diff --git a/changelog.txt b/changelog.txt
index 95b8ea6db..83b427e71 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,4 +1,7 @@
 == Changelog ==
+= 3.4.1 =
+FIX - improve security while processing AJAX requests in Admin Panel
+
 = 3.4.0 =
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons.
 * ENHANCEMENT - removed `udx/lib-utility` package dependency for security reasons.
diff --git a/changes.md b/changes.md
index cc6decffb..e8821c80d 100644
--- a/changes.md
+++ b/changes.md
@@ -1,3 +1,6 @@
+#### 3.4.1
+FIX - improve security while processing AJAX requests in Admin Panel
+
 #### 3.4.0
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons.
 * ENHANCEMENT - removed `udx/lib-utility` package dependency for security reasons.
diff --git a/lib/classes/class-ajax.php b/lib/classes/class-ajax.php
index 56bee4513..cf83e44e7 100644
--- a/lib/classes/class-ajax.php
+++ b/lib/classes/class-ajax.php
@@ -48,6 +48,8 @@ public function __construct() {
 * @author peshkov@UD
 */
 public function request() {
+ check_ajax_referer('sm_inline_sync');
+
 global $doing_manual_sync;
 $response = array(
diff --git a/lib/classes/class-bootstrap.php b/lib/classes/class-bootstrap.php
index 1cbe611a4..dab3d83a2 100644
--- a/lib/classes/class-bootstrap.php
+++ b/lib/classes/class-bootstrap.php
@@ -1216,6 +1216,9 @@ public function admin_init() {
 /* Attachment or upload page */
 wp_register_script('wp-stateless-uploads-js', $this->path('static/scripts/wp-stateless-uploads.js', 'url'), array('jquery'), self::$version);
+ wp_localize_script('wp-stateless-uploads-js', 'stateless_upload', [
+ 'inline_sync_nonce' => wp_create_nonce('sm_inline_sync'),
+ ]);
 /* Setup wizard styles. */
 wp_register_style('wp-stateless-setup-wizard', $this->path('static/styles/wp-stateless-setup-wizard.css', 'url'), array(), self::$version);
diff --git a/lib/classes/class-errors.php b/lib/classes/class-errors.php
index d5099c9d9..b2b27026f 100644
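Review bot: `check_ajax_referer('sm_inline_sync')` at the top of `request()` proves only that the caller holds a nonce issued to the current user; it is not an authorization check, and nothing in the hunk confirms the user is allowed to sync attachments. The same applies to `dismiss_notices()` and `stateless_enable_notice_button_action()` in class-errors.php, which also gain only the referer check. Unless a capability check already sits further down (the body of `request()` continues outside the hunk), add one right after the nonce check, e.g. `if ( ! current_user_can( 'upload_files' ) ) { wp_send_json_error( null, 403 ); }`, adapted to whatever response shape the handler uses. Note also that with the default `$die` argument a failed referer check ends the request via `wp_die`, so the JSON `$response` array built below is never sent on that path; if the front-end relies on that shape, pass `false` as the third argument and emit the error yourself.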
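Review bot: The nonce action `'sm_inline_sync'` is now a bare string literal in two files, here in `admin_init()` and in `request()` in class-ajax.php, so a typo in either silently breaks every inline sync with a 403 and no hint at the cause. Define it once as a class constant (name to be chosen) and reference it from both `wp_create_nonce()` and `check_ajax_referer()`. As a point of style, the new call uses short array syntax `[ ... ]` while the adjacent `wp_register_script`/`wp_register_style` lines in the same method use `array( ... )`; pick one form for the file.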
--- a/lib/classes/class-errors.php
+++ b/lib/classes/class-errors.php
@@ -181,7 +181,10 @@ public function admin_notices() {
 wp_localize_script( "ud-dismiss", "_ud_vars", array(
 "ajaxurl" => admin_url( 'admin-ajax.php' ),
 ) );
-
+ wp_localize_script( "sateless-error-notice-js", "stateless_error_notice_vars", array(
+ "dismiss_nonce" => wp_create_nonce( 'stateless_notice_dismiss' ),
+ "enable_action_nonce" => wp_create_nonce( 'stateless_enable_notice_button_action' ),
+ ) );
 //** Don't show the message if the user has no enough permissions. */
 if ( ! function_exists( 'wp_get_current_user' ) ) {
@@ -248,20 +251,24 @@ public function admin_notices() {
 * dismiss the notice ajax callback
 * @throws \Exception
 */
- public function dismiss_notices(){
+ public function dismiss_notices() {
+ check_ajax_referer('stateless_notice_dismiss');
+
 $response = array(
 'success' => '0',
 'error' => __( 'There was an error in request.', $this->domain ),
 );
+ $error = false;
- if( empty($_POST['key']) && strpos($_POST['key'], 'dismissed_notice_') !== false ) {
+ $option_key = isset($_POST['key']) ? sanitize_key($_POST['key']) : '';
+
+ if ( strpos($option_key, 'dismissed_') !== 0 ) {
 $response['error'] = __( 'Invalid key', $this->domain );
 $error = true;
 }
- else {
- $option_key = sanitize_key($_POST['key']);
- update_option( $option_key, time() );
+
+ if ( !$error && update_option( $option_key, time() ) ) {
 $response['success'] = '1';
 $response['error'] = null;
 }
@@ -274,6 +281,8 @@ public function dismiss_notices(){
 * @throws \Exception
 */
 public function stateless_enable_notice_button_action(){
+ check_ajax_referer('stateless_enable_notice_button_action');
+
 $response = array(
 'success' => '1',
 );
diff --git a/readme.txt b/readme.txt
index 25f30227e..ff8238722 100644
--- a/readme.txt
+++ b/readme.txt
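Review bot: The handle passed to the new `wp_localize_script` call, `"sateless-error-notice-js"`, looks misspelled ("sateless"); if the script is registered as `stateless-error-notice-js`, the localization attaches to nothing, `stateless_error_notice_vars` is never defined in the browser, and both notice buttons will fail their new referer checks. The registration is outside the hunk, so confirm the handle matches it exactly. Separately, the nonces are emitted before the permission check that follows in context (`//** Don't show the message if the user has no enough permissions. */`); that is harmless only if the AJAX handlers enforce capabilities themselves, so consider moving the call below that check so these nonces are handed only to users who are actually shown the notice.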
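Review bot: `update_option( $option_key, time() )` is documented to return `false` when the stored value does not change, so a repeated dismiss for the same key within the same second (a double-click) may leave `success` at `'0'` and report `There was an error in request.` even though the notice is dismissed; either compare with `get_option( $option_key )` first or do not treat a `false` return as an error. The prefix test can use the PHP 8.0 built-in the plugin already requires (readme.txt: `Requires PHP: 8.0`): `if ( ! str_starts_with( $option_key, 'dismissed_' ) ) {`. Note the accepted prefix has also widened from `dismissed_notice_` to `dismissed_`, which lets any holder of the nonce write any option whose name starts with `dismissed_`; if only `dismissed_notice_*` keys are legitimate, keep the narrower prefix. The function's tail (sending `$response`) is outside the hunk.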
@@ -5,8 +5,8 @@ Tags: google, google cloud, google cloud storage, cdn, uploads, media, stateless
 License: GPLv2 or later
 Requires PHP: 8.0
 Requires at least: 5.0
-Tested up to: 6.4.2
-Stable tag: 3.4.0
+Tested up to: 6.4.3
+Stable tag: 3.4.1
 Upload and serve your WordPress media files from Google Cloud Storage.
@@ -112,6 +112,9 @@ Before upgrading to WP-Stateless 3.2.0, please, make sure you use PHP 7.2 or abo
 Before upgrading to WP-Stateless 3.0, please, make sure you tested it on your development environment.
 == Changelog ==
+= 3.4.1 =
+FIX - improve security while processing AJAX requests in Admin Panel
+
 = 3.4.0 =
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons.
 * ENHANCEMENT - removed `udx/lib-utility` package dependency for security reasons.
diff --git a/static/scripts/error-notice.js b/static/scripts/error-notice.js
index 19931d0bc..1eb5b7254 100644
--- a/static/scripts/error-notice.js
+++ b/static/scripts/error-notice.js
@@ -15,6 +15,7 @@ jQuery( document ).ready( function ($) {
 var data = {
 action: 'stateless_enable_notice_button_action',
 key: _this.data('key'),
+ _ajax_nonce: stateless_error_notice_vars.enable_action_nonce ?? '',
 }
 jQuery.post( ajaxurl, data, function ( result_data ) {
@@ -41,6 +42,7 @@ jQuery( document ).ready( function ($) {
 var data = {
 action: 'stateless_notice_dismiss',
 key: _this.data('key'),
+ _ajax_nonce: stateless_error_notice_vars.dismiss_nonce ?? '',
 }
 jQuery.post( ajaxurl, data, function ( result_data ) {
diff --git a/static/scripts/wp-stateless-uploads.js b/static/scripts/wp-stateless-uploads.js
index 266260b8d..bfdcfc769 100644
--- a/static/scripts/wp-stateless-uploads.js
+++ b/static/scripts/wp-stateless-uploads.js
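Review bot: `stateless_error_notice_vars.enable_action_nonce ?? ''` guards only a missing property; if the `stateless_error_notice_vars` object itself is undefined (the localized handle did not match, or the script loaded without it), the expression throws a `ReferenceError` before `jQuery.post` runs instead of falling back to `''`. The same pattern is in the second hunk of this file (`dismiss_nonce`) and in static/scripts/wp-stateless-uploads.js (`stateless_upload.inline_sync_nonce`). If the fallback is intended, read the global through `window` with optional chaining, which this code's use of `??` already assumes is available: `_ajax_nonce: window.stateless_error_notice_vars?.enable_action_nonce ?? '',`. If it is not intended, drop the `?? ''` so a misconfiguration surfaces as a visible error rather than a silent 403 from `check_ajax_referer`.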
@@ -19,7 +19,8 @@ jQuery(document).ready(function(){
 data: {
 action: that.data('type') == 'image' ? "stateless_process_image" : "stateless_process_file",
 id: that.data('id'),
- size: that.data('size')
+ size: that.data('size'),
+ _ajax_nonce: stateless_upload.inline_sync_nonce ?? '',
 }
 })
 .done(function( response ) {
diff --git a/wp-stateless-media.php b/wp-stateless-media.php
index 9808ff211..7fde37c46 100644
--- a/wp-stateless-media.php
+++ b/wp-stateless-media.php
@@ -4,7 +4,7 @@
 * Plugin URI: https://stateless.udx.io/
 * Description: Upload and serve your WordPress media files from Google Cloud Storage.
 * Author: UDX
- * Version: 3.4.0
+ * Version: 3.4.1
 * Text Domain: stateless-media
 * Author URI: https://www.udx.io
 *