Changeset 3245852

Timestamp:

02/24/2025 03:45:25 PM (10 months ago)

Author:

boonebgorges

Message:

Create tag 0.8.3.

Location:

anthologize

Files:

• tags/0.8.3 (copied) (copied from anthologize/trunk)
• tags/0.8.3/anthologize.php (modified) (2 diffs)
• tags/0.8.3/includes/class-admin-main.php (modified) (2 diffs)
• tags/0.8.3/includes/class-new-project.php (modified) (3 diffs)
• tags/0.8.3/includes/class-project-organizer.php (modified) (1 diff)
• tags/0.8.3/readme.txt (modified) (1 diff)
• tags/0.8.3/vendor/composer/InstalledVersions.php (modified) (5 diffs)
• tags/0.8.3/vendor/composer/installed.php (modified) (2 diffs)
• trunk/anthologize.php (modified) (2 diffs)
• trunk/includes/class-admin-main.php (modified) (2 diffs)
• trunk/includes/class-new-project.php (modified) (3 diffs)
• trunk/includes/class-project-organizer.php (modified) (1 diff)
• trunk/readme.txt (modified) (1 diff)
• trunk/vendor/composer/InstalledVersions.php (modified) (5 diffs)
• trunk/vendor/composer/installed.php (modified) (2 diffs)

anthologize/tags/0.8.3/anthologize.php

@@ -4 +4 @@
 Plugin URI: http://anthologize.org
 Description: Use the power of WordPress to transform your content into a book.
-Version: 0.8.2
+Version: 0.8.3
 Text Domain: anthologize
 Author: One Week | One Tool
@@ -31 +31 @@
 
 if ( ! defined( 'ANTHOLOGIZE_VERSION' ) )
-    define( 'ANTHOLOGIZE_VERSION', '0.8.2' );
+    define( 'ANTHOLOGIZE_VERSION', '0.8.3' );
 
 require dirname( __FILE__ ) . '/vendor/autoload.php';

anthologize/tags/0.8.3/includes/class-admin-main.php

@@ -468 +468 @@
             if ( isset( $_GET['action'] ) ) {
                 if ( $_GET['action'] == 'delete' && $project ) {
-                    wp_delete_post( $project->ID );
+                    check_admin_referer( 'anthologize_delete_project' );
+
+                    if ( current_user_can( 'delete_post', $project->ID ) ) {
+                        wp_delete_post( $project->ID );
+                    }
                 }
 
@@ -552 +556 @@
                             $controlActions   = array();
                             $the_id           = get_the_ID();
+
+                            $delete_url = wp_nonce_url( admin_url( 'admin.php?page=anthologize&action=delete&project_id=' . $the_id ), 'anthologize_delete_project' );
+
                             $controlActions[] = '<a href="admin.php?page=anthologize_new_project&project_id=' . esc_attr( $the_id ) . '">' . __( 'Project Details', 'anthologize' ) . '</a>';
                             $controlActions[] = '<a href="admin.php?page=anthologize&action=edit&project_id=' . esc_attr( $the_id ) . '">' . __( 'Manage Parts', 'anthologize' ) . '</a>';
-                            $controlActions[] = '<a href="admin.php?page=anthologize&action=delete&project_id=' . esc_attr( $the_id ) . '" class="confirm-delete">' . __( 'Delete Project', 'anthologize' ) . '</a>';
+                            $controlActions[] = '<a href="' . esc_url( $delete_url ) . '" class="confirm-delete">' . __( 'Delete Project', 'anthologize' ) . '</a>';
                             ?>
 

anthologize/tags/0.8.3/includes/class-new-project.php

@@ -126 +126 @@
 
             if ( isset( $_POST['save_project'] ) ) {
+                check_admin_referer( 'anthologize_new_project' );
                 $this->save_project();
                 return;
@@ -159 +160 @@
                 <tr valign="top">
                     <th scope="row"><label for="project-title"><?php _e( 'Project Title', 'anthologize' ); ?></label></th>
-                    <td><input type="text" name="post_title" id="project-title" value="
                     <?php
-                    if ( $project ) {
-                        echo esc_attr( $project->post_title );}
+                    $existing_project_title = $project ? $project->post_title : '';
                     ?>
-                    "></td>
+                    <td><input type="text" name="post_title" id="project-title" value="<?php echo esc_attr( $existing_project_title ); ?>"></td>
                 </tr>
 
                 <tr valign="top">
                     <th scope="row"><label for="project-subtitle"><?php _e( 'Subtitle', 'anthologize' ); ?></label>
-                    <td><input type="text" name="anthologize_meta[subtitle]" id="project-subtitle" value="
                     <?php
-                    if ( $project && ! empty( $meta['subtitle'] ) ) {
-                        echo esc_attr( $meta['subtitle'] );}
+                    $existing_subtitle = $project ? $meta['subtitle'] : '';
                     ?>
-                    " /></td>
+                    <td><input type="text" name="anthologize_meta[subtitle]" id="project-subtitle" value="<?php echo esc_attr( $existing_subtitle ); ?>" /></td>
                 </tr>
 
@@ -195 +192 @@
 
                 <div class="anthologize-button"><input type="submit" name="save_project" value="<?php _e( 'Save Project', 'anthologize' ); ?>"></div>
-            <input type="hidden" name="project_id" value="
-            <?php
-            if ( $project ) {
-                echo esc_attr( $project->ID );}
-            ?>
-            ">
+            <?php $existing_project_id = $project ? $project->ID : ''; ?>
+            <input type="hidden" name="project_id" value="<?php echo esc_attr( $existing_project_id ); ?>">
+
+            <?php wp_nonce_field( 'anthologize_new_project' ); ?>
+
             </form>
 

anthologize/tags/0.8.3/includes/class-project-organizer.php

@@ -70 +70 @@
                     <a href="admin.php?page=anthologize_new_project&project_id=<?php echo esc_attr( $this->project_id ); ?>"><?php _e( 'Project Details', 'anthologize' ); ?></a> |
                     <a target="_blank" href="<?php echo esc_url( $this->preview_url( $this->project_id, 'anth_project' ) ); ?>"><?php _e( 'Preview Project', 'anthologize' ); ?></a> |
-                    <a href="admin.php?page=anthologize&action=delete&project_id=<?php echo esc_attr( $this->project_id ); ?>" class="confirm-delete"><?php _e( 'Delete Project', 'anthologize' ); ?></a>
+                    <a href="<?php echo esc_attr( wp_nonce_url( admin_url( 'admin.php?page=anthologize&action=delete&project_id=' . $this->project_id ), 'anthologize_delete_project' ) ); ?>" class="confirm-delete"><?php _e( 'Delete Project', 'anthologize' ); ?></a>
                 </div>
             </h2>

anthologize/tags/0.8.3/readme.txt

@@ -60 +60 @@
 
 == Changelog ==
+
+= 0.8.3 =
+* Fixed security vulnerability when deleting or creating projects
 
 = 0.8.2 =

anthologize/tags/0.8.3/vendor/composer/InstalledVersions.php

@@ -32 +32 @@
      */
     private static $installed;
+
+    /**
+     * @var bool
+     */
+    private static $installedIsLocalDir;
 
     /**
@@ -310 +315 @@
         self::$installed = $data;
         self::$installedByVendor = array();
+
+        // when using reload, we disable the duplicate protection to ensure that self::$installed data is
+        // always returned, but we cannot know whether it comes from the installed.php in __DIR__ or not,
+        // so we have to assume it does not, and that may result in duplicate data being returned when listing
+        // all installed packages for example
+        self::$installedIsLocalDir = false;
     }
 
@@ -323 +334 @@
 
         $installed = array();
+        $copiedLocalDir = false;
 
         if (self::$canGetVendors) {
+            $selfDir = strtr(__DIR__, '\\', '/');
             foreach (ClassLoader::getRegisteredLoaders() as $vendorDir => $loader) {
+                $vendorDir = strtr($vendorDir, '\\', '/');
                 if (isset(self::$installedByVendor[$vendorDir])) {
                     $installed[] = self::$installedByVendor[$vendorDir];
@@ -331 +345 @@
                     /** @var array{root: array{name: string, pretty_version: string, version: string, reference: string|null, type: string, install_path: string, aliases: string[], dev: bool}, versions: array<string, array{pretty_version?: string, version?: string, reference?: string|null, type?: string, install_path?: string, aliases?: string[], dev_requirement: bool, replaced?: string[], provided?: string[]}>} $required */
                     $required = require $vendorDir.'/composer/installed.php';
-                    $installed[] = self::$installedByVendor[$vendorDir] = $required;
-                    if (null === self::$installed && strtr($vendorDir.'/composer', '\\', '/') === strtr(__DIR__, '\\', '/')) {
-                        self::$installed = $installed[count($installed) - 1];
+                    self::$installedByVendor[$vendorDir] = $required;
+                    $installed[] = $required;
+                    if (self::$installed === null && $vendorDir.'/composer' === $selfDir) {
+                        self::$installed = $required;
+                        self::$installedIsLocalDir = true;
                     }
+                }
+                if (self::$installedIsLocalDir && $vendorDir.'/composer' === $selfDir) {
+                    $copiedLocalDir = true;
                 }
             }
@@ -351 +370 @@
         }
 
-        if (self::$installed !== array()) {
+        if (self::$installed !== array() && !$copiedLocalDir) {
             $installed[] = self::$installed;
         }

anthologize/tags/0.8.3/vendor/composer/installed.php

@@ -4 +4 @@
         'pretty_version' => '0.8.x-dev',
         'version' => '0.8.9999999.9999999-dev',
-        'reference' => 'ab984c003a2ace922d87f1e7f29d78110f401804',
+        'reference' => '1e60e8f970f44326fabf5c33edbb7df31f16ee55',
         'type' => 'project',
         'install_path' => __DIR__ . '/../../',
@@ -14 +14 @@
             'pretty_version' => '0.8.x-dev',
             'version' => '0.8.9999999.9999999-dev',
-            'reference' => 'ab984c003a2ace922d87f1e7f29d78110f401804',
+            'reference' => '1e60e8f970f44326fabf5c33edbb7df31f16ee55',
             'type' => 'project',
             'install_path' => __DIR__ . '/../../',

anthologize/trunk/anthologize.php

@@ -4 +4 @@
 Plugin URI: http://anthologize.org
 Description: Use the power of WordPress to transform your content into a book.
-Version: 0.8.2
+Version: 0.8.3
 Text Domain: anthologize
 Author: One Week | One Tool
@@ -31 +31 @@
 
 if ( ! defined( 'ANTHOLOGIZE_VERSION' ) )
-    define( 'ANTHOLOGIZE_VERSION', '0.8.2' );
+    define( 'ANTHOLOGIZE_VERSION', '0.8.3' );
 
 require dirname( __FILE__ ) . '/vendor/autoload.php';

anthologize/trunk/includes/class-admin-main.php

@@ -468 +468 @@
             if ( isset( $_GET['action'] ) ) {
                 if ( $_GET['action'] == 'delete' && $project ) {
-                    wp_delete_post( $project->ID );
+                    check_admin_referer( 'anthologize_delete_project' );
+
+                    if ( current_user_can( 'delete_post', $project->ID ) ) {
+                        wp_delete_post( $project->ID );
+                    }
                 }
 
@@ -552 +556 @@
                             $controlActions   = array();
                             $the_id           = get_the_ID();
+
+                            $delete_url = wp_nonce_url( admin_url( 'admin.php?page=anthologize&action=delete&project_id=' . $the_id ), 'anthologize_delete_project' );
+
                             $controlActions[] = '<a href="admin.php?page=anthologize_new_project&project_id=' . esc_attr( $the_id ) . '">' . __( 'Project Details', 'anthologize' ) . '</a>';
                             $controlActions[] = '<a href="admin.php?page=anthologize&action=edit&project_id=' . esc_attr( $the_id ) . '">' . __( 'Manage Parts', 'anthologize' ) . '</a>';
-                            $controlActions[] = '<a href="admin.php?page=anthologize&action=delete&project_id=' . esc_attr( $the_id ) . '" class="confirm-delete">' . __( 'Delete Project', 'anthologize' ) . '</a>';
+                            $controlActions[] = '<a href="' . esc_url( $delete_url ) . '" class="confirm-delete">' . __( 'Delete Project', 'anthologize' ) . '</a>';
                             ?>
 

anthologize/trunk/includes/class-new-project.php

@@ -126 +126 @@
 
             if ( isset( $_POST['save_project'] ) ) {
+                check_admin_referer( 'anthologize_new_project' );
                 $this->save_project();
                 return;
@@ -159 +160 @@
                 <tr valign="top">
                     <th scope="row"><label for="project-title"><?php _e( 'Project Title', 'anthologize' ); ?></label></th>
-                    <td><input type="text" name="post_title" id="project-title" value="
                     <?php
-                    if ( $project ) {
-                        echo esc_attr( $project->post_title );}
+                    $existing_project_title = $project ? $project->post_title : '';
                     ?>
-                    "></td>
+                    <td><input type="text" name="post_title" id="project-title" value="<?php echo esc_attr( $existing_project_title ); ?>"></td>
                 </tr>
 
                 <tr valign="top">
                     <th scope="row"><label for="project-subtitle"><?php _e( 'Subtitle', 'anthologize' ); ?></label>
-                    <td><input type="text" name="anthologize_meta[subtitle]" id="project-subtitle" value="
                     <?php
-                    if ( $project && ! empty( $meta['subtitle'] ) ) {
-                        echo esc_attr( $meta['subtitle'] );}
+                    $existing_subtitle = $project ? $meta['subtitle'] : '';
                     ?>
-                    " /></td>
+                    <td><input type="text" name="anthologize_meta[subtitle]" id="project-subtitle" value="<?php echo esc_attr( $existing_subtitle ); ?>" /></td>
                 </tr>
 
@@ -195 +192 @@
 
                 <div class="anthologize-button"><input type="submit" name="save_project" value="<?php _e( 'Save Project', 'anthologize' ); ?>"></div>
-            <input type="hidden" name="project_id" value="
-            <?php
-            if ( $project ) {
-                echo esc_attr( $project->ID );}
-            ?>
-            ">
+            <?php $existing_project_id = $project ? $project->ID : ''; ?>
+            <input type="hidden" name="project_id" value="<?php echo esc_attr( $existing_project_id ); ?>">
+
+            <?php wp_nonce_field( 'anthologize_new_project' ); ?>
+
             </form>
 

anthologize/trunk/includes/class-project-organizer.php

@@ -70 +70 @@
                     <a href="admin.php?page=anthologize_new_project&project_id=<?php echo esc_attr( $this->project_id ); ?>"><?php _e( 'Project Details', 'anthologize' ); ?></a> |
                     <a target="_blank" href="<?php echo esc_url( $this->preview_url( $this->project_id, 'anth_project' ) ); ?>"><?php _e( 'Preview Project', 'anthologize' ); ?></a> |
-                    <a href="admin.php?page=anthologize&action=delete&project_id=<?php echo esc_attr( $this->project_id ); ?>" class="confirm-delete"><?php _e( 'Delete Project', 'anthologize' ); ?></a>
+                    <a href="<?php echo esc_attr( wp_nonce_url( admin_url( 'admin.php?page=anthologize&action=delete&project_id=' . $this->project_id ), 'anthologize_delete_project' ) ); ?>" class="confirm-delete"><?php _e( 'Delete Project', 'anthologize' ); ?></a>
                 </div>
             </h2>

anthologize/trunk/readme.txt

@@ -60 +60 @@
 
 == Changelog ==
+
+= 0.8.3 =
+* Fixed security vulnerability when deleting or creating projects
 
 = 0.8.2 =

anthologize/trunk/vendor/composer/InstalledVersions.php

@@ -32 +32 @@
      */
     private static $installed;
+
+    /**
+     * @var bool
+     */
+    private static $installedIsLocalDir;
 
     /**
@@ -310 +315 @@
         self::$installed = $data;
         self::$installedByVendor = array();
+
+        // when using reload, we disable the duplicate protection to ensure that self::$installed data is
+        // always returned, but we cannot know whether it comes from the installed.php in __DIR__ or not,
+        // so we have to assume it does not, and that may result in duplicate data being returned when listing
+        // all installed packages for example
+        self::$installedIsLocalDir = false;
     }
 
@@ -323 +334 @@
 
         $installed = array();
+        $copiedLocalDir = false;
 
         if (self::$canGetVendors) {
+            $selfDir = strtr(__DIR__, '\\', '/');
             foreach (ClassLoader::getRegisteredLoaders() as $vendorDir => $loader) {
+                $vendorDir = strtr($vendorDir, '\\', '/');
                 if (isset(self::$installedByVendor[$vendorDir])) {
                     $installed[] = self::$installedByVendor[$vendorDir];
@@ -331 +345 @@
                     /** @var array{root: array{name: string, pretty_version: string, version: string, reference: string|null, type: string, install_path: string, aliases: string[], dev: bool}, versions: array<string, array{pretty_version?: string, version?: string, reference?: string|null, type?: string, install_path?: string, aliases?: string[], dev_requirement: bool, replaced?: string[], provided?: string[]}>} $required */
                     $required = require $vendorDir.'/composer/installed.php';
-                    $installed[] = self::$installedByVendor[$vendorDir] = $required;
-                    if (null === self::$installed && strtr($vendorDir.'/composer', '\\', '/') === strtr(__DIR__, '\\', '/')) {
-                        self::$installed = $installed[count($installed) - 1];
+                    self::$installedByVendor[$vendorDir] = $required;
+                    $installed[] = $required;
+                    if (self::$installed === null && $vendorDir.'/composer' === $selfDir) {
+                        self::$installed = $required;
+                        self::$installedIsLocalDir = true;
                     }
+                }
+                if (self::$installedIsLocalDir && $vendorDir.'/composer' === $selfDir) {
+                    $copiedLocalDir = true;
                 }
             }
@@ -351 +370 @@
         }
 
-        if (self::$installed !== array()) {
+        if (self::$installed !== array() && !$copiedLocalDir) {
             $installed[] = self::$installed;
         }

anthologize/trunk/vendor/composer/installed.php

@@ -4 +4 @@
         'pretty_version' => '0.8.x-dev',
         'version' => '0.8.9999999.9999999-dev',
-        'reference' => 'ab984c003a2ace922d87f1e7f29d78110f401804',
+        'reference' => '1e60e8f970f44326fabf5c33edbb7df31f16ee55',
         'type' => 'project',
         'install_path' => __DIR__ . '/../../',
@@ -14 +14 @@
             'pretty_version' => '0.8.x-dev',
             'version' => '0.8.9999999.9999999-dev',
-            'reference' => 'ab984c003a2ace922d87f1e7f29d78110f401804',
+            'reference' => '1e60e8f970f44326fabf5c33edbb7df31f16ee55',
             'type' => 'project',
             'install_path' => __DIR__ . '/../../',