
Changeset 650397 for simple-login-log


Timestamp:
01/09/13 21:41:55 (16 months ago)
Author:
maxchirkov
Message:

Committing version 0.9.4

  • Numerous vulnerability fixes - highly advised to upgrade!
Location:
simple-login-log/trunk
Files:
2 edited

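--- a/simple-login-log/trunk/readme.txt
+++ b/simple-login-log/trunk/readme.txt
@@ -4,6 +4,6 @@
 Tags: login, log, users
 Requires at least: 3.0
-Tested up to: 3.3.2
-Stable tag: 0.9.3
+Tested up to: 3.5
+Stable tag: 0.9.4
 
 This plugin keeps a log of WordPress user logins. Offers user and date filtering, and export features.
@@ -40,4 +40,8 @@
 
 == Changelog ==
+
+**Version 0.9.4 - Highly Advised!**
+
+- Numerous vulnerability fixes!
 
 **Version 0.9.3**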
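--- a/simple-login-log/trunk/simple-login-log.php
+++ b/simple-login-log/trunk/simple-login-log.php
@@ -5,5 +5,5 @@
   Description: This plugin keeps a log of WordPress user logins. Offers user filtering and export features.
   Author: Max Chirkov
-  Version: 0.9.3
+  Version: 0.9.4
   Author URI: http://SimpleRealtyTheme.com
  */
@@ -26,5 +26,16 @@
     {
         global $wpdb;
-        $this->table = $wpdb->prefix . $this->table;
+
+        if ( is_multisite() )
+        {
+            // get main site's table prefix
+            $main_prefix = $wpdb->get_blog_prefix(1);
+            $this->table = $main_prefix . $this->table;
+        }
+        else
+        {
+            // non-multisite - regular table name
+            $this->table = $wpdb->prefix . $this->table;
+        }
         $this->opt = get_option($this->opt_name);
 
@@ -32,11 +43,5 @@
         $this->installed_ver = get_option( "sll_db_ver" );
 
-        //Check if download was initiated
-        $download = @esc_attr( $_GET['download-login-log'] );
-        if($download)
-        {
-            $where = ( isset($_GET['where']) ) ? $_GET['where'] : false;
-            $this->export_to_CSV($where);
-        }
+
 
 
@@ -50,4 +55,7 @@
         //Init login actions
         add_action( 'init', array(&$this, 'init_login_actions') );
+
+        //Init CSV Export
+        add_action('admin_init', array(&$this, 'init_csv_export') );
 
         //Style the log table
@@ -402,6 +410,6 @@
 
         $data[$this->data_labels['Login']] = ( 1 == $this->login_success ) ? $this->data_labels['Successful'] : $this->data_labels['Failed'];
-        if ( isset( $_REQUEST['redirect_to'] ) ) { $data[$this->data_labels['Login Redirect']] = $_REQUEST['redirect_to']; }
-        $data[$this->data_labels['User Agent']] = $_SERVER['HTTP_USER_AGENT'];
+        if ( isset( $_REQUEST['redirect_to'] ) ) { $data[$this->data_labels['Login Redirect']] = esc_attr( $_REQUEST['redirect_to'] ); }
+        $data[$this->data_labels['User Agent']] = esc_attr( $_SERVER['HTTP_USER_AGENT'] );
 
         $serialized_data = serialize($data);
@@ -446,18 +454,22 @@
         if( isset($_GET['filter']) && '' != $_GET['filter'] )
         {
-            $where['filter'] = "(user_login LIKE '%{$_GET['filter']}%' OR ip LIKE '%{$_GET['filter']}%')";
+            $filter = esc_attr( $_GET['filter'] );
+            $where['filter'] = "(user_login LIKE '%{$filter}%' OR ip LIKE '%{$filter}%')";
         }
         if( isset($_GET['user_role']) && '' != $_GET['user_role'] )
         {
-            $where['user_role'] = "user_role = '{$_GET['user_role']}'";
+            $user_role = esc_attr( $_GET['user_role'] );
+            $where['user_role'] = "user_role = '{$user_role}'";
         }
         if( isset($_GET['result']) && '' != $_GET['result'] )
         {
-            $where['result'] = "login_result = '{$_GET['result']}'";
+            $result = esc_attr( $_GET['result'] );
+            $where['result'] = "login_result = '{$result}'";
         }
         if( isset($_GET['datefilter']) && '' != $_GET['datefilter'] )
         {
-            $year = substr($_GET['datefilter'], 0, 4);
-            $month = substr($_GET['datefilter'], -2);
+            $datefilter = esc_attr( $_GET['datefilter'] );
+            $year = substr($datefilter, 0, 4);
+            $month = substr($datefilter, -2);
             $where['datefilter'] = "YEAR(time) = {$year} AND MONTH(time) = {$month}";
         }
@@ -527,4 +539,7 @@
 
             echo '<form method="get" id="export-login-log">';
+            if ( function_exists('wp_nonce_field') )
+                wp_nonce_field('ssl_export_log');
+
             echo '<input type="hidden" name="page" value="login_log" />';
             echo '<input type="hidden" name="download-login-log" value="true" />';
@@ -532,7 +547,16 @@
             echo '</form>';
             //if filtered results - add export filtered results button
-            if( $where = $this->make_where_query() ){
-
+            $where = false;
+            if( isset( $_GET['filter'] ) || isset( $_GET['user_role'] ) || isset( $_GET['datefilter'] ) || isset( $_GET['result'] ) )
+            {
+                $where = array();
+                foreach($_GET as $k => $v)
+                {
+                    $where[$k] = @esc_attr($v);
+                }
                 echo '<form method="get" id="export-login-log">';
+                if ( function_exists('wp_nonce_field') )
+                    wp_nonce_field('ssl_export_log');
+
                 echo '<input type="hidden" name="page" value="login_log" />';
                 echo '<input type="hidden" name="download-login-log" value="true" />';
@@ -576,4 +600,28 @@
 
 
+    function init_csv_export()
+    {
+        //Check if download was initiated
+        $download = @esc_attr( $_GET['download-login-log'] );
+        if($download)
+        {
+
+            $where = ( isset($_GET['where']) && '' != $_GET['where'] ) ? $_GET['where'] : false;
+            $where = maybe_unserialize( $where );
+
+            if( is_array($where) && !empty($where) )
+            {
+                foreach($where as $k => $v)
+                {
+                    $_GET[$k] = esc_attr($v);
+                }
+            }
+
+            check_admin_referer( 'ssl_export_log' );
+            $this->export_to_CSV( $this->make_where_query() );
+        }
+    }
+
+
     function export_to_CSV($where = false){
         global $wpdb;
@@ -581,5 +629,4 @@
         //if $where is set, then contemplate WHERE sql query
         if( $where ){
-            $where = unserialize($where);
 
             if( is_array($where) && !empty($where) )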
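Review bot: `init_csv_export()` calls `maybe_unserialize()` on `$_GET['where']` before `check_admin_referer()` runs, so the `unserialize()` this commit deletes from `export_to_CSV()` is now reachable from any `admin_init` request that carries `download-login-log`, with no valid nonce needed for that step; unserialize() of request data is a PHP object-injection primitive whenever a loaded class has an exploitable `__wakeup`/`__destruct`, and the `esc_attr()` applied to the values afterwards only HTML-encodes strings. Because the export form already holds every filter key in `$where` (the form-building hunk earlier in this file section) and `make_where_query()` reads `$_GET` directly, the serialized blob is unnecessary: emit one `<input type="hidden" name="…">` per filter key in the form (outside this hunk) and reduce the branch here to `check_admin_referer( 'ssl_export_log' );` followed by `$this->export_to_CSV( $this->make_where_query() );`. If the blob must stay, at least move the nonce check above the deserialization and switch the transport to `json_encode()`/`json_decode( …, true )`, which cannot instantiate objects. No capability check is visible in this hunk; the per-user nonce limits the export to users who could load the form, but an explicit `current_user_can()` before the export would make that intent clear. Relatedly, the `esc_attr()` calls in `make_where_query()` are HTML escaping, not SQL escaping — they happen to neutralise quote characters but do nothing for the unquoted `YEAR(time) = {$year}` context — so `$wpdb->prepare()` with `%s`/`%d` placeholders is the right fix there.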