.wp_nonce
+    };
+    jQuery.post(ajaxurl, data, ure_page_reload, 'json');
+    return true;
+}
+function ure_add_role( control_number ) {
+    var users = ure_get_selected_checkboxes('users');
+    if ( users.length===0 ) {
+        alert( ure_users_grant_roles_data.select_users_to_add_role );
+        return;
+    }
+    var modifier = ( control_number===2 ) ? '_2' : '';
+    var role = jQuery('#ure_add_role'+ modifier).val();
+    if ( role.length===0 ) {
+         alert( ure_users_grant_roles_data.select_role_first );
+         return;
+    }
+    jQuery('#ure_task_status').show();
+    var data = {
+        'action': 'ure_ajax',
+        'sub_action':'add_role_to_user',
+        'users': users,
+        'role': role,
+        'wp_nonce': ure_users_grant_roles_data.wp_nonce
+    };
+    jQuery.post(ajaxurl, data, ure_page_reload, 'json');
+    return true;
+}
+function ure_revoke_role( control_number ) {
+    var users = ure_get_selected_checkboxes('users');
+    if ( users.length===0 ) {
+        alert( ure_users_grant_roles_data.select_users_to_revoke_role );
+        return;
+    }
+    var modifier = ( control_number===2 ) ? '_2' : '';
+    var role = jQuery('#ure_revoke_role'+ modifier).val();
+    if ( role.length===0 ) {
+         alert( ure_users_grant_roles_data.select_role_first );
+         return;
+    }
+    jQuery('#ure_task_status').show();
+    var data = {
+        'action': 'ure_ajax',
+        'sub_action':'revoke_role_from_user',
+        'users': users,
+        'role': role,
+        'wp_nonce': ure_users_grant_roles_data.wp_nonce
+    };
     jQuery.post(ajaxurl, data, ure_page_reload, 'json');
 …
     var url = ure_set_url_arg('update', 'promote');
     document.location = url;
+}
+}

user-role-editor/trunk/readme.txt

-                      r3202014
+                      r3208188
 == Changelog =
+= [4.64.4] 15.12.2024 =
+* Security Fix: Users - "Add Role", "Revoke Role" buttons: Cross-Site request forgery to privilege escalation was possible due to missed nonce validation. This issue was discovered and responsibly reported by vgo0.
 = [4.64.3] 03.12.2024 =
 …
 * Fix: PHP Notice:  "Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the <code>user-role-editor</code> domain was triggered too early." was fixed (shown only for those who used own .mo translation file installed).
 * Fix: Miscellaneous translation functionality (l18n) usage enhancements were applied.
-= [4.64.2] 19.02.2024 =
-* Update: Marked as compatible with WordPress 6.4.3
-* Update: URE_Advertisement: rand() is replaced with wp_rand().
-* Update: URE_Ajax_Proccessor: json_encode() is replaced with wp_json_encode().
-* Update: User_Role_Editor::load_translation(): load_plugin_textdomain() is called with the 2nd parameter value false, instead of deprecated ''.
-* Update: URE_Lib::is_right_admin_path(): parse_url() is replaced with wp_parse_url().
-* Update: URE_Lib::user_is_admin() does not call WP_User::has_cap() to enhance performance.
-* Update: Plugin version was added to CSS loaded to the "Users", "Users->User Role Editor", "Settings->User Role Editor" pages.
-* Update: All JavaScript files are loaded in footer now.
-* Fix: "Users->Add New Users". Unneeded extra '<table></table>' HTML tags was removed (thanks to Alejandro A. for this bug report).
-= [4.64.1] 24.10.2023 =
-* Update: Marked as compatible with WordPress 6.4
-* Fix: Notice shown by PHP 8.3 is removed: PHP Deprecated: Creation of dynamic property URE_Editor::$hide_pro_banner is deprecated in /wp-content/plugins/user-role-editor/includes/classes/editor.php on line 166
-* Fix: Notice shown by PHP 8.3 is removed: PHP Deprecated: Creation of dynamic property URE_Role_View::$caps_to_remove is deprecated in /wp-content/plugins/user-role-editor/includes/classes/role-view.php on line 23
-* Fix: Notice shown by PHP 8.3 is removed: PHP Deprecated: Function utf8_decode() is deprecated in /wp-content/plugins/user-role-editor-pro/includes/classes/editor.php on line 984
 File changelog.txt contains the full list of changes.
 …
 == Upgrade Notice ==
+= [4.64.2] 19.02.2023 =
+* Update: URE_Advertisement: rand() is replaced with wp_rand().
+* Update: URE_Ajax_Proccessor: json_encode() is replaced with wp_json_encode().
+* Update: User_Role_Editor::load_translation(): load_plugin_textdomain() is called with the 2nd parameter value false, instead of deprecated ''.
+* Update: URE_Lib::is_right_admin_path(): parse_url() is replaced with wp_parse_url().
+* Update: URE_Lib::user_is_admin() does not call WP_User::has_cap() to enhance performance.
+* Update: Plugin version was added to CSS loaded to the "Users", "Users->User Role Editor", "Settings->User Role Editor" pages.
+* Update: All JavaScript files are loaded in footer now.
+* Fix: "Users->Add New Users". Unneeded extra '<table></table>' HTML tags was removed (thanks to Alejandro A. for this bug report).
+= [4.64.4] 15.12.2024 =
+* Security Fix: Users - "Add Role", "Revoke Role" buttons: Cross-Site request forgery to privilege escalation was possible due to missed nonce validation. This issue was discovered and responsibly reported by vgo0.

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: