Changeset 509947


Timestamp:
02/24/12 15:36:48 (2 years ago)
Author:
ericmann
Message:

Fix an immediate security hole. Replace several deprecated function calls. Tested with WordPress 3.3.1.

Location:
absolute-privacy/trunk
Files:
3 edited

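--- a/absolute-privacy/trunk/absolute_privacy.php
+++ b/absolute-privacy/trunk/absolute_privacy.php
@@ -6,6 +6,6 @@
 Plugin URI: http://www.johnkolbert.com/portfolio/wp-plugins/absolute-privacy
 Description: Give your blog absolute privacy. Forces users to register with their name and to choose a password (do not forget to enable registrations). Users cannot login until approved by an administrator. Also, gives the option to lock down your site from non-logged in viewers.
-Author: John Kolbert
-Version: 2.0.5
+Author: John Kolbert, Eric Mann
+Version: 2.0.6
 Author URI: http://www.johnkolbert.com/
 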
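--- a/absolute-privacy/trunk/functions.php
+++ b/absolute-privacy/trunk/functions.php
@@ -141,5 +141,5 @@
                             <tr>
                                 <th style="width: 120px;">Allowed Pages:</th>
-                                <td><input type="text" name="allowed_pages" id="allowed_pages" style="width: 58px;" value="<?php echo $options['allowed_pages']; ?>" /></td>
+                                <td><input type="text" name="allowed_pages" id="allowed_pages" style="width: 58px;" value="<?php echo isset($options['allowed_pages']) ? $options['allowed_pages'] : ''; ?>" /></td>
                                 <td>These pages will be accessible to non-logged in users. List page IDs separated by a comma (eg: <code>0,19,12</code>). <em>Tip:</em> Enter <code>0</code> to allow access to the home page. </td>
                             </tr>
@@ -150,5 +150,5 @@
                                     <input type="radio" name="rss_control" value="on" <?php if ($options['rss_control'] == "on") echo 'checked'; ?> /> RSS On &nbsp; &nbsp;<br />
                                     <input type="radio" name="rss_control" value="headline" <?php if ($options['rss_control'] == "headline") echo 'checked'; ?> /> Limited to headlines &nbsp; &nbsp;
-                                    <input type="radio" name="rss_control" value="excerpt" <?php if ($options['rss_control'] == "excerpt") echo 'checked'; ?> /> Limited to <input type="text" name="rss_characters" id="rss_characters" value="<?php echo $options['rss_characters']; ?>" style="width: 32px;" />&nbsp;Characters
+                                    <input type="radio" name="rss_control" value="excerpt" <?php if ($options['rss_control'] == "excerpt") echo 'checked'; ?> /> Limited to <input type="text" name="rss_characters" id="rss_characters" value="<?php echo isset($options['rss_characters']) ? $options['rss_characters'] : ''; ?>" style="width: 32px;" />&nbsp;Characters
                                     <br />Viewing your website's RSS feed does not require the user to login. Thus your RSS feed is publicly accessible if it is enabled. You may disable or limit the RSS feed above.
                                 </td>
@@ -178,5 +178,5 @@
                             <tr>
                                 <th style="width: 150px;">Members Only Page:</th>
-                                <td><input type="text" name="members_only_page" id="members_only_page" style="width: 58px;" value="<?php echo $options['members_only_page']; ?>" /></td>
+                                <td><input type="text" name="members_only_page" id="members_only_page" style="width: 58px;" value="<?php echo isset($options['members_only_page']) ? $options['members_only_page'] : ''; ?>" /></td>
                                 <td>Enter the ID of your main members only page <code>Eg: 42</code> This page and all child pages will be accessible only to logged in members.</td>
                             </tr>
@@ -221,5 +221,5 @@
                             <tr>
                                 <th>Redirect Non-logged in Users To:</th>
-                                <td style="padding-top: 2.5%;"><input type="text" name="redirect_page" id="redirect_page" style="width: 28px;" value="<?php echo $options['redirect_page']; ?>" /></td>
+                                <td style="padding-top: 2.5%;"><input type="text" name="redirect_page" id="redirect_page" style="width: 28px;" value="<?php echo isset($options['redirect_page']) ? $options['redirect_page'] : ''; ?>" /></td>
                                 <td>By default, non-logged in users will be redirected to the login form. Alternatively, you can enter a page ID here that you want non-logged in users to be redirected to instead.</td>
                             </tr>
@@ -227,5 +227,5 @@
                             <tr>
                                 <th style="padding-top: 1%;">Block Admin Access:</th>
-                                <td style="padding-top: 3%;"><input type="checkbox" name="admin_block" value="yes" <?php if ($options['admin_block'] == "yes") echo " checked "; ?> /> Yes</td>
+                                <td style="padding-top: 3%;"><input type="checkbox" name="admin_block" value="yes" <?php if (isset($options['admin_block']) && $options['admin_block'] == "yes") echo " checked "; ?> /> Yes</td>
                                 <td>This blocks subscribers from viewing any administrative pages, such as their wp-admin profile page or the dashboard. If they try to access an administrative page they will be redirected to the homepage.</td>
                             </tr>
@@ -253,5 +253,5 @@
                             <tr>
                                 <th>Profile Edit Page</th>
-                                <td style="padding-top: 2%;"> <input type="text" size="10" name="profile_page" id="profile_page" value="<?php echo $options['profile_page']; ?>" />
+                                <td style="padding-top: 2%;"> <input type="text" size="10" name="profile_page" id="profile_page" value="<?php echo isset($options['profile_page']) ? $options['profile_page'] : ''; ?>" />
                                 <td> If you've created a page for the user to edit their profile, enter its ID here <code>(eg: 42)</code>. If a user uses the password recovery tool, they will be given a temporary password with a link to this page to change it. <em>Tip:</em> Use the <code>[profilepage]</code> shortcode to create a profile page.</td>
                             </tr>
@@ -309,5 +309,4 @@
                             <td>
                                 <ul style="font-size: 1.0em;">
-                                    <li><a  style="font-weight: bold;" href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=TK5KDJP9N4F28" title="Donate" target="_blank">Donate to support development</a></li>
                                     <li><a href="http://www.wordpress.org/extend/plugins/absolute-privacy/" title="Rate">Rate this plugin on WP.org</a></li>
                                 </ul>
@@ -330,5 +329,4 @@
                                 <ul style="font-size: 1.0em;">
                                     <li><a href="http://www.johnkolbert.com/portfolio/wp-plugins/absolute-privacy/" title="Go to Plugin Homepage">Plugin Homepage</a></li>
-                                    <li><a href="http://www.mammothapps.com/contact/" title="Hire Me!">Hire me to customize this plugin</a></li>
                                 </ul>
                             </td>
@@ -352,4 +350,7 @@
                                     <span style="font-size: 0.8em;">Need Help? <a href="http://www.mammothapps.com/contact/" title="Hire Me">Hire me.</a><br />
                                     <a href="http://www.twitter.com/johnkolbert" title="Follow Me!">Follow me on Twitter!</a><br /></span>
+                                </p>
+                                <p style="text-align: center; font-size: 1.2em;">Plugin maintained by <a href="http://www.eamann.com/" title="Eric Mann">Eric Mann</a><br />
+                                    <span style="font-size: 0.8em;"><a href="http://www.twitter.com/ericmann" title="Follow Me!">Follow me on Twitter!</a><br /></span>
                                 </p>
                             </td>
@@ -691,5 +692,5 @@
     $options= get_option( ABSPRIVACY_OPTIONS );
 
-    if ( !is_admin() || !( is_user_logged_in() ) || $option[ 'member_lockdown' ] == 'off' ) return;
+    if ( !is_admin() || !( is_user_logged_in() ) || ( isset( $options[ 'member_lockdown' ] ) && $options[ 'member_lockdown' ] == 'off' ) ) return;
         //if it's not an admin page or the user isn't logged in at all, we don't need this
 
@@ -697,5 +698,5 @@
     $capabilities = $wpdb->prefix . 'capabilities';
 
-    if ( $options[ 'admin_block' ] == "yes" && array_key_exists( 'subscriber', $user_role->$capabilities ) ) {
+    if ( isset( $options[ 'admin_block'] ) && $options[ 'admin_block' ] == "yes" && array_key_exists( 'subscriber', $user_role->$capabilities ) ) {
         $url = get_bloginfo( 'url' );
         wp_redirect( $url, 302 );
@@ -742,7 +743,7 @@
 
     $output = '<p><label>First Name:<br />
-                <input type="text" name="first_name" id="first_name" class="input" value="' . ( isset( $_POST[ 'first_name' ] ) ? attribute_escape( stripslashes( $_POST[ 'first_name' ] ) ) : '' ) . '" size="25" tabindex="70" /></label></p>
+                <input type="text" name="first_name" id="first_name" class="input" value="' . ( isset( $_POST[ 'first_name' ] ) ? esc_attr( stripslashes( $_POST[ 'first_name' ] ) ) : '' ) . '" size="25" tabindex="70" /></label></p>
                 <p><label>Last Name:<br />
-                <input type="text" name="last_name" id="last_name" class="input" value="' . ( isset( $_POST[ 'last_name' ] ) ? attribute_escape( stripslashes( $_POST[ 'last_name' ] ) ) : '' ) . '" size="25" tabindex="80" /></label></p>
+                <input type="text" name="last_name" id="last_name" class="input" value="' . ( isset( $_POST[ 'last_name' ] ) ? esc_attr( stripslashes( $_POST[ 'last_name' ] ) ) : '' ) . '" size="25" tabindex="80" /></label></p>
 
                 <p><label>Password:<br />
@@ -792,6 +793,6 @@
 function abpr_addNewUser( $user_id ){
 
-    update_usermeta( $user_id, 'first_name', attribute_escape( stripslashes( $_POST[ 'first_name' ] ) ) );
-    update_usermeta( $user_id, 'last_name', attribute_escape( stripslashes( $_POST[ 'last_name' ] ) ) );
+    update_user_meta( $user_id, 'first_name', esc_attr( stripslashes( $_POST[ 'first_name' ] ) ) );
+    update_user_meta( $user_id, 'last_name', esc_attr( stripslashes( $_POST[ 'last_name' ] ) ) );
 
     $user_role = new WP_User( $user_id );
@@ -799,5 +800,5 @@
 
     if ( !empty( $_POST[ 'pswd1' ] ) ) {
-        $_POST[ 'pswd1' ] = wp_set_password( attribute_escape( stripslashes( $_POST[ 'pswd1' ] ) ), $user_id );
+        $_POST[ 'pswd1' ] = wp_set_password( esc_attr( stripslashes( $_POST[ 'pswd1' ] ) ), $user_id );
     }
 
@@ -834,13 +835,13 @@
 function abpr_authenticateUser( $user, $username, $password ){
     global $wpdb;
-
-        $user = get_userdatabylogin( $username );
-
-        $cap = $wpdb->prefix . "capabilities";
-        if ( $user && array_key_exists( ABSPRIVACY_ROLEREF, $user->$cap ) ) {  //if the user's role is listed as "unapproved"
-            $user = new WP_Error( 'unapproved', __("<strong>ERROR</strong>: The administrator of this site must approve your account before you can login. You will be notified via email when it has been approved.") );
-            add_filter( 'shake_error_codes', 'abpr_add_error_code' );   //make the login box shake
-            remove_action( 'authenticate', 'wp_authenticate_username_password', 20 );   //prevent authentication of user
-        }
+
+    $tempUser = get_user_by( 'login', $username );
+
+    $cap = $wpdb->prefix . "capabilities";
+    if ( $tempUser && array_key_exists( ABSPRIVACY_ROLEREF, $user->$cap ) ) {  //if the user's role is listed as "unapproved"
+        $user = new WP_Error( 'unapproved', __("<strong>ERROR</strong>: The administrator of this site must approve your account before you can login. You will be notified via email when it has been approved.") );
+        add_filter( 'shake_error_codes', 'abpr_add_error_code' );   //make the login box shake
+        remove_action( 'authenticate', 'wp_authenticate_username_password', 20 );   //prevent authentication of user
+    }
 
     return $user;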
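Review bot: The rewritten unapproved-role check in abpr_authenticateUser loads the account into `$tempUser` but then reads the capabilities from `$user->$cap`, the filter argument, so the condition tests the wrong object. If this callback runs before wp_authenticate_username_password (which its remove_action at priority 20 suggests), `$user` is still null at that point, `$user->$cap` is null, and array_key_exists() on a non-array only emits a warning and yields a falsy result, so the unapproved branch is never taken and an unapproved account logs in normally, which is the one outcome this filter exists to prevent. The old code checked the same variable it had just loaded, so this is a regression introduced by the rename; the line should read `if ( $tempUser && array_key_exists( ABSPRIVACY_ROLEREF, $tempUser->$cap ) ) {`. A guard such as `is_array( $tempUser->$cap )` would also be reasonable, since the check silently degrades to "allow" whenever the property is absent. abpr_authenticateUser's closing brace lies outside the hunk.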