Changeset 324796


Timestamp:
12/20/10 22:03:41 (3 years ago)
Author:
MrWiblog
Message:

Added nonce fields for security.

Location:
voucherpress/trunk
Files:
2 edited

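--- a/voucherpress/trunk/readme.txt
+++ b/voucherpress/trunk/readme.txt
@@ -126,5 +126,5 @@
 = 1.2 (2010/12/20) =
 
-Changed templates to work at 150dpi to overcome memory limit problem. Also added code to temporarily increase PHP memory limit to 64mb while a voucher is being rendered. Fixed activation bug caused by WordPress breaking the Plugin Register plugin. Upgraded to recent version of TCPDF. Allowed CSV download for all vouchers, not just ones requiring an email address.
+Changed templates to work at 150dpi to overcome memory limit problem. Also added code to temporarily increase PHP memory limit to 64mb while a voucher is being rendered. Fixed activation bug caused by WordPress breaking the Plugin Register plugin. Upgraded to recent version of TCPDF. Allowed CSV download for all vouchers, not just ones requiring an email address. Added nonce fields for security.
 
 = 1.1.2 (2010/11/20) =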
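--- a/voucherpress/trunk/voucherpress.php
+++ b/voucherpress/trunk/voucherpress.php
@@ -518,5 +518,5 @@
         }
         echo '
-        <p><a href="admin.php?page=vouchers&amp;download=emails">' . __( "Download all registered email addresses", "voucherpress" ) . '</a></p>
+        <p><a href="' . wp_nonce_url( "admin.php?page=vouchers&amp;download=emails", "voucherpress_download_csv" ) . '">' . __( "Download all registered email addresses", "voucherpress" ) . '</a></p>
         </div>';
     
@@ -658,5 +658,7 @@
     <p><input type="button" name="preview" id="previewbutton" class="button" value="' . __( "Preview", "voucherpress" ) . '" />
     <input type="submit" name="save" id="savebutton" class="button-primary" value="' . __( "Save", "voucherpress" ) . '" />
-    <input type="hidden" name="template" id="template" value="1" /></p>
+    <input type="hidden" name="template" id="template" value="1" />';
+    wp_nonce_field( "voucherpress_create" );
+    echo '</p>
     
     </form>
@@ -686,5 +688,5 @@
         if ( $voucher->downloads > 0 ) {
             echo __( "Downloads:", "voucherpress" ) . " " . $voucher->downloads;
-            echo ' | <a href="admin.php?page=vouchers&amp;download=emails&amp;voucher=' . $voucher->id . '">' . __( "CSV", "voucherpress" ) . '</a>';
+            echo ' | <a href="' . wp_nonce_url( "admin.php?page=vouchers&amp;download=emails&amp;voucher=" . $voucher->id, "voucherpress_download_csv" ) . '">' . __( "CSV", "voucherpress" ) . '</a>';
             echo ' | ';
         }
@@ -950,5 +952,7 @@
         <p><input type="button" name="preview" id="previewbutton" class="button" value="' . __( "Preview", "voucherpress" ) . '" />
         <input type="submit" name="save" id="savebutton" class="button-primary" value="' . __( "Save", "voucherpress" ) . '" />
-        <input type="hidden" name="template" id="template" value="' . $voucher->template . '" /></p>
+        <input type="hidden" name="template" id="template" value="' . $voucher->template . '" />';
+        wp_nonce_field( "voucherpress_edit" );
+        echo '</p>
         
         </form>
@@ -1006,5 +1010,5 @@
     {
         // if updating templates
-        if ( @$_POST["action"] == "update" )
+        if ( wp_verify_nonce(@$_POST["_wpnonce"], 'voucherpress_edit_template') && @$_POST["action"] == "update" )
         {
             // loop templates
@@ -1032,5 +1036,5 @@
         {
 
-            if ( @$_FILES && is_array( $_FILES ) && count( $_FILES ) > 0 && $_FILES["file"]["name"] != "" && (int)$_FILES["file"]["size"] > 0 )
+            if ( wp_verify_nonce(@$_POST["_wpnonce"], 'voucherpress_add_template') && @$_FILES && is_array( $_FILES ) && count( $_FILES ) > 0 && $_FILES["file"]["name"] != "" && (int)$_FILES["file"]["size"] > 0 )
             {
                 // check the GD functions exist
@@ -1066,5 +1070,5 @@
                             echo '
                             <div id="message" class="error">
-                                <p><strong>' . __( "Sorry, the template file you uploaded was not in the correct format (JPEG), or was not the correct size (2362 x 1063 pixels). Please upload a correct template file.", "voucherpress" ) . '</strong></p>
+                                <p><strong>' . __( "Sorry, the template file you uploaded was not in the correct format (JPEG), or was not the correct size (1181 x 532 pixels). Please upload a correct template file.", "voucherpress" ) . '</strong></p>
                             </div>
                             ';
@@ -1114,5 +1118,7 @@
     
     <p><input type="submit" class="button-primary" value="' . __( "Add template", "voucherpress" ) . '" />
-    <input type="hidden" name="action" value="add" /></p>
+    <input type="hidden" name="action" value="add" />';
+    wp_nonce_field( "voucherpress_add_template" );
+    echo '</p>
     
     </form>
@@ -1155,5 +1161,7 @@
         echo '
         <p><input type="submit" class="button-primary" value="' . __( "Save templates", "voucherpress" ) . '" />
-        <input type="hidden" name="action" value="update" /></p>
+        <input type="hidden" name="action" value="update" />';
+        wp_nonce_field( "voucherpress_edit_template" );
+        echo '</p>
         </form>
         ';
@@ -1420,5 +1428,5 @@
 function voucherpress_check_download() {
     // download all unique email addresses
-    if ( ( @$_GET["page"] == "vouchers" ) && @$_GET["download"] == "emails" && @$_GET["voucher"] == "" ) {
+    if ( wp_verify_nonce(@$_GET["_wpnonce"], 'voucherpress_download_csv') && ( @$_GET["page"] == "vouchers" ) && @$_GET["download"] == "emails" && @$_GET["voucher"] == "" ) {
         if ( !voucherpress_download_emails() ) {
             wp_die( __("Sorry, the list could not be downloaded. Please click back and try again.", "voucherpress" ) );
@@ -1426,5 +1434,5 @@
     }
     // download unique email addresses for a voucher
-    if ( ( @$_GET["page"] == "vouchers" ) && @$_GET["download"] == "emails" && @$_GET["voucher"] != "" ) {
+    if ( wp_verify_nonce(@$_GET["_wpnonce"], 'voucherpress_download_csv') && ( @$_GET["page"] == "vouchers" ) && @$_GET["download"] == "emails" && @$_GET["voucher"] != "" ) {
         if ( !voucherpress_download_emails($_GET["voucher"]) ) {
             wp_die( __("Sorry, the list could not be downloaded. Please click back and try again.", "voucherpress" ) );
@@ -1442,5 +1450,5 @@
 // listen for creation of a voucher
 function voucherpress_check_create_voucher() {
-    if ( @$_GET["page"] == "vouchers-create" && @$_GET["preview"] == "" && @$_POST && is_array( $_POST ) && count( $_POST ) > 0 ) {
+    if ( wp_verify_nonce(@$_POST["_wpnonce"], 'voucherpress_create') && @$_GET["page"] == "vouchers-create" && @$_GET["preview"] == "" && @$_POST && is_array( $_POST ) && count( $_POST ) > 0 ) {
         $require_email = 0;
         if ( isset( $_POST["requireemail"] ) && $_POST["requireemail"] == "1" ) { $require_email = 1; }
@@ -1486,5 +1494,5 @@
 // listen for editing of a voucher
 function voucherpress_check_edit_voucher() {
-    if ( @$_GET["page"] == "vouchers" && @$_GET["preview"] == "" && @$_POST && is_array( $_POST ) && count( $_POST ) > 0 ) {
+    if ( wp_verify_nonce(@$_POST["_wpnonce"], 'voucherpress_edit') && @$_GET["page"] == "vouchers" && @$_GET["preview"] == "" && @$_POST && is_array( $_POST ) && count( $_POST ) > 0 ) {
         if ( isset( $_POST["delete"] ) ) {
             $done = voucherpress_delete_voucher( $_GET["id"] );
@@ -1706,5 +1714,5 @@
     
     // if the imagesize could be fetched and is JPG, PNG or GIF
-    if ( $imagetype == 2 && $width == 2362 && $height == 1063 )
+    if ( $imagetype == 2 && $width == 1181 && $height == 532 )
     {
 
@@ -1714,5 +1722,5 @@
         $path = ABSPATH . "/wp-content/plugins/voucherpress/templates/";
         
-        // move the temporary file to the full-size image (2362 x 1063 px @ 72dpi)
+        // move the temporary file to the full-size image (1181 x 532 px @ 150dpi)
         $fullpath = $path . $id . ".jpg";
         move_uploaded_file( $file, $fullpath );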
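Review bot: The per-voucher CSV check added at new line 1436 verifies the same unbound action 'voucherpress_download_csv' as the "all addresses" link, so a nonce minted for one voucher's link is accepted for any `$_GET["voucher"]` value, which then reaches `voucherpress_download_emails()` uncast; the 'voucherpress_edit' nonce at line 1496 is likewise not tied to the `$_GET["id"]` that `voucherpress_delete_voucher()` receives at line 1498. Bind the token to the object it authorises, e.g. `wp_nonce_url( "admin.php?page=vouchers&amp;download=emails&amp;voucher=" . (int) $voucher->id, "voucherpress_download_csv_" . (int) $voucher->id )` in the link at line 690 and `wp_verify_nonce( @$_GET["_wpnonce"], "voucherpress_download_csv_" . (int) @$_GET["voucher"] )` in the check, and do the same with the voucher id for the edit form. A nonce is only a CSRF token, not an authorization decision: none of these hunks calls `current_user_can()`, so unless the hooks that invoke these handlers (outside the diff) already enforce a capability, add one next to each verify. A failed verification currently just skips the handler with no feedback, whereas `check_admin_referer()` would report it. The bodies of `voucherpress_check_download()`, `voucherpress_check_create_voucher()` and `voucherpress_check_edit_voucher()` continue past the hunk boundaries.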