
Changeset 3451457


Timestamp:
02/01/2026 03:40:27 PM (8 weeks ago)
Author:
jackdewey
Message:

1.6.4

  • Fixed potential security issue
Location:
tune-library/trunk
Files:
3 edited

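--- a/tune-library/trunk/readme.txt
+++ b/tune-library/trunk/readme.txt
@@ -4,6 +4,6 @@
 Tags: iTunes, music, collection, list, XML, AJAX
 Requires at least: 2.7
-Tested up to: 6.8.2
-Stable tag: 1.6.3
+Tested up to: 6.9
+Stable tag: 1.6.4
 
 Import your iTunes music list into Wordpress and display your song collection on any page.
@@ -28,4 +28,7 @@
 
 == Changelog ==
+
+= 1.6.4 =
+* Fixed potential security issue
 
 = 1.6.3 =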
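--- a/tune-library/trunk/tune-library.php
+++ b/tune-library/trunk/tune-library.php
@@ -4,5 +4,5 @@
 Plugin URI: https://ylefebvre.github.io/wordpress-plugins/tune-library/
 Description: A plugin that can be used to import an iTunes Library into a MySQl database and display the contents of the collection on a Wordpress Page.
-Version: 1.6.3
+Version: 1.6.4
 Author: Yannick Lefebvre
 Author URI: https://ylefebvre.github.io/
@@ -175,4 +175,12 @@
 
             if ( isset( $_POST['importitunes'] ) ) {
+
+                // ADD: Capability check and nonce validation
+                if ( !current_user_can( 'manage_options' ) ) {
+                    die( __( 'Unauthorized' ) );
+                }
+
+                check_admin_referer( 'tunelibrarypp-config' );
+
                 echo "<div id='message' class='updated fade'>";
                 $options  = get_option('TuneLibraryPP');
@@ -218,4 +226,12 @@
                 echo '</div>';
             } elseif ( isset( $_POST['importcsv'] ) ) {
+
+                // ADD: Capability check and nonce validation
+                if ( !current_user_can( 'manage_options' ) ) {
+                    die( __( 'Unauthorized' ) );
+                }
+
+                check_admin_referer( 'tunelibrarypp-config' );
+
                 global $wpdb;
                 $row = 0;
@@ -233,5 +249,5 @@
                         if (!$skiprow) {
                             if ( count( $data ) == 5 ) {
-                                $wpdb->insert( $wpdb->get_blog_prefix() . "tracks", array( 'title' => $data[0], 'artist' => $data[1], 'albumartist' => $data[2], 'album' => $data[3], 'tracknum' => $data[4] ) );
+                                $wpdb->insert( $wpdb->get_blog_prefix() . "tracks", array( 'title' => sanitize_text_field( $data[0] ), 'artist' => sanitize_text_field( $data[1] ), 'albumartist' => sanitize_text_field( $data[2] ), 'album' => sanitize_text_field( $data[3] ), 'tracknum' => intval( $data[4] ) ) );
                             }
                         }
@@ -308,4 +324,5 @@
                     <input type="hidden" name="action" value="tune_lib_admin" />
                     <input type="hidden" name="MAX_FILE_SIZE" value="128000000" />
+
                     <table class="form-table" style="width:100%;">
                     <?php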
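Review bot: No `wp_nonce_field( 'tunelibrarypp-config' )` is visible in the form hunk (new line 326 shows as an empty line on this page), yet both handlers now call `check_admin_referer( 'tunelibrarypp-config' )`, which terminates the request when the nonce is missing; if the field was not actually added to the form, every import submission will now fail, so please confirm the form emits it. The two new guards at 179-181 and 230-232 use `die( __( 'Unauthorized' ) )`, which returns HTTP 200; the WordPress idiom is `wp_die( __( 'Unauthorized' ), '', array( 'response' => 403 ) );` so the refusal carries a 403 and goes through the normal error template. Since the guard block is duplicated verbatim in both branches, it could be hoisted once above the `if ( isset( $_POST['importitunes'] ) )` chain, and the `// ADD:` marker comments should be dropped or reworded as `// Only administrators may import, and the request must carry the settings-form nonce.` once the change lands. The enclosing handler function starts and ends outside these hunks.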
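--- a/tune-library/trunk/writeNodes.php
+++ b/tune-library/trunk/writeNodes.php
@@ -15,5 +15,5 @@
        
        foreach($tracks as $track){
-            echo "<li><a href='#'> ".$track->album."</a>
+            echo "<li><a href='#'> ". esc_html( $track->album )."</a>
                <ul>
                    <li parentId='album::".urlencode($itemData)."::".urlencode($track->album)."'><a href='#'>Loading...</a></li>
@@ -29,5 +29,5 @@
        
        foreach($tracks as $track){
-            echo "<li><a href='#'> ".$track->album."</a>
+            echo "<li><a href='#'> ". esc_html( $track->album )."</a>
                <ul>
                    <li parentId='albumvarious::".urlencode($itemData)."::".urlencode($track->album)."'><a href='#'>Loading...</a></li>
@@ -67,9 +67,9 @@
                echo '<li class="dhtmlgoodies_sheet.gif"><a href="#" disabled></a> ';
                if ( isset( $track['diskid'] ) && ( 1 != $track['diskid'] || count( $disk_id_array ) > 1 ) ) {
-                    echo $track['diskid'] . ' - ';
+                    echo intval( $track['diskid'] ) . ' - ';
                }
-                echo $track['tracknum'] . ' - ' . $track['title'] . '</li>';
+                echo intval( $track['tracknum'] ) . ' - ' . esc_html( $track['title'] ) . '</li>';
            } else {
-                echo "<li class='dhtmlgoodies_sheet.gif'><a href='#' disabled></a> " . $track['title'] . '</li>';
+                echo "<li class='dhtmlgoodies_sheet.gif'><a href='#' disabled></a> " . esc_html( $track['title'] ) . '</li>';
            }
        }
@@ -109,9 +109,9 @@
                echo '<li class="dhtmlgoodies_sheet.gif"><a href="#" disabled></a> ';
                if ( isset( $track['diskid'] ) && ( 1 != $track['diskid'] || count( $disk_id_array ) > 1 ) ) {
-                    echo $track['diskid'] . ' - ';
+                    echo intval( $track['diskid'] ) . ' - ';
                }
-                echo $track['tracknum'] . ' - ' . $track['artist'] . ' - ' . $track['title'] . '</li>';
+                echo intval( $track['tracknum'] ) . ' - ' . esc_html( $track['artist'] ) . ' - ' . esc_html( $track['title'] ) . '</li>';
            } else {
-                echo '<li class="dhtmlgoodies_sheet.gif"><a href="#" disabled></a> ' . $track['title'] . '</li>';
+                echo '<li class="dhtmlgoodies_sheet.gif"><a href="#" disabled></a> ' . esc_html( $track['title'] ) . '</li>';
            }
        }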
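Review bot: `intval( $track['tracknum'] )` at new lines 71 and 113 changes the rendering for rows whose tracknum is empty or NULL: the old code printed an empty string, the new code prints `0`, so such tracks now appear as `0 - Title`. If tracknum can be unset in the tracks table (the CSV path on this changeset stores `intval( $data[4] )`, but the iTunes XML import is not visible here), `echo esc_html( (string) $track['tracknum'] ) . ' - ' . esc_html( $track['title'] ) . '</li>';` keeps the previous output while still escaping it, and the same applies to the artist variant at line 113. The `diskid` cast at 69 and 111 does not have this problem because the `isset` guard on the preceding line already excludes NULL. The enclosing loops start outside these hunks.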