Changeset 3172020

Timestamp:

10/19/2024 03:39:56 PM (17 months ago)

Author:

eemitch

Message:

• Security Fix for a reflecte cross-site scripting (XSS) issue
• Security improvements to back-end navigation tabs.

Location:

simple-file-list

Files:

• tags/6.1.13 (added)
• tags/6.1.13/Simple-File-List.pdf (added)
• tags/6.1.13/css (added)
• tags/6.1.13/css/admin5.css (added)
• tags/6.1.13/css/index.html (added)
• tags/6.1.13/css/styles-flex.css (added)
• tags/6.1.13/css/styles-table.css (added)
• tags/6.1.13/css/styles-theme-dark.css (added)
• tags/6.1.13/css/styles-theme-light.css (added)
• tags/6.1.13/css/styles-tiles.css (added)
• tags/6.1.13/css/styles-upload-form.css (added)
• tags/6.1.13/css/styles-upload-theme-light.css (added)
• tags/6.1.13/css/styles.css (added)
• tags/6.1.13/ee-admin-page.php (added)
• tags/6.1.13/ee-list-display.php (added)
• tags/6.1.13/ee-simple-file-list.php (added)
• tags/6.1.13/images (added)
• tags/6.1.13/images/Mitchell-Bennis-Head-Shot.jpg (added)
• tags/6.1.13/images/SFL-Pro-Admin-List.jpg (added)
• tags/6.1.13/images/icon-128x128.png (added)
• tags/6.1.13/images/icon-256x256.png (added)
• tags/6.1.13/images/index.html (added)
• tags/6.1.13/images/sending.gif (added)
• tags/6.1.13/images/thumbnails (added)
• tags/6.1.13/images/thumbnails/!default.svg (added)
• tags/6.1.13/images/thumbnails/!default_image.jpg (added)
• tags/6.1.13/images/thumbnails/!default_pdf.jpg (added)
• tags/6.1.13/images/thumbnails/!default_video.jpg (added)
• tags/6.1.13/images/thumbnails/3gp.svg (added)
• tags/6.1.13/images/thumbnails/ai.svg (added)
• tags/6.1.13/images/thumbnails/aif.svg (added)
• tags/6.1.13/images/thumbnails/aiff.svg (added)
• tags/6.1.13/images/thumbnails/apk.svg (added)
• tags/6.1.13/images/thumbnails/avi.svg (added)
• tags/6.1.13/images/thumbnails/bmp.svg (added)
• tags/6.1.13/images/thumbnails/cr2.svg (added)
• tags/6.1.13/images/thumbnails/dmg.svg (added)
• tags/6.1.13/images/thumbnails/doc.svg (added)
• tags/6.1.13/images/thumbnails/docx.svg (added)
• tags/6.1.13/images/thumbnails/eps.svg (added)
• tags/6.1.13/images/thumbnails/flv.svg (added)
• tags/6.1.13/images/thumbnails/folder.svg (added)
• tags/6.1.13/images/thumbnails/gz.svg (added)
• tags/6.1.13/images/thumbnails/indd.svg (added)
• tags/6.1.13/images/thumbnails/iso.svg (added)
• tags/6.1.13/images/thumbnails/jpeg.svg (added)
• tags/6.1.13/images/thumbnails/jpg.svg (added)
• tags/6.1.13/images/thumbnails/m4v.svg (added)
• tags/6.1.13/images/thumbnails/midi.svg (added)
• tags/6.1.13/images/thumbnails/mov.svg (added)
• tags/6.1.13/images/thumbnails/mp3.svg (added)
• tags/6.1.13/images/thumbnails/mp4.svg (added)
• tags/6.1.13/images/thumbnails/mpeg.svg (added)
• tags/6.1.13/images/thumbnails/mpg.svg (added)
• tags/6.1.13/images/thumbnails/pdf.svg (added)
• tags/6.1.13/images/thumbnails/png.svg (added)
• tags/6.1.13/images/thumbnails/pps.svg (added)
• tags/6.1.13/images/thumbnails/ppsx.svg (added)
• tags/6.1.13/images/thumbnails/ppt.svg (added)
• tags/6.1.13/images/thumbnails/pptx.svg (added)
• tags/6.1.13/images/thumbnails/psd.svg (added)
• tags/6.1.13/images/thumbnails/tar.svg (added)
• tags/6.1.13/images/thumbnails/tgz.svg (added)
• tags/6.1.13/images/thumbnails/tif.svg (added)
• tags/6.1.13/images/thumbnails/tiff.svg (added)
• tags/6.1.13/images/thumbnails/txt.svg (added)
• tags/6.1.13/images/thumbnails/wav.svg (added)
• tags/6.1.13/images/thumbnails/wma.svg (added)
• tags/6.1.13/images/thumbnails/wmv.svg (added)
• tags/6.1.13/images/thumbnails/xls.svg (added)
• tags/6.1.13/images/thumbnails/xlsx.svg (added)
• tags/6.1.13/images/thumbnails/zip.svg (added)
• tags/6.1.13/includes (added)
• tags/6.1.13/includes/ee-admin-footer.php (added)
• tags/6.1.13/includes/ee-admin-header.php (added)
• tags/6.1.13/includes/ee-class.php (added)
• tags/6.1.13/includes/ee-email-settings.php (added)
• tags/6.1.13/includes/ee-extension-settings.php (added)
• tags/6.1.13/includes/ee-functions.php (added)
• tags/6.1.13/includes/ee-get-pro.php (added)
• tags/6.1.13/includes/ee-index-template.html (added)
• tags/6.1.13/includes/ee-list-display-flex.php (added)
• tags/6.1.13/includes/ee-list-display-table.php (added)
• tags/6.1.13/includes/ee-list-display-tiles.php (added)
• tags/6.1.13/includes/ee-list-settings.php (added)
• tags/6.1.13/includes/ee-plugin-author.php (added)
• tags/6.1.13/includes/ee-plugin-extension-SFL-PRO.php (added)
• tags/6.1.13/includes/ee-plugin-extension-SFLM.php (added)
• tags/6.1.13/includes/ee-upload-settings.php (added)
• tags/6.1.13/includes/index.html (added)
• tags/6.1.13/includes/sending.gif (added)
• tags/6.1.13/index.html (added)
• tags/6.1.13/js (added)
• tags/6.1.13/js/ee-back.js (added)
• tags/6.1.13/js/ee-edit-file.js (added)
• tags/6.1.13/js/ee-footer.js (added)
• tags/6.1.13/js/ee-head.js (added)
• tags/6.1.13/js/index.html (added)
• tags/6.1.13/languages (added)
• tags/6.1.13/languages/ee-simple-file-list-cs_CZ.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-cs_CZ.po (added)
• tags/6.1.13/languages/ee-simple-file-list-da_DK.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-da_DK.po (added)
• tags/6.1.13/languages/ee-simple-file-list-de_DE.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-de_DE.po (added)
• tags/6.1.13/languages/ee-simple-file-list-es_ES.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-es_ES.po (added)
• tags/6.1.13/languages/ee-simple-file-list-es_MX.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-es_MX.po (added)
• tags/6.1.13/languages/ee-simple-file-list-fr_BE.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-fr_BE.po (added)
• tags/6.1.13/languages/ee-simple-file-list-fr_CA.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-fr_CA.po (added)
• tags/6.1.13/languages/ee-simple-file-list-fr_FR.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-fr_FR.po (added)
• tags/6.1.13/languages/ee-simple-file-list-it_IT.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-it_IT.po (added)
• tags/6.1.13/languages/ee-simple-file-list-nl_NL.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-nl_NL.po (added)
• tags/6.1.13/languages/ee-simple-file-list-pt_BR.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-pt_BR.po (added)
• tags/6.1.13/languages/ee-simple-file-list-pt_PT.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-pt_PT.po (added)
• tags/6.1.13/languages/ee-simple-file-list-sv_SE.mo (added)
• tags/6.1.13/languages/ee-simple-file-list-sv_SE.po (added)
• tags/6.1.13/languages/ee-simple-file-list.pot (added)
• tags/6.1.13/languages/index.html (added)
• tags/6.1.13/readme.txt (added)
• tags/6.1.13/security.txt (added)
• tags/6.1.13/uploader (added)
• tags/6.1.13/uploader/ee-class-uploads.php (added)
• tags/6.1.13/uploader/ee-uploader.js (added)
• trunk/ee-admin-page.php (modified) (3 diffs)
• trunk/ee-simple-file-list.php (modified) (2 diffs)
• trunk/includes/ee-class.php (modified) (1 diff)
• trunk/includes/ee-email-settings.php (modified) (1 diff)
• trunk/readme.txt (modified) (3 diffs)

simple-file-list/trunk/ee-admin-page.php

@@ -27 +27 @@
 
     // Get the new tab's query string value. We will only use values to display tabs that we are expecting.
-    if( isset( $_GET[ 'tab' ] ) ) { $active_tab = esc_js(sanitize_text_field($_GET[ 'tab' ])); } else { $active_tab = 'file_list'; }
+    if( isset( $_GET['tab'] ) ) {
+        $active_tab = sanitize_text_field( $_GET['tab'] ); // Sanitize input
+    } else {
+        $active_tab = 'file_list'; // Default tab
+    }
     
     $eeOutput .= '
@@ -36 +40 @@
     // File List
     $eeOutput .= '
-    
     <span class="nav-tab-wrapper-left">
-    
-    <a href="?page=' . eeSFL_BASE_PluginSlug . '&tab=file_list" class="nav-tab ';  
-    if($active_tab == 'file_list') {$eeOutput .= ' eeActiveTab '; }    
-    $active_tab == 'file_list' ? 'nav-tab-active' : '';
-    $eeOutput .= $active_tab . '">' . __('File List', 'ee-simple-file-list') . '</a>';
-    
+    <a href="?page=' . esc_attr(eeSFL_BASE_PluginSlug) . '&tab=file_list" class="nav-tab ' . ($active_tab == 'file_list' ? 'nav-tab-active eeActiveTab' : '') . '">' . __('File List', 'ee-simple-file-list') . '</a>';
     
     // Settings
-    $eeOutput .= '
-    <a href="?page=' . eeSFL_BASE_PluginSlug . '&tab=settings" class="nav-tab ';   
-    if($active_tab == 'settings') {$eeOutput .= ' eeActiveTab '; }  
-    $active_tab == 'settings' ? 'nav-tab-active' : ''; 
-    $eeOutput .= $active_tab . '">' . __('List Settings', 'ee-simple-file-list') . '</a>
-    
-    <a href="?page=' . eeSFL_BASE_PluginSlug . '&tab=pro" class="nav-tab ';   
-    if($active_tab == 'pro') {$eeOutput .= ' eeActiveTab '; }  
-    $active_tab == 'pro' ? 'nav-tab-active' : ''; 
-    $eeOutput .= $active_tab . '">' . __('Upgrade Version', 'ee-simple-file-list') . '</a>
-    
-    
-    </span>
-    <span class="nav-tab-wrapper-right">
-    
-    
-    <a href="?page=' . eeSFL_BASE_PluginSlug . '&tab=author" class="nav-tab ';   
-    if($active_tab == 'author') {$eeOutput .= ' eeActiveTab '; }  
-    $active_tab == 'author' ? 'nav-tab-active' : ''; 
-    $eeOutput .= $active_tab . '">' . __('Author', 'ee-simple-file-list') . '</a>';
-    
-    // Link to Support Form
-    $eeOutput .= '
-    <a href="https://simplefilelist.com/get-support/" class="nav-tab" target="_blank">' . __('Get Help', 'ee-simple-file-list') . ' &rarr;</a>
-    
-    </span>
-    
-    </h2>'; // END Main Tabs   
+    $eeOutput .= '
+    <a href="?page=' . esc_attr(eeSFL_BASE_PluginSlug) . '&tab=settings" class="nav-tab ' . ($active_tab == 'settings' ? 'nav-tab-active eeActiveTab' : '') . '">' . __('List Settings', 'ee-simple-file-list') . '</a>';
+    
+    // Pro Upgrade
+    $eeOutput .= '
+    <a href="?page=' . esc_attr(eeSFL_BASE_PluginSlug) . '&tab=pro" class="nav-tab ' . ($active_tab == 'pro' ? 'nav-tab-active eeActiveTab' : '') . '">' . __('Upgrade Version', 'ee-simple-file-list') . '</a>
+    </span>';
+    
+    // Right Tabs -------
+    $eeOutput .= '
+    <span class="nav-tab-wrapper-right">
+    <a href="?page=' . esc_attr(eeSFL_BASE_PluginSlug) . '&tab=author" class="nav-tab ' . ($active_tab == 'author' ? 'nav-tab-active eeActiveTab' : '') . '">' . __('Author', 'ee-simple-file-list') . '</a>';
+    
+    // Link to Support Form
+    $eeOutput .= '
+    <a href="https://simplefilelist.com/get-support/" class="nav-tab" target="_blank">' . __('Get Help', 'ee-simple-file-list') . ' &rarr;</a>
+    </span>
+    </h2>';
+    // END Main Tabs
+   
     
     
@@ -168 +158 @@
         
         // Sub Tabs
-        if( isset( $_GET[ 'subtab' ] ) ) { $active_subtab = esc_js(sanitize_text_field($_GET['subtab'])); } else { $active_subtab = 'list_settings'; }
-            
-        $eeOutput .= '
-        
-        <h2 class="nav-tab-wrapper">
-        <div class="ee-nav-sub-tabs">';
+        if( isset( $_GET['subtab'] ) ) {
+            $active_subtab = sanitize_text_field( $_GET['subtab'] ); // Sanitize input
+        } else {
+            $active_subtab = 'list_settings'; // Default subtab
+        }
+        
+        $eeOutput .= '
+        <h2 class="nav-tab-wrapper">
+        <div class="ee-nav-sub-tabs">';
         
         // List Settings
-        $eeOutput .= '<a href="?page=' . eeSFL_BASE_PluginSlug . '&tab=settings&subtab=list_settings" class="nav-tab ';  
-        if($active_subtab == 'list_settings') {$eeOutput .= '  eeActiveTab ';}    
-        $active_subtab == 'list_settings' ? 'nav-tab-active' : '';    
-        $eeOutput .= $active_subtab . '">' . __('File List Settings', 'ee-simple-file-list') . '</a>';
-        
-        // Uploader Settings
-        $eeOutput .= '<a href="?page=' . eeSFL_BASE_PluginSlug . '&tab=settings&subtab=uploader_settings" class="nav-tab ';  
-        if($active_subtab == 'uploader_settings') {$eeOutput .= '  eeActiveTab ';}    
-        $active_subtab == 'uploader_settings' ? 'nav-tab-active' : '';    
-        $eeOutput .= $active_subtab . '">' . __('File Upload Settings', 'ee-simple-file-list') . '</a>';
-        
-        // Notifications Settings
-        $eeOutput .= '<a href="?page=' . eeSFL_BASE_PluginSlug . '&tab=settings&subtab=email_settings" class="nav-tab ';  
-        if($active_subtab == 'email_settings') {$eeOutput .= '  eeActiveTab ';}    
-        $active_subtab == 'email_settings' ? 'nav-tab-active' : '';    
-        $eeOutput .= $active_subtab . '">' . __('Notification Settings', 'ee-simple-file-list') . '</a>';
-        
-        // Extension Settings (Coming Soon)
-        $eeOutput .= '<a href="?page=' . eeSFL_BASE_PluginSlug . '&tab=settings&subtab=extension_settings" class="nav-tab ';  
-        if($active_subtab == 'extension_settings') {$eeOutput .= '  eeActiveTab ';}    
-        $active_subtab == 'extension_settings' ? 'nav-tab-active' : '';    
-        $eeOutput .= $active_subtab . '">' . __('Extension Settings', 'ee-simple-file-list') . '</a>';
-        
-        // END Subtabs
+        $eeOutput .= '<a href="?page=' . esc_attr(eeSFL_BASE_PluginSlug) . '&tab=settings&subtab=list_settings" class="nav-tab ' . ($active_subtab == 'list_settings' ? 'nav-tab-active' : '') . '">' . __('File List Settings', 'ee-simple-file-list') . '</a>';
+        
+        // Uploader Settings
+        $eeOutput .= '<a href="?page=' . esc_attr(eeSFL_BASE_PluginSlug) . '&tab=settings&subtab=uploader_settings" class="nav-tab ' . ($active_subtab == 'uploader_settings' ? 'nav-tab-active' : '') . '">' . __('File Upload Settings', 'ee-simple-file-list') . '</a>';
+        
+        // Notifications Settings
+        $eeOutput .= '<a href="?page=' . esc_attr(eeSFL_BASE_PluginSlug) . '&tab=settings&subtab=email_settings" class="nav-tab ' . ($active_subtab == 'email_settings' ? 'nav-tab-active' : '') . '">' . __('Notification Settings', 'ee-simple-file-list') . '</a>';
+        
+        // Extension Settings (Coming Soon)
+        $eeOutput .= '<a href="?page=' . esc_attr(eeSFL_BASE_PluginSlug) . '&tab=settings&subtab=extension_settings" class="nav-tab ' . ($active_subtab == 'extension_settings' ? 'nav-tab-active' : '') . '">' . __('Extension Settings', 'ee-simple-file-list') . '</a>';
+        
+        // End Subtabs
+
         $eeOutput .= '
         

simple-file-list/trunk/ee-simple-file-list.php

@@ -9 +9 @@
 Description: A Basic File List Manager with File Uploader
 Author: Mitchell Bennis
-Version: 6.1.11
+Version: 6.1.13
 Author URI: http://simplefilelist.com
 License: GPLv2 or later
@@ -20 +20 @@
 // CONSTANTS
 define('eeSFL_BASE_DevMode', FALSE);
-define('eeSFL_BASE_Version', '6.1.11'); // Plugin version
+define('eeSFL_BASE_Version', '6.1.13'); // Plugin version
 define('eeSFL_BASE_PluginName', 'Simple File List');
 define('eeSFL_BASE_PluginSlug', 'ee-simple-file-list');

simple-file-list/trunk/includes/ee-class.php

@@ -1581 +1581 @@
     
     
-    // Get the current URL
+    // Get the current URL securely
     public function eeSFL_GetThisURL($eeIncludeQuery = TRUE) {
-        
-        // Find what is contained in the address bar?
-        // Example: https://mywebsite.com/wordpress/wp-admin/admin.php?page=ee-simple-file-list-pro&eeFolder=WTEA_Curriculum&eeListID=1&ee=1
-        
+    
         $eeProtocol = ''; $eeHost = ''; $eeSubFolder = ''; $eeArguments = '';
-        
+    
         // If HTTP_HOST is empty, use site_url()
         if( empty($_SERVER['HTTP_HOST']) ) {
-            
-            $eeHost = site_url(); // This will contain the path to the WP core files, plus slash
-            
+    
+            $eeHost = esc_url( site_url() ); // This will contain the path to the WP core files, plus slash
+    
             if( strpos($_SERVER['REQUEST_URI'], '?') !== FALSE ) { 
-                $eeArray = explode('?', $_SERVER['REQUEST_URI']);
-                if(!empty($eeArray[1])) { $eeArguments = $eeArray[1]; }
-            }
-        
+                $eeArray = explode('?', sanitize_text_field($_SERVER['REQUEST_URI'])); // Sanitize input
+                if(!empty($eeArray[1])) { 
+                    $eeArguments = sanitize_text_field($eeArray[1]); // Sanitize query string arguments
+                }
+            }
+    
         } else {
-            
+    
             $eeProtocol = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://"; // Protocol
-            $eeHost = $_SERVER['HTTP_HOST']; // Host
-            
-            // Get folder path
+            $eeHost = sanitize_text_field($_SERVER['HTTP_HOST']); // Sanitize Host
+    
+            // Get folder path and sanitize the URI
             if( strpos($_SERVER['REQUEST_URI'], '?') !== false ) {
-                
-                $eeArray = explode('?', $_SERVER['REQUEST_URI']);
-                if(!empty($eeArray[0])) { $eeSubFolder = $eeArray[0]; }
-                if(!empty($eeArray[1])) { $eeArguments = $eeArray[1]; }
-            
+    
+                $eeArray = explode('?', sanitize_text_field($_SERVER['REQUEST_URI'])); // Sanitize input
+                if(!empty($eeArray[0])) { 
+                    $eeSubFolder = sanitize_text_field($eeArray[0]); // Sanitize path
+                }
+                if(!empty($eeArray[1])) { 
+                    $eeArguments = sanitize_text_field($eeArray[1]); // Sanitize query string arguments
+                }
+    
             } else {
-                $eeSubFolder = $_SERVER['REQUEST_URI']; // Just a folder path or a single slash
-            }
-        }
-        
+                $eeSubFolder = sanitize_text_field($_SERVER['REQUEST_URI']); // Sanitize the folder path
+            }
+        }
+    
         // Reassemble the URL
         $eeURL = $eeProtocol . $eeHost . $eeSubFolder;
-        
+    
         // Re-Add the Query if Needed
-        if($eeIncludeQuery === TRUE) { 
+        if($eeIncludeQuery === TRUE && !empty($eeArguments)) { 
             $eeURL .= '?' . $eeArguments;
-            $eeURL = remove_query_arg('eeReScan', $eeURL); // Don't want this
-        }
-    
-        return $eeURL;
-    }
+            $eeURL = esc_url( remove_query_arg('eeReScan', $eeURL) ); // Ensure the URL is escaped and sanitized
+        }
+    
+        return esc_url( $eeURL ); // Return safely escaped URL
+    }
+
 
 

simple-file-list/trunk/includes/ee-email-settings.php

@@ -61 +61 @@
 $eeOutput .= '
 
-<form action="' . admin_url() . '?page=' . eeSFL_BASE_PluginSlug . '&tab=settings&subtab=email_settings" method="post" id="eeSFL_Settings">
+<form action="' . $eeURL . '" method="post" id="eeSFL_Settings">
 <input type="hidden" name="eePost" value="TRUE" />';    
 $eeOutput .= wp_nonce_field( 'ee-simple-file-list-settings', 'ee-simple-file-list-settings-nonce', TRUE, FALSE);

simple-file-list/trunk/readme.txt

@@ -2 +2 @@
 Contributors: eemitch
 Donate link: http://simplefilelist.com
-Tags: file list, file sharing, upload files, exchange files, manage files
+Tags: file list, file sharing, file upload form, upload files, exchange files, host files, zip files, dropbox, ftp
 Requires at least: 5.0
-Requires PHP: 7.4
-Tested up to: 6.6
-Stable tag: 6.1.11
+Requires PHP: 7
+Tested up to: 6.4
+Stable tag: 6.1.13
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -225 +225 @@
 == Upgrade Notice ==
 
-* 6.1.11 - Improvements
+* 6.1.13 - Security Fixes
 
 
@@ -236 +236 @@
 
 == Changelog ==
+
+= 6.1.13 =
+* Security Fix for a reflecte cross-site scripting (XSS) issue
+* Security improvements to back-end navigation tabs.
 
 = 6.1.11 =