Merge pull request #716 from udx/latest

Latest -> v3.0

changelog.txt

@@ -1,4 +1,7 @@
 == Changelog ==
+= 3.4.1 =
+FIX - improve security while processing AJAX requests in Admin Panel
+
 = 3.4.0 =
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons. 
 * ENHANCEMENT - removed `udx/lib-utility` package dependency for security reasons.

changes.md

@@ -1,3 +1,6 @@
+#### 3.4.1
+FIX - improve security while processing AJAX requests in Admin Panel
+
 #### 3.4.0
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons. 
 * ENHANCEMENT - removed `udx/lib-utility` package dependency for security reasons.

lib/classes/class-ajax.php

@@ -48,6 +48,8 @@ public function __construct() {
        * @author peshkov@UD
        */
       public function request() {
+        check_ajax_referer('sm_inline_sync');
+
         global $doing_manual_sync;
 
         $response = array(

lib/classes/class-bootstrap.php

@@ -1216,6 +1216,9 @@ public function admin_init() {
 
         /* Attachment or upload page */
         wp_register_script('wp-stateless-uploads-js', $this->path('static/scripts/wp-stateless-uploads.js', 'url'), array('jquery'), self::$version);
+        wp_localize_script('wp-stateless-uploads-js', 'stateless_upload', [
+          'inline_sync_nonce' => wp_create_nonce('sm_inline_sync'),
+        ]);
 
         /* Setup wizard styles. */
         wp_register_style('wp-stateless-setup-wizard', $this->path('static/styles/wp-stateless-setup-wizard.css', 'url'), array(), self::$version);

lib/classes/class-errors.php

@@ -181,7 +181,10 @@ public function admin_notices() {
         wp_localize_script( "ud-dismiss", "_ud_vars", array(
             "ajaxurl" => admin_url( 'admin-ajax.php' ),
         ) );
-
+        wp_localize_script( "sateless-error-notice-js", "stateless_error_notice_vars", array(
+          "dismiss_nonce" => wp_create_nonce( 'stateless_notice_dismiss' ),
+          "enable_action_nonce" => wp_create_nonce( 'stateless_enable_notice_button_action' ),
+        ) );
 
         //** Don't show the message if the user has no enough permissions. */
         if ( ! function_exists( 'wp_get_current_user' ) ) {
@@ -248,20 +251,24 @@ public function admin_notices() {
        * dismiss the notice ajax callback
        * @throws \Exception
        */
-      public function dismiss_notices(){
+      public function dismiss_notices() {
+        check_ajax_referer('stateless_notice_dismiss');
+
         $response = array(
           'success' => '0',
           'error' => __( 'There was an error in request.', $this->domain ),
         );
+
         $error = false;
 
-        if( empty($_POST['key']) && strpos($_POST['key'], 'dismissed_notice_') !== false ) {
+        $option_key = isset($_POST['key']) ? sanitize_key($_POST['key']) : '';
+
+        if ( strpos($option_key, 'dismissed_') !== 0 ) {
           $response['error'] = __( 'Invalid key', $this->domain );
           $error = true;
         }
-        else {
-          $option_key = sanitize_key($_POST['key']);
-          update_option( $option_key, time() );
+
+        if ( !$error && update_option( $option_key, time() ) ) {
           $response['success'] = '1';
           $response['error'] = null;
         }
@@ -274,6 +281,8 @@ public function dismiss_notices(){
        * @throws \Exception
        */
       public function stateless_enable_notice_button_action(){
+        check_ajax_referer('stateless_enable_notice_button_action');
+
         $response = array(
           'success' => '1',
         );

readme.txt

@@ -5,8 +5,8 @@ Tags: google, google cloud, google cloud storage, cdn, uploads, media, stateless
 License: GPLv2 or later
 Requires PHP: 8.0
 Requires at least: 5.0
-Tested up to: 6.4.2
-Stable tag: 3.4.0
+Tested up to: 6.4.3
+Stable tag: 3.4.1
 
 Upload and serve your WordPress media files from Google Cloud Storage.
 
@@ -112,6 +112,9 @@ Before upgrading to WP-Stateless 3.2.0, please, make sure you use PHP 7.2 or abo
 Before upgrading to WP-Stateless 3.0, please, make sure you tested it on your development environment.
 
 == Changelog ==
+= 3.4.1 =
+FIX - improve security while processing AJAX requests in Admin Panel
+
 = 3.4.0 =
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons. 
 * ENHANCEMENT - removed `udx/lib-utility` package dependency for security reasons.

static/scripts/error-notice.js

@@ -15,6 +15,7 @@ jQuery( document ).ready( function ($) {
     var data = {
       action: 'stateless_enable_notice_button_action',
       key: _this.data('key'),
+      _ajax_nonce: stateless_error_notice_vars.enable_action_nonce ?? '',
     }
 
     jQuery.post( ajaxurl, data, function ( result_data ) {
@@ -41,6 +42,7 @@ jQuery( document ).ready( function ($) {
     var data = {
       action: 'stateless_notice_dismiss',
       key: _this.data('key'),
+      _ajax_nonce: stateless_error_notice_vars.dismiss_nonce ?? '',
     }
 
     jQuery.post( ajaxurl, data, function ( result_data ) {

static/scripts/wp-stateless-uploads.js

@@ -19,7 +19,8 @@ jQuery(document).ready(function(){
         data: {
           action: that.data('type') == 'image' ? "stateless_process_image" : "stateless_process_file",
           id: that.data('id'),
-          size: that.data('size')
+          size: that.data('size'),
+          _ajax_nonce: stateless_upload.inline_sync_nonce ?? '',
         }
       })
       .done(function( response ) {

vendor/composer/installed.json

@@ -264,16 +264,16 @@
         },
         {
             "name": "udx/lib-ud-api-client",
-            "version": "1.2.2",
-            "version_normalized": "1.2.2.0",
+            "version": "1.2.3",
+            "version_normalized": "1.2.3.0",
             "source": {
                 "type": "git",
                 "url": "[email protected]:udx/lib-ud-api-client",
-                "reference": "1.2.2"
+                "reference": "1.2.3"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://github.com/udx/lib-ud-api-client/archive/1.2.2.zip"
+                "url": "https://github.com/udx/lib-ud-api-client/archive/1.2.3.zip"
             },
             "require": {
                 "php": ">=5.3"
@@ -310,16 +310,16 @@
         },
         {
             "name": "udx/lib-wp-bootstrap",
-            "version": "1.3.1",
-            "version_normalized": "1.3.1.0",
+            "version": "1.3.2",
+            "version_normalized": "1.3.2.0",
             "source": {
                 "type": "git",
                 "url": "[email protected]:udx/lib-wp-bootstrap",
-                "reference": "1.3.1"
+                "reference": "1.3.2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://github.com/udx/lib-wp-bootstrap/archive/1.3.1.zip"
+                "url": "https://github.com/udx/lib-wp-bootstrap/archive/1.3.2.zip"
             },
             "require": {
                 "php": ">=5.3"

vendor/composer/installed.php

@@ -3,7 +3,7 @@
         'name' => 'wpcloud/wp-stateless',
         'pretty_version' => 'dev-latest',
         'version' => 'dev-latest',
-        'reference' => '4e811ffcf935c543ab66a31c9562301a405d988d',
+        'reference' => '4485e93b09271c7d1d632d20406de711e4d8b391',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -50,18 +50,18 @@
             ),
         ),
         'udx/lib-ud-api-client' => array(
-            'pretty_version' => '1.2.2',
-            'version' => '1.2.2.0',
-            'reference' => '1.2.2',
+            'pretty_version' => '1.2.3',
+            'version' => '1.2.3.0',
+            'reference' => '1.2.3',
             'type' => 'library',
             'install_path' => __DIR__ . '/../udx/lib-ud-api-client',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'udx/lib-wp-bootstrap' => array(
-            'pretty_version' => '1.3.1',
-            'version' => '1.3.1.0',
-            'reference' => '1.3.1',
+            'pretty_version' => '1.3.2',
+            'version' => '1.3.2.0',
+            'reference' => '1.3.2',
             'type' => 'library',
             'install_path' => __DIR__ . '/../udx/lib-wp-bootstrap',
             'aliases' => array(),
@@ -70,7 +70,7 @@
         'wpcloud/wp-stateless' => array(
             'pretty_version' => 'dev-latest',
             'version' => 'dev-latest',
-            'reference' => '4e811ffcf935c543ab66a31c9562301a405d988d',
+            'reference' => '4485e93b09271c7d1d632d20406de711e4d8b391',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

vendor/udx/lib-ud-api-client/changes.md

@@ -1,3 +1,7 @@
+### 1.2.3
+
+* Improve security while processing AJAX requests in Admin Panel.
+
 ### 1.2.2
 
 * Remove dependency from `udx/lib-utility`.

vendor/udx/lib-ud-api-client/gruntfile.js

@@ -2,7 +2,7 @@
  * Build Plugin.
  *
  * @author potanin@UD
- * @version 1.2.2
+ * @version 1.2.3
  * @param grunt
  */
 module.exports = function( grunt ) {

vendor/udx/lib-ud-api-client/lib/classes/class-bootstrap.php

@@ -18,7 +18,7 @@ class Bootstrap extends Scaffold {
       /**
        *
        */
-      public static $version = '1.2.2';
+      public static $version = '1.2.3';
 
       /**
        *