
Changeset 3035169 for wp-stateless


Timestamp:
02/13/2024 03:19:14 PM (14 months ago)
Author:
obolgun
Message:

release 3.4.1

Location:
wp-stateless/trunk
Files:
19 edited

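--- a/wp-stateless/trunk/changelog.txt
+++ b/wp-stateless/trunk/changelog.txt
@@ -1,3 +1,6 @@
 == Changelog ==
+= 3.4.1 =
+FIX - improve security while processing AJAX requests in Admin Panel
+
 = 3.4.0 =
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons.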
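--- a/wp-stateless/trunk/changes.md
+++ b/wp-stateless/trunk/changes.md
@@ -1,2 +1,5 @@
+#### 3.4.1
+FIX - improve security while processing AJAX requests in Admin Panel
+
 #### 3.4.0
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons.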
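--- a/wp-stateless/trunk/lib/classes/class-ajax.php
+++ b/wp-stateless/trunk/lib/classes/class-ajax.php
@@ -49,4 +49,6 @@
        */
       public function request() {
+        check_ajax_referer('sm_inline_sync');
+
         global $doing_manual_sync;
 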
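Review bot: `check_ajax_referer('sm_inline_sync')` at new line 51 verifies the nonce but not the caller's capability, and nothing else in this hunk does; a nonce is a CSRF token bound to the logged-in user, so any authenticated user who was served the `stateless_upload` localization can still drive this handler. If request() does not call `current_user_can()` further down, add a check right after the nonce, e.g. `if ( ! current_user_can( 'upload_files' ) ) { wp_send_json_error(); }`. The method starts at line 50 and its body continues outside the hunk, so the capability check may already exist there.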
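--- a/wp-stateless/trunk/lib/classes/class-bootstrap.php
+++ b/wp-stateless/trunk/lib/classes/class-bootstrap.php
@@ -1217,4 +1217,7 @@
         /* Attachment or upload page */
         wp_register_script('wp-stateless-uploads-js', $this->path('static/scripts/wp-stateless-uploads.js', 'url'), array('jquery'), self::$version);
+        wp_localize_script('wp-stateless-uploads-js', 'stateless_upload', [
+          'inline_sync_nonce' => wp_create_nonce('sm_inline_sync'),
+        ]);
 
         /* Setup wizard styles. */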
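--- a/wp-stateless/trunk/lib/classes/class-errors.php
+++ b/wp-stateless/trunk/lib/classes/class-errors.php
@@ -182,5 +182,8 @@
             "ajaxurl" => admin_url( 'admin-ajax.php' ),
         ) );
-
+        wp_localize_script( "sateless-error-notice-js", "stateless_error_notice_vars", array(
+          "dismiss_nonce" => wp_create_nonce( 'stateless_notice_dismiss' ),
+          "enable_action_nonce" => wp_create_nonce( 'stateless_enable_notice_button_action' ),
+        ) );
 
         //** Don't show the message if the user has no enough permissions. */
@@ -249,18 +252,22 @@
        * @throws \Exception
        */
-      public function dismiss_notices(){
+      public function dismiss_notices() {
+        check_ajax_referer('stateless_notice_dismiss');
+
         $response = array(
           'success' => '0',
           'error' => __( 'There was an error in request.', $this->domain ),
         );
+
         $error = false;
 
-        if( empty($_POST['key']) && strpos($_POST['key'], 'dismissed_notice_') !== false ) {
+        $option_key = isset($_POST['key']) ? sanitize_key($_POST['key']) : '';
+
+        if ( strpos($option_key, 'dismissed_') !== 0 ) {
           $response['error'] = __( 'Invalid key', $this->domain );
           $error = true;
         }
-        else {
-          $option_key = sanitize_key($_POST['key']);
-          update_option( $option_key, time() );
+
+        if ( !$error && update_option( $option_key, time() ) ) {
           $response['success'] = '1';
           $response['error'] = null;
@@ -275,4 +282,6 @@
        */
       public function stateless_enable_notice_button_action(){
+        check_ajax_referer('stateless_enable_notice_button_action');
+
         $response = array(
           'success' => '1',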
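Review bot: Both `dismiss_notices()` (new lines 254-256) and `stateless_enable_notice_button_action()` (new lines 284-285) gain a nonce check but still no capability check, while the surviving comment at new line 189 suggests the notice display itself is gated on permissions; a nonce only proves the request came from a page that received it, so each handler should also verify the caller, e.g. `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json( $response ); }` right after `check_ajax_referer`, using whatever capability the display path already uses. In dismiss_notices, `update_option()` returns false when the stored value is unchanged, so under the new `!$error && update_option(...)` condition a second dismiss within the same second answers 'There was an error in request.' although the option is set. Since readme.txt declares `Requires PHP: 8.0`, `str_starts_with($option_key, 'dismissed_')` reads better than `strpos(...) !== 0` at new line 266. The second method's body continues past the hunk.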
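--- a/wp-stateless/trunk/readme.txt
+++ b/wp-stateless/trunk/readme.txt
@@ -6,6 +6,6 @@
 Requires PHP: 8.0
 Requires at least: 5.0
-Tested up to: 6.4.2
-Stable tag: 3.4.0
+Tested up to: 6.4.3
+Stable tag: 3.4.1
 
 Upload and serve your WordPress media files from Google Cloud Storage.
@@ -113,4 +113,7 @@
 
 == Changelog ==
+= 3.4.1 =
+FIX - improve security while processing AJAX requests in Admin Panel
+
 = 3.4.0 =
 * ENHANCEMENT - removed `udx/lib-settings` package dependency for security reasons.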
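--- a/wp-stateless/trunk/static/scripts/error-notice.js
+++ b/wp-stateless/trunk/static/scripts/error-notice.js
@@ -16,4 +16,5 @@
       action: 'stateless_enable_notice_button_action',
       key: _this.data('key'),
+      _ajax_nonce: stateless_error_notice_vars.enable_action_nonce ?? '',
     }
 
@@ -42,4 +43,5 @@
       action: 'stateless_notice_dismiss',
       key: _this.data('key'),
+      _ajax_nonce: stateless_error_notice_vars.dismiss_nonce ?? '',
     }
 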
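--- a/wp-stateless/trunk/static/scripts/wp-stateless-uploads.js
+++ b/wp-stateless/trunk/static/scripts/wp-stateless-uploads.js
@@ -20,5 +20,6 @@
           action: that.data('type') == 'image' ? "stateless_process_image" : "stateless_process_file",
           id: that.data('id'),
-          size: that.data('size')
+          size: that.data('size'),
+          _ajax_nonce: stateless_upload.inline_sync_nonce ?? '',
         }
       })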
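--- a/wp-stateless/trunk/vendor/composer/installed.json
+++ b/wp-stateless/trunk/vendor/composer/installed.json
@@ -265,14 +265,14 @@
         {
             "name": "udx/lib-ud-api-client",
-            "version": "1.2.2",
-            "version_normalized": "1.2.2.0",
+            "version": "1.2.3",
+            "version_normalized": "1.2.3.0",
             "source": {
                 "type": "git",
                 "url": "git@github.com:udx/lib-ud-api-client",
-                "reference": "1.2.2"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://github.com/udx/lib-ud-api-client/archive/1.2.2.zip"
+                "reference": "1.2.3"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://github.com/udx/lib-ud-api-client/archive/1.2.3.zip"
             },
             "require": {
@@ -311,14 +311,14 @@
         {
             "name": "udx/lib-wp-bootstrap",
-            "version": "1.3.1",
-            "version_normalized": "1.3.1.0",
+            "version": "1.3.2",
+            "version_normalized": "1.3.2.0",
             "source": {
                 "type": "git",
                 "url": "git@github.com:udx/lib-wp-bootstrap",
-                "reference": "1.3.1"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://github.com/udx/lib-wp-bootstrap/archive/1.3.1.zip"
+                "reference": "1.3.2"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://github.com/udx/lib-wp-bootstrap/archive/1.3.2.zip"
             },
             "require": {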
     
    311311        {
    312312            "name": "udx/lib-wp-bootstrap",
    313             "version": "1.3.1",
    314             "version_normalized": "1.3.1.0",
     313            "version": "1.3.2",
     314            "version_normalized": "1.3.2.0",
    315315            "source": {
    316316                "type": "git",
    317317                "url": "git@github.com:udx/lib-wp-bootstrap",
    318                 "reference": "1.3.1"
    319             },
    320             "dist": {
    321                 "type": "zip",
    322                 "url": "https://github.com/udx/lib-wp-bootstrap/archive/1.3.1.zip"
     318                "reference": "1.3.2"
     319            },
     320            "dist": {
     321                "type": "zip",
     322                "url": "https://github.com/udx/lib-wp-bootstrap/archive/1.3.2.zip"
    323323            },
    324324            "require": {
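--- a/wp-stateless/trunk/vendor/composer/installed.php
+++ b/wp-stateless/trunk/vendor/composer/installed.php
@@ -4,5 +4,5 @@
         'pretty_version' => 'dev-latest',
         'version' => 'dev-latest',
-        'reference' => '4e811ffcf935c543ab66a31c9562301a405d988d',
+        'reference' => '4485e93b09271c7d1d632d20406de711e4d8b391',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
@@ -51,7 +51,7 @@
         ),
         'udx/lib-ud-api-client' => array(
-            'pretty_version' => '1.2.2',
-            'version' => '1.2.2.0',
-            'reference' => '1.2.2',
+            'pretty_version' => '1.2.3',
+            'version' => '1.2.3.0',
+            'reference' => '1.2.3',
             'type' => 'library',
             'install_path' => __DIR__ . '/../udx/lib-ud-api-client',
@@ -60,7 +60,7 @@
         ),
         'udx/lib-wp-bootstrap' => array(
-            'pretty_version' => '1.3.1',
-            'version' => '1.3.1.0',
-            'reference' => '1.3.1',
+            'pretty_version' => '1.3.2',
+            'version' => '1.3.2.0',
+            'reference' => '1.3.2',
             'type' => 'library',
             'install_path' => __DIR__ . '/../udx/lib-wp-bootstrap',
@@ -71,5 +71,5 @@
             'pretty_version' => 'dev-latest',
             'version' => 'dev-latest',
-            'reference' => '4e811ffcf935c543ab66a31c9562301a405d988d',
+            'reference' => '4485e93b09271c7d1d632d20406de711e4d8b391',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',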
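--- a/wp-stateless/trunk/vendor/udx/lib-ud-api-client/changes.md
+++ b/wp-stateless/trunk/vendor/udx/lib-ud-api-client/changes.md
@@ -1,2 +1,6 @@
+### 1.2.3
+
+* Improve security while processing AJAX requests in Admin Panel.
+
 ### 1.2.2
 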
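--- a/wp-stateless/trunk/vendor/udx/lib-ud-api-client/gruntfile.js
+++ b/wp-stateless/trunk/vendor/udx/lib-ud-api-client/gruntfile.js
@@ -3,5 +3,5 @@
  *
  * @author potanin@UD
- * @version 1.2.2
+ * @version 1.2.3
  * @param grunt
  */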
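--- a/wp-stateless/trunk/vendor/udx/lib-ud-api-client/lib/classes/class-bootstrap.php
+++ b/wp-stateless/trunk/vendor/udx/lib-ud-api-client/lib/classes/class-bootstrap.php
@@ -19,5 +19,5 @@
        *
        */
-      public static $version = '1.2.2';
+      public static $version = '1.2.3';
 
       /**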
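--- a/wp-stateless/trunk/vendor/udx/lib-ud-api-client/lib/classes/class-update-checker.php
+++ b/wp-stateless/trunk/vendor/udx/lib-ud-api-client/lib/classes/class-update-checker.php
@@ -350,4 +350,5 @@
           $plugins = get_plugins();
           $name = isset( $plugins[$this->name] ) ? $plugins[$this->name]['Name'] : $this->name;
+          $nonce = wp_create_nonce( 'ud_api_dismiss' );
 
           if ( isset( $response->errors['no_key'] ) && $response->errors['no_key'] == 'no_key' && isset( $response->errors['no_subscription'] ) && $response->errors['no_subscription'] == 'no_subscription' ) {
@@ -356,5 +357,5 @@
             $show_no_key_error = $this->check_dismiss_time( $no_key_dismissed );
             if( $show_no_key_error ) {
-                $this->errors[] = sprintf( __( 'A license key for %s could not be found. Maybe you forgot to enter a license key when setting up %s, or the key was deactivated in your account. You can reactivate or purchase a license key from your account <a href="%s" target="_blank">Licences</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_key" href="#">dismiss</a>.', $this->text_domain ), $name, $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'A license key for %s could not be found. Maybe you forgot to enter a license key when setting up %s, or the key was deactivated in your account. You can reactivate or purchase a license key from your account <a href="%s" target="_blank">Licences</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_key" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
@@ -362,5 +363,5 @@
             $show_no_subscription_error = $this->check_dismiss_time( $no_subscription_dismissed );
             if( $show_no_subscription_error ) {
-                $this->errors[] = sprintf( __( 'A subscription for %s could not be found. You can purchase a subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'A subscription for %s could not be found. You can purchase a subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
@@ -370,5 +371,5 @@
             $show_exp_license_error = $this->check_dismiss_time( $exp_license_dismissed );
             if( $show_exp_license_error ) {
-                $this->errors[] = sprintf( __( 'The license key for %s has expired. You can reactivate or get a license key from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_exp_license" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'The license key for %s has expired. You can reactivate or get a license key from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_exp_license" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
@@ -378,5 +379,5 @@
             $show_hold_subscription_error = $this->check_dismiss_time( $hold_subscription_dismissed );
             if( $show_hold_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s is on-hold. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_hold_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'The subscription for %s is on-hold. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_hold_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
@@ -386,5 +387,5 @@
             $show_cancelled_subscription_error = $this->check_dismiss_time( $cancelled_subscription_dismissed );
             if( $show_cancelled_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s has been cancelled. You can renew the subscription from your account <a href="%s" target="_blank">dashboard</a>. A new license key will be emailed to you after your order has been completed. <a class="dismiss-error dismiss" data-key="dismissed_error_%s_cancelled_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'The subscription for %s has been cancelled. You can renew the subscription from your account <a href="%s" target="_blank">dashboard</a>. A new license key will be emailed to you after your order has been completed. <a class="dismiss-error dismiss" data-key="dismissed_error_%s_cancelled_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
@@ -394,5 +395,5 @@
             $show_exp_subscription_error = $this->check_dismiss_time( $exp_subscription_dismissed );
             if( $show_exp_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s has expired. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_exp_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'The subscription for %s has expired. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_exp_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
@@ -402,5 +403,5 @@
             $show_suspended_subscription_error = $this->check_dismiss_time( $suspended_subscription_dismissed );
             if( $show_suspended_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s has been suspended. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_suspended_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'The subscription for %s has been suspended. You can reactivate the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_suspended_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
@@ -410,5 +411,5 @@
             $show_pending_subscription_error = $this->check_dismiss_time( $pending_subscription_dismissed );
             if( $show_pending_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s is still pending. You can check on the status of the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_pending_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'The subscription for %s is still pending. You can check on the status of the subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_pending_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
@@ -418,5 +419,5 @@
             $show_trash_subscription_error = $this->check_dismiss_time( $trash_subscription_dismissed );
             if( $show_trash_subscription_error ) {
-                $this->errors[] = sprintf( __( 'The subscription for %s has been placed in the trash and will be deleted soon. You can get a new subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_trash_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'The subscription for %s has been placed in the trash and will be deleted soon. You can get a new subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_trash_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
@@ -426,5 +427,5 @@
             $show_no_subscription_error = $this->check_dismiss_time( $no_subscription_dismissed );
             if( $show_no_subscription_error ) {
-                $this->errors[] = sprintf( __( 'A subscription for %s could not be found. You can get a subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'A subscription for %s could not be found. You can get a subscription from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
@@ -434,5 +435,5 @@
             $show_no_activation_error = $this->check_dismiss_time( $no_activation_dismissed );
             if( $show_no_activation_error ) {
-                $this->errors[] = sprintf( __( '%s has not been activated. Go to the settings page and enter the license key and license email to activate %s. <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_activation" href="#">dismiss</a>.', $this->text_domain ), $name, $name, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( '%s has not been activated. Go to the settings page and enter the license key and license email to activate %s. <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_activation" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $name, sanitize_key( $name ), $nonce ) ;
             }
 
@@ -442,5 +443,5 @@
             $show_no_key_error = $this->check_dismiss_time( $no_key_dismissed );
             if( $show_no_key_error ) {
-                $this->errors[] = sprintf( __( 'A license key for %s could not be found. Maybe you forgot to enter a license key when setting up %s, or the key was deactivated in your account. You can reactivate or get a license key from your account <a href="%s" target="_blank">Licences</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_key" href="#">dismiss</a>.', $this->text_domain ), $name, $name, $this->renew_license_url, sanitize_key( $name ) );
+                $this->errors[] = sprintf( __( 'A license key for %s could not be found. Maybe you forgot to enter a license key when setting up %s, or the key was deactivated in your account. You can reactivate or get a license key from your account <a href="%s" target="_blank">Licences</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_no_key" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $name, $this->renew_license_url, sanitize_key( $name ), $nonce );
             }
 
@@ -450,5 +451,5 @@
             $show_download_revoked_error = $this->check_dismiss_time( $download_revoked_dismissed );
             if( $show_download_revoked_error ) {
-                $this->errors[] = sprintf( __( 'Download permission for %s has been revoked possibly due to a license key or subscription expiring. You can reactivate or get a license key from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_download_revoked" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'Download permission for %s has been revoked possibly due to a license key or subscription expiring. You can reactivate or get a license key from your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_download_revoked" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
@@ -458,5 +459,5 @@
             $show_switched_subscription_error = $this->check_dismiss_time( $switched_subscription_dismissed );
             if( $show_switched_subscription_error ) {
-                $this->errors[] = sprintf( __( 'You changed the subscription for %s, so you will need to enter your new API License Key in the settings page. The License Key should have arrived in your email inbox, if not you can get it by logging into your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_switched_subscription" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ) ) ;
+                $this->errors[] = sprintf( __( 'You changed the subscription for %s, so you will need to enter your new API License Key in the settings page. The License Key should have arrived in your email inbox, if not you can get it by logging into your account <a href="%s" target="_blank">dashboard</a> | <a class="dismiss-error dismiss" data-key="dismissed_error_%s_switched_subscription" data-nonce="%s" href="#">dismiss</a>.', $this->text_domain ), $name, $this->renew_license_url, sanitize_key( $name ), $nonce ) ;
             }
 
@@ -500,4 +501,5 @@
                             action: 'ud_api_dismiss',
                             key: _this.data('key'),
+                            _ajax_nonce: _this.data('nonce'),
                         }
 
@@ -542,19 +544,25 @@
          */
         public function dismiss_notices(){
+          check_ajax_referer('ud_api_dismiss');
+
           $response = array(
               'success' => '0',
               'error' => __( 'There was an error in request.', $this->text_domain ),
           );
+
           $error = false;
 
-          if( empty($_POST['key']) ) {
-            $response['error'] = __( 'Invalid key', $this->text_domain );
+          $option_key = isset($_POST['key']) ? sanitize_key($_POST['key']) : '';
+
+          if ( strpos($option_key, 'dismissed_') !== 0 ) {
+            $response['error'] = __( 'Invalid key', $this->domain );
             $error = true;
           }
-
-          if ( ! $error && update_option( ( $_POST['key'] ), time() ) ) {
+
+          if ( !$error && update_option( $option_key, time() ) ) {
             $response['success'] = '1';
-          }
-
+            $response['error'] = null;
+          }
+
           wp_send_json( $response );
         }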
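Review bot: New line 558 passes `$this->domain` to `__()`, while the rest of this class, including the 'There was an error in request.' message at new line 550 and the removed line 551 it replaces, uses `$this->text_domain`; this class does not appear to define a `domain` property, so the 'Invalid key' string would be looked up against a null domain and trigger an undefined-property warning under PHP 8. It should read `$response['error'] = __( 'Invalid key', $this->text_domain );`. Since this is the vendored copy of lib-ud-api-client, the same correction belongs in the library release. Like the other handlers in this changeset, `check_ajax_referer('ud_api_dismiss')` at new line 546 establishes request origin but not caller capability, so a `current_user_can()` check after it would complete the hardening.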
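--- a/wp-stateless/trunk/vendor/udx/lib-ud-api-client/package.json
+++ b/wp-stateless/trunk/vendor/udx/lib-ud-api-client/package.json
@@ -1,5 +1,5 @@
 {
   "name": "lib-ud-api-client",
-  "version": "1.2.2",
+  "version": "1.2.3",
   "description": "UD Client for WooCommerce API Manager",
   "repository": {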
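--- a/wp-stateless/trunk/vendor/udx/lib-wp-bootstrap/changes.md
+++ b/wp-stateless/trunk/vendor/udx/lib-wp-bootstrap/changes.md
@@ -1,2 +1,6 @@
+### 1.3.2
+
+* Improve security while processing AJAX requests in Admin Panel.
+
 ### 1.3.1
 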
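--- a/wp-stateless/trunk/vendor/udx/lib-wp-bootstrap/lib/classes/class-errors.php
+++ b/wp-stateless/trunk/vendor/udx/lib-wp-bootstrap/lib/classes/class-errors.php
@@ -157,4 +157,6 @@
         $messages = apply_filters( 'ud:messages:admin_notices', $this->messages, $this->args );
         $warnings = apply_filters( 'ud:warnings:admin_notices', $this->warnings, $this->args );
+
+        $nonce = wp_create_nonce('ud_dismiss');
 
         if( !empty( $errors ) || !empty( $messages ) || !empty( $warnings ) ) {
@@ -180,5 +182,9 @@
           $message = sprintf( __( '<p><b>%s</b> has the following warnings:</p> %s', $this->domain ), $this->name, $message );
           if( $this->dismiss ) {
-            $this->action_links[ 'warnings' ][] = '<a class="dismiss-warning dismiss" data-key="dismissed_warning_' . sanitize_key( $this->name ).'" href="#">' . __( 'Dismiss this warning', $this->domain ) . '</a>';
+            $this->action_links[ 'warnings' ][] =
+              '<a class="dismiss-warning dismiss" ' .
+              'data-key="dismissed_warning_' . sanitize_key( $this->name ) .
+              '" data-nonce="' . $nonce . '" href="#">' .
+              __( 'Dismiss this warning', $this->domain ) . '</a>';
           }
           if( !empty( $this->action_links[ 'warnings' ] ) && is_array( $this->action_links[ 'warnings' ] ) ) {
@@ -200,5 +206,9 @@
             }
             if( $this->dismiss ) {
-              $this->action_links[ 'messages' ][] = '<a class="dismiss-notice dismiss" data-key="dismissed_notice_' . sanitize_key( $this->name ).'" href="#">' . __( 'Dismiss this notice', $this->domain ) . '</a>';
+              $this->action_links[ 'messages' ][] =
+                '<a class="dismiss-notice dismiss" ' .
+                'data-key="dismissed_notice_' . sanitize_key( $this->name ).'" ' .
+                'data-nonce="' . $nonce . '" href="#">' .
+                __( 'Dismiss this notice', $this->domain ) . '</a>';
             }
             $message .= '<p>' . implode( ' | ', $this->action_links[ 'messages' ] ) . '</p>';
@@ -222,18 +232,24 @@
        * @throws \Exception
        */
-      public function dismiss_notices(){
+      public function dismiss_notices() {
+        check_ajax_referer('ud_dismiss');
+
         $response = array(
           'success' => '0',
           'error' => __( 'There was an error in request.', $this->domain ),
         );
+
         $error = false;
 
-        if( empty($_POST['key']) ) {
+        $option_key = isset($_POST['key']) ? sanitize_key($_POST['key']) : '';
+
+        if ( strpos($option_key, 'dismissed_') !== 0 ) {
           $response['error'] = __( 'Invalid key', $this->domain );
           $error = true;
         }
 
-        if ( ! $error && update_option( ( $_POST['key'] ), time() ) ) {
+        if ( !$error && update_option( $option_key, time() ) ) {
           $response['success'] = '1';
+          $response['error'] = null;
         }
 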
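--- a/wp-stateless/trunk/vendor/udx/lib-wp-bootstrap/static/scripts/ud-dismiss.js
+++ b/wp-stateless/trunk/vendor/udx/lib-wp-bootstrap/static/scripts/ud-dismiss.js
@@ -12,4 +12,5 @@
       action: 'ud_dismiss',
       key: _this.data('key'),
+      _ajax_nonce: _this.data('nonce'),
     }
 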
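--- a/wp-stateless/trunk/wp-stateless-media.php
+++ b/wp-stateless/trunk/wp-stateless-media.php
@@ -5,5 +5,5 @@
  * Description: Upload and serve your WordPress media files from Google Cloud Storage.
  * Author: UDX
- * Version: 3.4.0
+ * Version: 3.4.1
  * Text Domain: stateless-media
  * Author URI: https://www.udx.io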