Changeset 1087142


Timestamp:
02/11/15 13:53:09 (2 years ago)
Author:
johneckman
Message:

Updated to 2.7.1 - added nonce to admin form for CSRF protection

Location:
wpbook
Files:
4 edited
1 copied

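--- a/wpbook/tags/2.7.1/README.txt
+++ b/wpbook/tags/2.7.1/README.txt
@@ -2,5 +2,5 @@
 Contributors: johneckman, davelester, BandonRandon
 Tags: facebook, platform, application, blog, mirror
-Stable tag: 2.7
+Stable tag: 2.7.1
 Tested up to: 4.0
 Requires at least: 2.9.0
@@ -101,4 +101,8 @@
 
 == Changelog ==
+
+= 2.7.1 =
+ * Added wp_nonce protection to admin form to prevent CSRF - thanks to Ryan Satterfield
+   from https://planetzuda.com/ for the report on the vulnerability
 
 = 2.7 =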
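--- a/wpbook/tags/2.7.1/wpbook.php
+++ b/wpbook/tags/2.7.1/wpbook.php
@@ -6,6 +6,6 @@
 Author: John Eckman
 Author URI: http://johneckman.com
-Version: 2.7
-Stable tag: 2.7
+Version: 2.7.1
+Stable tag: 2.7.1
 */
 
@@ -209,6 +209,9 @@
 
         // if we're posting
-        if (isset($_POST['fb_api_key']) && isset($_POST['fb_secret']) && isset($_POST['fb_app_url']) && isset($_POST['fb_admin_target'])
-                && (!empty($_POST['fb_api_key']))  && (!empty($_POST['fb_secret'])) && (!empty($_POST['fb_app_url'])) && (!empty($_POST['fb_admin_target']))) {
+        if ( ! empty( $_POST ) && check_admin_referer( 'update_settings', 'wpbook_admin_nonce')
+                && isset($_POST['fb_api_key']) && isset($_POST['fb_secret']) && isset($_POST['fb_app_url'])
+                && isset($_POST['fb_admin_target']) && (!empty($_POST['fb_api_key']))
+                && (!empty($_POST['fb_secret'])) && (!empty($_POST['fb_app_url']))
+                && (!empty($_POST['fb_admin_target']))) {
             $fb_api_key = preg_replace("#[^0-9]#", "",$_POST['fb_api_key']);
             $fb_secret = $_POST['fb_secret'];
@@ -463,4 +466,6 @@
         } elseif (($wpbookAdminOptions['fb_api_key'] != "") && ($wpbookAdminOptions['fb_secret'] != "") && ($wpbookAdminOptions['fb_app_url'] != "")  && ($wpbookAdminOptions['fb_admin_target'] != "")){
             $flash = "";
+        } elseif (! check_admin_referer( 'update_settings', 'wpbook_admin_nonce') ) {
+            $flash = "Admin nonce failed";
         } else {
             $flash = "Please complete all necessary fields";
@@ -929,4 +934,5 @@
 
             <?php
+            wp_nonce_field( 'update_settings', 'wpbook_admin_nonce' );
             echo '<p><input type="submit" value="Save" class="button-primary"';
             echo ' name="wpbook_save_button" /></form></p>';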
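Review bot: The `elseif (! check_admin_referer( 'update_settings', 'wpbook_admin_nonce') )` branch added at new line 468 cannot produce the "Admin nonce failed" flash as written, because check_admin_referer() in WordPress core does not return false on a missing or invalid nonce — it calls wp_die() (unless a check_admin_referer action hook short-circuits it), so a bad POST has already died inside the first check at new line 211 and a request that reaches line 468 dies there instead. If this chain is also evaluated on a plain GET of the settings page — the enclosing function starts outside the hunk, so that cannot be confirmed here — an install whose options are not all set would reach this branch with no nonce present and die before the form is rendered. A non-fatal check belongs here instead, e.g. `} elseif ( ! isset( $_POST['wpbook_admin_nonce'] ) || ! wp_verify_nonce( $_POST['wpbook_admin_nonce'], 'update_settings' ) ) {`. It is also worth confirming that the save handler is gated by a capability check such as current_user_can( 'manage_options' ), which the nonce does not replace; none is visible in this hunk. The same lines appear in wpbook/trunk/wpbook.php.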
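--- a/wpbook/trunk/README.txt
+++ b/wpbook/trunk/README.txt
@@ -2,5 +2,5 @@
 Contributors: johneckman, davelester, BandonRandon
 Tags: facebook, platform, application, blog, mirror
-Stable tag: 2.7
+Stable tag: 2.7.1
 Tested up to: 4.0
 Requires at least: 2.9.0
@@ -101,4 +101,8 @@
 
 == Changelog ==
+
+= 2.7.1 =
+ * Added wp_nonce protection to admin form to prevent CSRF - thanks to Ryan Satterfield
+   from https://planetzuda.com/ for the report on the vulnerability
 
 = 2.7 =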
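--- a/wpbook/trunk/wpbook.php
+++ b/wpbook/trunk/wpbook.php
@@ -6,6 +6,6 @@
 Author: John Eckman
 Author URI: http://johneckman.com
-Version: 2.7
-Stable tag: 2.7
+Version: 2.7.1
+Stable tag: 2.7.1
 */
 
@@ -209,6 +209,9 @@
 
         // if we're posting
-        if (isset($_POST['fb_api_key']) && isset($_POST['fb_secret']) && isset($_POST['fb_app_url']) && isset($_POST['fb_admin_target'])
-                && (!empty($_POST['fb_api_key']))  && (!empty($_POST['fb_secret'])) && (!empty($_POST['fb_app_url'])) && (!empty($_POST['fb_admin_target']))) {
+        if ( ! empty( $_POST ) && check_admin_referer( 'update_settings', 'wpbook_admin_nonce')
+                && isset($_POST['fb_api_key']) && isset($_POST['fb_secret']) && isset($_POST['fb_app_url'])
+                && isset($_POST['fb_admin_target']) && (!empty($_POST['fb_api_key']))
+                && (!empty($_POST['fb_secret'])) && (!empty($_POST['fb_app_url']))
+                && (!empty($_POST['fb_admin_target']))) {
             $fb_api_key = preg_replace("#[^0-9]#", "",$_POST['fb_api_key']);
             $fb_secret = $_POST['fb_secret'];
@@ -463,4 +466,6 @@
         } elseif (($wpbookAdminOptions['fb_api_key'] != "") && ($wpbookAdminOptions['fb_secret'] != "") && ($wpbookAdminOptions['fb_app_url'] != "")  && ($wpbookAdminOptions['fb_admin_target'] != "")){
             $flash = "";
+        } elseif (! check_admin_referer( 'update_settings', 'wpbook_admin_nonce') ) {
+            $flash = "Admin nonce failed";
         } else {
             $flash = "Please complete all necessary fields";
@@ -929,4 +934,5 @@
 
             <?php
+            wp_nonce_field( 'update_settings', 'wpbook_admin_nonce' );
             echo '<p><input type="submit" value="Save" class="button-primary"';
             echo ' name="wpbook_save_button" /></form></p>';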