
Changeset 1160703 for feedwordpress


Timestamp:
05/14/15 18:55:21 (2 years ago)
Author:
radgeek
Message:

SECURITY UPDATE AND BUGFIXES / Ver. 2015.0514.

Location:
feedwordpress/trunk
Files:
6 edited

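--- a/feedwordpress/trunk/admin-ui.php
+++ b/feedwordpress/trunk/admin-ui.php
@@ -60,9 +60,11 @@
         add_action('feedwordpress_check_feed_complete', 'update_feeds_finish', 10, 3);
 
+        $link = $this->link;
+
         print '<div class="updated">';
         print "<ul>";
         $uri = $this->link->uri();
         $displayUrl = $uri;
-
+
         // check for effects of an effective-url filter
         $effectiveUrl = $link->uri(array('fetch' => true));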
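Review bot: The new alias `$link = $this->link;` at 62 is consumed only at 70, while 66 still reads `$this->link->uri()` directly; either use the alias in both places, `$uri = $link->uri();`, or drop it and write `$this->link->uri(array('fetch' => true))` at 70. The hunk does not show whether `$this->link` can be unset when this runs; if it can, the alias carries that null into the `->uri()` call at 70, so a guard there would be worth confirming. The enclosing method starts and ends outside the hunk.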
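--- a/feedwordpress/trunk/feedwordpress.php
+++ b/feedwordpress/trunk/feedwordpress.php
@@ -4,5 +4,5 @@
 Plugin URI: http://feedwordpress.radgeek.com/
 Description: simple and flexible Atom/RSS syndication for WordPress
-Version: 2015.0426
+Version: 2015.0514
 Author: Charles Johnson
 Author URI: http://radgeek.com/
@@ -12,5 +12,5 @@
 /**
  * @package FeedWordPress
- * @version 2015.0426
+ * @version 2015.0514
  */
 
@@ -33,5 +33,5 @@
 # -- Don't change these unless you know what you're doing...
 
-define ('FEEDWORDPRESS_VERSION', '2015.0426');
+define ('FEEDWORDPRESS_VERSION', '2015.0514');
 define ('FEEDWORDPRESS_AUTHOR_CONTACT', 'http://radgeek.com/contact');
 
@@ -1643,5 +1643,5 @@
 
     public function row_actions ($actions, $post) {
-        if (is_syndicated($post->ID)) :
+        if (is_syndicated($post->ID) && current_user_can('edit_post', $post->ID)) :
             $link = get_delete_post_link($post->ID, '', true);
             $eraseLink = MyPHP::url($link, array("fwp_post_delete" => "nuke"));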
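Review bot: The `current_user_can('edit_post', $post->ID)` check added at 1645 only governs whether the nuke link is rendered; nothing in this hunk shows the handler for the `fwp_post_delete=nuke` parameter re-checking authorization, and that URL can be issued without ever seeing the row action. Unless the handler already does so outside this view, it should independently verify the capability and the nonce that `get_delete_post_link($post->ID, '', true)` at 1646 attaches, e.g. `if (!current_user_can('delete_post', $post->ID)) wp_die(...)` followed by `check_admin_referer('delete-post_' . $post->ID)` — the handler is not visible here, so this is to be confirmed. For a destructive action, `delete_post` is also the more accurate capability than `edit_post` at 1645. row_actions's body continues past the hunk.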
  • feedwordpress/trunk/feedwordpresssyndicationpage.class.php

    r960798 r1160703  
    7171    } 
    7272 
     73    /** 
     74     * sanitize_ids: Protect id numbers from untrusted sources (POST array etc.) 
     75     * from possibility of SQLi attacks. Runs everything through an intval filter 
     76     * and then for good measure through esc_sql() 
     77     * 
     78     * @param array $link_ids An array of one or more putative link IDs 
     79     * @return array  
     80     */ 
     81    public function sanitize_ids_sql ($link_ids) { 
     82        $link_ids = array_map( 
     83            'esc_sql', 
     84            array_map( 
     85                'intval', 
     86                $link_ids 
     87            ) 
     88        ); 
     89        return $link_ids; 
     90    } /* FeedWordPressSyndicationPage::sanitize_ids_sql () */ 
     91 
     92    /** 
     93     * requested_link_ids_sql () 
     94     * 
     95     * @return string An SQL list literal containing the link IDs, sanitized 
     96     *      and escaped for direct use in MySQL queries. 
     97     * 
     98     * @uses sanitize_ids_sql() 
     99     */ 
     100    public function requested_link_ids_sql () { 
     101        // Multiple link IDs passed in link_ids[]=... . . . 
     102        $link_ids = (isset($_REQUEST['link_ids']) ? $_REQUEST['link_ids'] : array()); 
     103         
     104        // Or single in link_id=... 
     105        if (isset($_REQUEST['link_id'])) : array_push($link_ids, $_REQUEST['link_id']); endif; 
     106 
     107        // Filter for safe use in MySQL queries. 
     108        $link_ids = $this->sanitize_ids_sql($link_ids); 
     109         
     110        // Convert to MySQL list literal. 
     111        return "('".implode("', '", $link_ids)."')";     
     112    } /* FeedWordPressSyndicationPage::requested_link_ids_sql () */ 
     113     
    73114    function updates_requested () { 
    74115        global $wpdb; 
     
    85126            if (is_array(MyPHP::post('link_ids')) 
    86127            and (MyPHP::post('action')==FWP_UPDATE_CHECKED)) : 
     128                // Get single link ID or multiple link IDs from REQUEST parameters 
     129                // if available. Sanitize values for MySQL. 
     130                $link_list = $this->requested_link_ids_sql(); 
     131                 
     132                // $link_list has previously been sanitized for html by self::requested_link_ids_sql 
    87133                $targets = $wpdb->get_results(" 
    88134                SELECT * FROM $wpdb->links 
    89                 WHERE link_id IN (".implode(",",$_POST['link_ids']).") 
     135                WHERE link_id IN ${link_list} 
    90136                "); 
    91137                if (is_array($targets)) : 
     
    739785            return true; // Continue without further ado. 
    740786        endif; 
    741          
    742         $link_ids = (isset($_REQUEST['link_ids']) ? $_REQUEST['link_ids'] : array()); 
    743         if (isset($_REQUEST['link_id'])) : array_push($link_ids, $_REQUEST['link_id']); endif; 
    744      
     787 
     788        // Get single link ID or multiple link IDs from REQUEST parameters 
     789        // if available. Sanitize values for MySQL.      
     790        $link_list = $this->requested_link_ids_sql(); 
     791 
    745792        if (MyPHP::post('confirm')=='Delete'): 
    746793            if ( is_array(MyPHP::post('link_action')) ) : 
     
    836883            return true; // Continue on to Syndicated Sites listing 
    837884        else : 
     885            // $link_list has previously been sanitized for html by self::requested_link_ids_sql 
    838886            $targets = $wpdb->get_results(" 
    839887                SELECT * FROM $wpdb->links 
    840                 WHERE link_id IN (".implode(",",$link_ids).") 
     888                WHERE link_id IN ${link_list} 
    841889                "); 
    842890    ?> 
     
    908956        FeedWordPressCompatibility::validate_http_request(/*action=*/ 'feedwordpress_feeds', /*capability=*/ 'manage_links'); 
    909957     
    910         $link_ids = (isset($_REQUEST['link_ids']) ? $_REQUEST['link_ids'] : array()); 
    911         if (isset($_REQUEST['link_id'])) : array_push($link_ids, $_REQUEST['link_id']); endif; 
    912      
     958        // Get single link ID or multiple link IDs from REQUEST parameters 
     959        // if available. Sanitize values for MySQL. 
     960        $link_list = $this->requested_link_ids_sql(); 
     961 
    913962        if (MyPHP::post('confirm')=='Undelete'): 
    914963            if ( is_array(MyPHP::post('link_action')) ) : 
     
    9571006            return true; // Continue on to Syndicated Sites listing 
    9581007        else : 
     1008            // $link_list has previously been sanitized for html by self::requested_link_ids_sql 
    9591009            $targets = $wpdb->get_results(" 
    9601010                SELECT * FROM $wpdb->links 
    961                 WHERE link_id IN (".implode(",",$link_ids).") 
     1011                WHERE link_id IN ${link_list} 
    9621012                "); 
    9631013    ?> 
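Review bot: `requested_link_ids_sql()` (new lines 102–105) assumes `$_REQUEST['link_ids']` is an array, but a request carrying `link_ids` as a scalar, or as a nested array, reaches `array_map('intval', …)` unchecked — a scalar makes `array_map()` and `array_push()` fail with a warning, and a nested array collapses to 0/1 through `intval()` instead of being rejected. Guard the shape before sanitizing: `$link_ids = (isset($_REQUEST['link_ids']) && is_array($_REQUEST['link_ids'])) ? $_REQUEST['link_ids'] : array();` and then `$link_ids = array_filter($link_ids, 'is_scalar');` ahead of the `sanitize_ids_sql()` call at 108. The intval-then-esc_sql pipeline does close the injection in the three `IN (…)` queries (135, 888, 1011), so this is robustness rather than a gap in the fix. Separately, the new comment repeated at 132, 885 and 1008 says the list was "sanitized for html" when it was sanitized for SQL; `// $link_list was sanitized for SQL by self::requested_link_ids_sql()` is the accurate wording.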
  • feedwordpress/trunk/readme.txt

    r1146506 r1160703  
    44Tags: syndication, aggregation, feed, atom, rss 
    55Requires at least: 3.0 
    6 Tested up to: 4.2 
    7 Stable tag: 2015.0426 
     6Tested up to: 4.2.2 
     7Stable tag: 2015.0514 
    88 
    99FeedWordPress syndicates content from feeds you choose into your WordPress weblog.  
     
    9595== Changelog == 
    9696 
     97= 2015.0514 = 
     98 
     99*   IMPORTANT SECURITY UPDATE: This version includes two important fixes for 
     100    potential security vulnerabilities reported to me through support channels. 
     101     
     102    The first is a common problem across several plugins due to an ambiguity in 
     103    the WordPress documentation and a change in the behavior of WordPress's 
     104    built-in add_query_arg() and remove_query_arg() functions 
     105    which could, under certain low-probability conditions, allow for potential 
     106    XSS attack vectors. This fixes issue # 39 
     107    reported at <https://github.com/radgeek/feedwordpress/issues/39> 
     108    Thanks to github.com/quassy 
     109     
     110    The second is a security vulnerability fixes a security vulnerability that 
     111    was reported to me privately (thanks to Adrián M. F.) which, under other 
     112    low-probability conditions, could allow for SQL insertion attacks by 
     113    a malicious user with access to login credentials, which would compromise 
     114    data security. 
     115 
     116    It is *IMPORTANT* and worth your while to upgrade FeedWordPress as soon as 
     117    possible in order to eliminate these vulnerabilities. If you have any 
     118    questions or if there is something blocking you from making the upgrade 
     119    which you need my help with, don't hesitate to get in touch. 
     120 
     121*   ADMIN UI BUGFIX: "Update Now" button in feeds setting pages should now work 
     122    once again instead of causing a PHP fatal error. See 
     123    <https://github.com/radgeek/feedwordpress/issues/46> 
     124     
     125*   SEVERAL OTHER SMALL BUG FIXES. See <https://github.com/radgeek/feedwordpress/issues/32> 
     126    <https://github.com/radgeek/feedwordpress/issues/30> 
     127    <https://github.com/radgeek/feedwordpress/issues/29> 
     128    etc. 
     129 
    97130= 2014.0805 = 
    98  
    99131 
    100132*   FILTERS AND ADD-ONS: A number of new hooks for filters and add-ons to 
  • feedwordpress/trunk/syndicatedlink.class.php

    r960798 r1160703  
    131131        $url = $this->uri(array('add_params' => true, 'fetch' => true)); 
    132132        FeedWordPress::diagnostic('updated_feeds', 'Polling feed ['.$url.']'); 
    133  
     133     
    134134        $this->fetch(); 
    135  
     135     
    136136        $new_count = NULL; 
    137137 
     
    179179 
    180180        elseif (is_object($this->simplepie)) : 
     181 
    181182            // Success; clear out error setting, if any. 
    182183            $this->update_setting('update/error', NULL); 
     
    286287                        endif; 
    287288                    endif; 
     289 
    288290                    unset($post); 
     291                     
    289292                endforeach; 
    290293            endif; 
     
    721724        )); 
    722725 
     726        // Initialize $qp (= array for added query parameters, if any) 
     727        $qp = array(); 
     728         
    723729        $link_rss = (is_object($this->link) ? $this->link->link_rss : NULL);  
    724  
     730         
     731        // $link_rss stores the URI for the subscription as stored in the feed's record. 
     732        // $uri stores the effective URI of the request including any/all added query parameters  
    725733        $uri = $link_rss; 
    726734        if (!is_null($uri) and strlen($uri) > 0 and $params['add_params']) : 
     
    730738            $qp = apply_filters('syndicated_feed_parameters', $qp, $uri, $this); 
    731739 
     740            // $qp is an array of key-value pairs stored as arrays of format [$key, $value] 
    732741            $q = array(); 
    733742            if (is_array($qp) and count($qp) > 0) : 
  • feedwordpress/trunk/syndicatedpost.class.php

    r960798 r1160703  
    118118            $this->post = NULL; 
    119119        else : 
     120 
    120121            # Note that nothing is run through esc_sql() here. 
    121122            # That's deliberate. The escaping is done at the point 
     
    127128                $this->entry->get_title(), $this 
    128129            ); 
     130 
    129131 
    130132            $this->named['author'] = apply_filters( 
     
    135137            // We look up (or create) the numeric ID for the author 
    136138            // in SyndicatedPost::add(). 
    137              
     139 
    138140            $this->post['post_content'] = apply_filters( 
    139141                'syndicated_item_content', 
     
    349351            $this->post['post_type'] = apply_filters('syndicated_post_type', $this->link->setting('syndicated post type', 'syndicated_post_type', 'post'), $this); 
    350352        endif; 
     353         
    351354    } /* SyndicatedPost::SyndicatedPost() */ 
    352355 
     
    590593     
    591594    function content ($params = array()) { 
     595 
    592596        $params = wp_parse_args($params, array( 
    593597        "full only" => false,  
     
    636640             
    637641        endif; 
     642         
    638643        return $content; 
    639644    } /* SyndicatedPost::content() */ 
     
    12141219        $tag = FeedWordPressHTML::attributeMatch($refs); 
    12151220        $url = SimplePie_Misc::absolutize_url($tag['value'], $this->_base); 
     1221 
    12161222        return $tag['prefix'] . $url . $tag['suffix']; 
    12171223    } /* function SyndicatedPost::resolve_single_relative_uri() */ 
     
    12341240                list($tag, $attr) = $pair; 
    12351241                $pattern = FeedWordPressHTML::attributeRegex($tag, $attr); 
     1242 
     1243                // FIXME: Encountered issue while testing an extremely long (= 88827 characters) item 
     1244                // Relying on preg_replace_callback() here can cause a PHP seg fault on my development 
     1245                // server. preg_match_all() causes a similar problem. Apparently this is a PCRE issue 
     1246                // Cf. discussion of similar issue <https://bugs.php.net/bug.php?id=65009> 
    12361247                $content = preg_replace_callback ( 
    12371248                    $pattern, 
     
    12391250                    $content 
    12401251                ); 
     1252 
    12411253            endforeach; 
    12421254        endif; 
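Review bot: The FIXME added at 1243–1246 records that `preg_replace_callback()` at 1247 can fail on very long items but leaves the failure path unhandled: on a PCRE error (backtrack or recursion limit, for instance) `preg_replace_callback()` returns null, so `$content` at 1247 is silently replaced with null and the item body is lost. Capture the result and keep the original on failure, `$result = preg_replace_callback($pattern, /* callback */, $content); if (!is_null($result)) : $content = $result; endif;`, and consult `preg_last_error()` to log the condition when it occurs. The segfault itself cannot be caught from PHP, so the comment should also state what a maintainer can do about it (a size threshold above which relative-URI resolution is skipped, or the pcre.backtrack_limit/pcre.recursion_limit settings involved) rather than only describing the symptom. The enclosing foreach and the function it belongs to start outside the hunk.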