Changeset 2866065

Timestamp:

02/16/2023 12:46:23 AM (3 years ago)

Author:

natereist

Message:

Tagging version 1.4.6

Location:

protected-posts-logout-button

Files:

• tags/1.4.6 (copied) (copied from protected-posts-logout-button/trunk)
• tags/1.4.6/pplb_logout_button.php (copied) (copied from protected-posts-logout-button/trunk/pplb_logout_button.php) (4 diffs)
• tags/1.4.6/readme.txt (copied) (copied from protected-posts-logout-button/trunk/readme.txt) (2 diffs)
• tags/1.4.6/templates/pplb-options.php (copied) (copied from protected-posts-logout-button/trunk/templates/pplb-options.php)
• trunk/pplb_logout_button.php (modified) (4 diffs)
• trunk/readme.txt (modified) (2 diffs)

protected-posts-logout-button/tags/1.4.6/pplb_logout_button.php

@@ -2 +2 @@
 /*
     Plugin Name: Protected Posts Logout Button
-    Plugin URI: http://omfgitsnater.com/protected-posts-logout-button/
+    Plugin URI: http://mindutopia.com
     Description: A plugin built to add a logout button automatically to protected posts.
-    Version: 1.4.5
+    Version: 1.4.6
     Author: Nate Reist
-    Author URI: http://omfgitsnater.com
+    Author URI: http://mindutopia.com
 */
 
@@ -155 +155 @@
         */
         function pplb_options_save(){
-            if ( isset( $_POST['pplb_action'] ) ) {
+            if ( isset( $_POST['pplb_action'] ) && current_user_can( 'manage_options' ) ) {
 //              pplb_nonce
                 if ( array_key_exists( 'pplb_nonce', $_POST ) && ! wp_verify_nonce( $_POST['pplb_nonce'], 'pplb_update' ) ) {
@@ -162 +162 @@
                     //update the option.
                     $options = array();
-                    $options['pplb_alert'] = ( array_key_exists('pplb_alert', $_POST) ) ? $_POST['pplb_alert']: 'no';
+                    $options['pplb_alert'] = ( array_key_exists('pplb_alert', $_POST ) && $_POST['pplb_alert'] === 'yes' ) ? 'yes': 'no';
                     $options['pplb_message'] = esc_js( $_POST['pplb_message'] );
-                    $options['pplb_debug'] = ( array_key_exists('pplb_debug', $_POST) ) ? $_POST['pplb_debug']: 0;
+                    $options['pplb_debug'] = ( array_key_exists('pplb_debug', $_POST ) ) ? 1 : 0;
                     $options['pplb_button_class'] = esc_attr($_POST['pplb_button_class']);
                     $options['pplb_button_text'] = !empty($_POST['pplb_button_text']) ? esc_attr($_POST['pplb_button_text']) : 'logout';
@@ -171 +171 @@
                     update_option('pplb_options', $options);
                     
-                    $expire = ( isset( $_POST['pplb_pass_expires'] ) && !empty( $_POST['pplb_pass_expires'] ) ) ? $_POST['pplb_pass_expires']: false;
+                    $expire = ( array_key_exists( 'pplb_pass_expires', $_POST ) && absint( $_POST['pplb_pass_expires'] ) ) ? absint( $_POST['pplb_pass_expires'] ): false;
                     update_option('pplb_pass_expires', $expire );
                     
-                    $filter = isset($_POST['pplb_button_filter']) ? $_POST['pplb_button_filter']: 'yes';
+                    $filter = ( array_key_exists( 'pplb_button_filter', $_POST ) && $_POST['pplb_button_filter'] === 'no' ) ? 'no' : 'yes';
                     update_option( 'pplb_button_filter', $filter );
-                    $position = isset($_POST['pplb_button_position']) ? $_POST['pplb_button_position']: 'before';
+                    $position = array_key_exists( 'pplb_button_position', $_POST ) && $_POST['pplb_button_position'] === 'after' ? 'after' : 'before';
                     update_option( 'pplb_button_position', $position );
                     $redirect = add_query_arg( array( 'message' => 1 ) );

protected-posts-logout-button/tags/1.4.6/readme.txt

@@ -5 +5 @@
 Requires at least: 2.8
 Tested up to: 6.1.1
-Stable tag: 1.4.5
+Stable tag: 1.4.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -51 +51 @@
 
 == Changelog ==
+= 1.4.6 =
+* Fixed vulnerabilities in option saving function, not allowing unescaped user input and checking user role 
+
 = 1.4.5 =
 * Tested with Wordpress 6.1.1

protected-posts-logout-button/trunk/pplb_logout_button.php

@@ -2 +2 @@
 /*
     Plugin Name: Protected Posts Logout Button
-    Plugin URI: http://omfgitsnater.com/protected-posts-logout-button/
+    Plugin URI: http://mindutopia.com
     Description: A plugin built to add a logout button automatically to protected posts.
-    Version: 1.4.5
+    Version: 1.4.6
     Author: Nate Reist
-    Author URI: http://omfgitsnater.com
+    Author URI: http://mindutopia.com
 */
 
@@ -155 +155 @@
         */
         function pplb_options_save(){
-            if ( isset( $_POST['pplb_action'] ) ) {
+            if ( isset( $_POST['pplb_action'] ) && current_user_can( 'manage_options' ) ) {
 //              pplb_nonce
                 if ( array_key_exists( 'pplb_nonce', $_POST ) && ! wp_verify_nonce( $_POST['pplb_nonce'], 'pplb_update' ) ) {
@@ -162 +162 @@
                     //update the option.
                     $options = array();
-                    $options['pplb_alert'] = ( array_key_exists('pplb_alert', $_POST) ) ? $_POST['pplb_alert']: 'no';
+                    $options['pplb_alert'] = ( array_key_exists('pplb_alert', $_POST ) && $_POST['pplb_alert'] === 'yes' ) ? 'yes': 'no';
                     $options['pplb_message'] = esc_js( $_POST['pplb_message'] );
-                    $options['pplb_debug'] = ( array_key_exists('pplb_debug', $_POST) ) ? $_POST['pplb_debug']: 0;
+                    $options['pplb_debug'] = ( array_key_exists('pplb_debug', $_POST ) ) ? 1 : 0;
                     $options['pplb_button_class'] = esc_attr($_POST['pplb_button_class']);
                     $options['pplb_button_text'] = !empty($_POST['pplb_button_text']) ? esc_attr($_POST['pplb_button_text']) : 'logout';
@@ -171 +171 @@
                     update_option('pplb_options', $options);
                     
-                    $expire = ( isset( $_POST['pplb_pass_expires'] ) && !empty( $_POST['pplb_pass_expires'] ) ) ? $_POST['pplb_pass_expires']: false;
+                    $expire = ( array_key_exists( 'pplb_pass_expires', $_POST ) && absint( $_POST['pplb_pass_expires'] ) ) ? absint( $_POST['pplb_pass_expires'] ): false;
                     update_option('pplb_pass_expires', $expire );
                     
-                    $filter = isset($_POST['pplb_button_filter']) ? $_POST['pplb_button_filter']: 'yes';
+                    $filter = ( array_key_exists( 'pplb_button_filter', $_POST ) && $_POST['pplb_button_filter'] === 'no' ) ? 'no' : 'yes';
                     update_option( 'pplb_button_filter', $filter );
-                    $position = isset($_POST['pplb_button_position']) ? $_POST['pplb_button_position']: 'before';
+                    $position = array_key_exists( 'pplb_button_position', $_POST ) && $_POST['pplb_button_position'] === 'after' ? 'after' : 'before';
                     update_option( 'pplb_button_position', $position );
                     $redirect = add_query_arg( array( 'message' => 1 ) );

protected-posts-logout-button/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 2.8
 Tested up to: 6.1.1
-Stable tag: 1.4.5
+Stable tag: 1.4.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -51 +51 @@
 
 == Changelog ==
+= 1.4.6 =
+* Fixed vulnerabilities in option saving function, not allowing unescaped user input and checking user role 
+
 = 1.4.5 =
 * Tested with Wordpress 6.1.1