Changeset 3370739

Timestamp:

09/30/2025 10:15:50 PM (6 months ago)

Author:

jeremyfelt

Message:

Update to version 1.2.2 from GitHub

Location:

clariti

Files:

• tags/1.2.2 (copied) (copied from clariti/trunk)
• tags/1.2.2/clariti.php (modified) (4 diffs)
• tags/1.2.2/inc/class-admin.php (modified) (6 diffs)
• tags/1.2.2/inc/class-notifier.php (modified) (7 diffs)
• tags/1.2.2/inc/class-rest-api.php (modified) (2 diffs)
• tags/1.2.2/inc/integrations/class-the-blog-fixer.php (modified) (1 diff)
• tags/1.2.2/readme.txt (modified) (3 diffs)
• trunk/clariti.php (modified) (4 diffs)
• trunk/inc/class-admin.php (modified) (6 diffs)
• trunk/inc/class-notifier.php (modified) (7 diffs)
• trunk/inc/class-rest-api.php (modified) (2 diffs)
• trunk/inc/integrations/class-the-blog-fixer.php (modified) (1 diff)
• trunk/readme.txt (modified) (3 diffs)

clariti/tags/1.2.2/clariti.php

@@ -7 +7 @@
  * Text Domain:       clariti
  * Domain Path:       /languages
- * Version:           1.2.1
+ * Version:           1.2.2
  * Requires at least: 6.0
  * Requires PHP:      7.4
@@ -20 +20 @@
  */
 add_action( 'admin_menu', array( 'Clariti\Admin', 'action_admin_menu' ) );
-add_action( 'plugin_action_links_' . plugin_basename( __FILE__ ), array( 'Clariti\Admin', 'filter_plugin_action_links' ) );
-add_action( 'rest_index', array( 'Clariti\REST_API', 'filter_rest_index' ) );
+add_filter( 'plugin_action_links_' . plugin_basename( __FILE__ ), array( 'Clariti\Admin', 'filter_plugin_action_links' ) );
+add_filter( 'rest_index', array( 'Clariti\REST_API', 'filter_rest_index' ) );
 add_action( 'rest_api_init', array( 'Clariti\REST_API', 'register_routes' ) );
 /**
@@ -76 +76 @@
  */
 function clariti_get_supported_post_types() {
-    $post_types = get_post_types( array(), 'object' );
+    $post_types = get_post_types( array(), 'objects' );
     $skipped    = array(
         'nav_menu_item',
@@ -89 +89 @@
             continue;
         }
-        // Has to public=true && show_in_rest=true.
+
+        // Post type must be public and have REST API support.
         if ( empty( $post_type->public ) || empty( $post_type->show_in_rest ) ) {
             continue;
         }
-        // Has to support 'title' and 'editor'.
+
+        // Post type must support 'title' and 'editor'.
         if ( ! post_type_supports( $post_type->name, 'title' ) || ! post_type_supports( $post_type->name, 'editor' ) ) {
             continue;

clariti/tags/1.2.2/inc/class-admin.php

@@ -95 +95 @@
         $key = self::get_api_key();
 
-        if ( ! empty( $_GET['verify'] ) && $key ) {
+        if ( ! empty( $_GET['verify'] ) && $key ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
             Notifier::action_updated_option( self::API_KEY_OPTION, $key, $key );
         }
@@ -105 +105 @@
             self::PAGE_SLUG
         );
-        if ( ! empty( $_GET['advanced'] ) || get_option( self::API_HOST_OPTION ) ) {
+        if ( ! empty( $_GET['advanced'] ) || get_option( self::API_HOST_OPTION ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
             add_settings_field(
                 self::API_HOST_OPTION,
@@ -137 +137 @@
                 <?php submit_button(); ?>
             </form>
-            <?php if ( isset( $_GET['advanced'] ) && $_GET['advanced'] ) : ?>
+            <?php if ( isset( $_GET['advanced'] ) && (int) $_GET['advanced'] ) : // phpcs:ignore WordPress.Security.NonceVerification.Recommended ?>
                 <form method="post" action="admin-post.php">
                     <table class="form-table" role="presentation">
@@ -151 +151 @@
                     <input type="hidden" name="action" value="clear_secret">
                     <input type="hidden" name="clear-secret" value="1">
+                    <?php wp_nonce_field( 'clear_secret', 'clear_secret_nonce' ); ?>
                     <?php submit_button( 'Clear Secret' ); ?>
                 </form>
@@ -267 +268 @@
      */
     public static function clear_secret(): void {
-        delete_option( Admin::API_SECRET_OPTION );
+        delete_option( self::API_SECRET_OPTION );
     }
 
@@ -276 +277 @@
      */
     public static function get_api_key(): string {
-        $value = get_option( Admin::API_KEY_OPTION, '' );
+        $value = get_option( self::API_KEY_OPTION, '' );
 
         return (string) $value;

clariti/tags/1.2.2/inc/class-notifier.php

@@ -85 +85 @@
             }
 
-            error_log( 'CLARITI:ERROR - action_added_option - ' . $exception->getMessage() );
+            error_log( 'CLARITI:ERROR - action_added_option - ' . $exception->getMessage() ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
         }
     }
@@ -138 +138 @@
             }
 
-            error_log( 'CLARITI:ERROR - action_updated_option - ' . $exception->getMessage() );
+            error_log( 'CLARITI:ERROR - action_updated_option - ' . $exception->getMessage() ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
         }
     }
@@ -246 +246 @@
      * Inform Clariti when an approved comment is updated.
      *
-     * @param integer    $id      The comment ID.
-     * @param WP_Comment $comment Comment object.
+     * @param integer     $id      The comment ID.
+     * @param \WP_Comment $comment Comment object.
      */
     public static function action_wp_insert_comment( $id, $comment ) {
@@ -393 +393 @@
             self::send_clariti_payload( $payload );
         } catch ( \Exception $exception ) {
-            error_log( 'CLARITI:ERROR - action_updated_option - ' . $exception->getMessage() );
+            error_log( 'CLARITI:ERROR - action_updated_option - ' . $exception->getMessage() ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
         }
     }
@@ -407 +407 @@
         } elseif ( get_option( Admin::API_HOST_OPTION, '' ) ) {
             $host = get_option( Admin::API_HOST_OPTION, '' );
-        } elseif ( ! empty( $_POST[ Admin::API_HOST_OPTION ] ) && ! Admin::is_valid_api_host( $_POST[ Admin::API_HOST_OPTION ] ) ) {
-            $host = $_POST[ Admin::API_HOST_OPTION ];
+        } elseif ( ! empty( $_POST[ Admin::API_HOST_OPTION ] ) && ! Admin::is_valid_api_host( sanitize_text_field( wp_unslash( $_POST[ Admin::API_HOST_OPTION ] ) ) ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing
+            $host = sanitize_text_field( wp_unslash( $_POST[ Admin::API_HOST_OPTION ] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing
         } else {
             $host = self::API_HOST_DEFAULT;
@@ -456 +456 @@
 
         if ( $response instanceof \WP_Error ) {
-            throw new \Exception( $response->get_error_message() );
+            throw new \Exception( esc_html( $response->get_error_message() ) );
         }
 
         $data = json_decode( $response['body'], true );
 
-        if ( ! $data || is_wp_error( $data ) ) {
+        if ( ! $data || ! is_array( $data ) ) {
             throw new \Exception( 'Could not read response from Clariti' );
         }
 
-        if ( false === ( (bool) $data['ok'] ?? false ) ) {
+        if ( false === (bool) ( $data['ok'] ?? false ) ) {
             // If Clariti replies with a 601 error code, clear the secret and
             // prevent further requests until a new API key is added.
-            if ( 601 === ( (int) $data['error']['code'] ?? null ) ) {
+            if ( 601 === (int) ( $data['error']['code'] ?? null ) ) {
                 Admin::clear_secret();
             }
 
-            throw new \Exception( "{$data['error']['code']} - {$data['error']['message']}" );
+            throw new \Exception( esc_html( "{$data['error']['code']} - {$data['error']['message']}" ) );
         }
 
@@ -527 +527 @@
      */
     public static function clear_secret_option() {
+        check_admin_referer( 'clear_secret', 'clear_secret_nonce' );
+
+        if ( ! current_user_can( Admin::CAPABILITY ) ) {
+            wp_die( esc_html__( 'You are not authorized to perform this action.', 'clariti' ) );
+        }
+
         Admin::clear_secret();
         Admin::send_admin_notification( 'clariti-updated-option', 'clariti-updated-option-success', 'Clariti Secret cleared!', 'success' );

clariti/tags/1.2.2/inc/class-rest-api.php

@@ -41 +41 @@
      * Filters the REST API index to include our own data.
      *
-     * @param WP_REST_Response $response Existing response object.
+     * @param \WP_REST_Response $response Existing response object.
      * @return object
      */
@@ -164 +164 @@
         }
 
-        $key = admin::get_api_key();
+        $key = Admin::get_api_key();
 
         return array(

clariti/tags/1.2.2/inc/integrations/class-the-blog-fixer.php

@@ -18 +18 @@
      * Fires after an operation has been performed on a post.
      *
-     * @param object $po   Post operation object.
-     * @param object $post Post.
+     * @param object   $po   Post operation object.
+     * @param \WP_Post $post Post.
      */
     public static function action_tbf_after_post_operation_execution( $po, $post ) {

clariti/tags/1.2.2/readme.txt

@@ -4 +4 @@
 Requires at least: 6.0
 Tested up to: 6.8
-Stable tag: 1.2.1
+Stable tag: 1.2.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -28 +28 @@
 == Frequently Asked Questions ==
 
-= Where do I report security bugs found in this plugin? =
+= Where do I report security bugs? =
 
-Please report security bugs found in the source code of the Clariti plugin through the [Patchstack Vulnerability Disclosure  Program](https://patchstack.com/database/vdp/ce756ba9-6201-4854-bf28-499d3c2422fd). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.
+Please report security bugs found in the source code of the Clariti plugin to security@clariti.com.
 
 == Installation ==
@@ -49 +49 @@
 
 == Changelog ==
+
+= 1.2.2 (September 30, 2025) =
+
+* Fix an issue where a secondary key used in the connection to Clariti could be deleted by an authenticated user.
+* Improve nonce verification.
 
 = 1.2.1 (April 2, 2024) =

clariti/trunk/clariti.php

@@ -7 +7 @@
  * Text Domain:       clariti
  * Domain Path:       /languages
- * Version:           1.2.1
+ * Version:           1.2.2
  * Requires at least: 6.0
  * Requires PHP:      7.4
@@ -20 +20 @@
  */
 add_action( 'admin_menu', array( 'Clariti\Admin', 'action_admin_menu' ) );
-add_action( 'plugin_action_links_' . plugin_basename( __FILE__ ), array( 'Clariti\Admin', 'filter_plugin_action_links' ) );
-add_action( 'rest_index', array( 'Clariti\REST_API', 'filter_rest_index' ) );
+add_filter( 'plugin_action_links_' . plugin_basename( __FILE__ ), array( 'Clariti\Admin', 'filter_plugin_action_links' ) );
+add_filter( 'rest_index', array( 'Clariti\REST_API', 'filter_rest_index' ) );
 add_action( 'rest_api_init', array( 'Clariti\REST_API', 'register_routes' ) );
 /**
@@ -76 +76 @@
  */
 function clariti_get_supported_post_types() {
-    $post_types = get_post_types( array(), 'object' );
+    $post_types = get_post_types( array(), 'objects' );
     $skipped    = array(
         'nav_menu_item',
@@ -89 +89 @@
             continue;
         }
-        // Has to public=true && show_in_rest=true.
+
+        // Post type must be public and have REST API support.
         if ( empty( $post_type->public ) || empty( $post_type->show_in_rest ) ) {
             continue;
         }
-        // Has to support 'title' and 'editor'.
+
+        // Post type must support 'title' and 'editor'.
         if ( ! post_type_supports( $post_type->name, 'title' ) || ! post_type_supports( $post_type->name, 'editor' ) ) {
             continue;

clariti/trunk/inc/class-admin.php

@@ -95 +95 @@
         $key = self::get_api_key();
 
-        if ( ! empty( $_GET['verify'] ) && $key ) {
+        if ( ! empty( $_GET['verify'] ) && $key ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
             Notifier::action_updated_option( self::API_KEY_OPTION, $key, $key );
         }
@@ -105 +105 @@
             self::PAGE_SLUG
         );
-        if ( ! empty( $_GET['advanced'] ) || get_option( self::API_HOST_OPTION ) ) {
+        if ( ! empty( $_GET['advanced'] ) || get_option( self::API_HOST_OPTION ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
             add_settings_field(
                 self::API_HOST_OPTION,
@@ -137 +137 @@
                 <?php submit_button(); ?>
             </form>
-            <?php if ( isset( $_GET['advanced'] ) && $_GET['advanced'] ) : ?>
+            <?php if ( isset( $_GET['advanced'] ) && (int) $_GET['advanced'] ) : // phpcs:ignore WordPress.Security.NonceVerification.Recommended ?>
                 <form method="post" action="admin-post.php">
                     <table class="form-table" role="presentation">
@@ -151 +151 @@
                     <input type="hidden" name="action" value="clear_secret">
                     <input type="hidden" name="clear-secret" value="1">
+                    <?php wp_nonce_field( 'clear_secret', 'clear_secret_nonce' ); ?>
                     <?php submit_button( 'Clear Secret' ); ?>
                 </form>
@@ -267 +268 @@
      */
     public static function clear_secret(): void {
-        delete_option( Admin::API_SECRET_OPTION );
+        delete_option( self::API_SECRET_OPTION );
     }
 
@@ -276 +277 @@
      */
     public static function get_api_key(): string {
-        $value = get_option( Admin::API_KEY_OPTION, '' );
+        $value = get_option( self::API_KEY_OPTION, '' );
 
         return (string) $value;

clariti/trunk/inc/class-notifier.php

@@ -85 +85 @@
             }
 
-            error_log( 'CLARITI:ERROR - action_added_option - ' . $exception->getMessage() );
+            error_log( 'CLARITI:ERROR - action_added_option - ' . $exception->getMessage() ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
         }
     }
@@ -138 +138 @@
             }
 
-            error_log( 'CLARITI:ERROR - action_updated_option - ' . $exception->getMessage() );
+            error_log( 'CLARITI:ERROR - action_updated_option - ' . $exception->getMessage() ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
         }
     }
@@ -246 +246 @@
      * Inform Clariti when an approved comment is updated.
      *
-     * @param integer    $id      The comment ID.
-     * @param WP_Comment $comment Comment object.
+     * @param integer     $id      The comment ID.
+     * @param \WP_Comment $comment Comment object.
      */
     public static function action_wp_insert_comment( $id, $comment ) {
@@ -393 +393 @@
             self::send_clariti_payload( $payload );
         } catch ( \Exception $exception ) {
-            error_log( 'CLARITI:ERROR - action_updated_option - ' . $exception->getMessage() );
+            error_log( 'CLARITI:ERROR - action_updated_option - ' . $exception->getMessage() ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
         }
     }
@@ -407 +407 @@
         } elseif ( get_option( Admin::API_HOST_OPTION, '' ) ) {
             $host = get_option( Admin::API_HOST_OPTION, '' );
-        } elseif ( ! empty( $_POST[ Admin::API_HOST_OPTION ] ) && ! Admin::is_valid_api_host( $_POST[ Admin::API_HOST_OPTION ] ) ) {
-            $host = $_POST[ Admin::API_HOST_OPTION ];
+        } elseif ( ! empty( $_POST[ Admin::API_HOST_OPTION ] ) && ! Admin::is_valid_api_host( sanitize_text_field( wp_unslash( $_POST[ Admin::API_HOST_OPTION ] ) ) ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing
+            $host = sanitize_text_field( wp_unslash( $_POST[ Admin::API_HOST_OPTION ] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing
         } else {
             $host = self::API_HOST_DEFAULT;
@@ -456 +456 @@
 
         if ( $response instanceof \WP_Error ) {
-            throw new \Exception( $response->get_error_message() );
+            throw new \Exception( esc_html( $response->get_error_message() ) );
         }
 
         $data = json_decode( $response['body'], true );
 
-        if ( ! $data || is_wp_error( $data ) ) {
+        if ( ! $data || ! is_array( $data ) ) {
             throw new \Exception( 'Could not read response from Clariti' );
         }
 
-        if ( false === ( (bool) $data['ok'] ?? false ) ) {
+        if ( false === (bool) ( $data['ok'] ?? false ) ) {
             // If Clariti replies with a 601 error code, clear the secret and
             // prevent further requests until a new API key is added.
-            if ( 601 === ( (int) $data['error']['code'] ?? null ) ) {
+            if ( 601 === (int) ( $data['error']['code'] ?? null ) ) {
                 Admin::clear_secret();
             }
 
-            throw new \Exception( "{$data['error']['code']} - {$data['error']['message']}" );
+            throw new \Exception( esc_html( "{$data['error']['code']} - {$data['error']['message']}" ) );
         }
 
@@ -527 +527 @@
      */
     public static function clear_secret_option() {
+        check_admin_referer( 'clear_secret', 'clear_secret_nonce' );
+
+        if ( ! current_user_can( Admin::CAPABILITY ) ) {
+            wp_die( esc_html__( 'You are not authorized to perform this action.', 'clariti' ) );
+        }
+
         Admin::clear_secret();
         Admin::send_admin_notification( 'clariti-updated-option', 'clariti-updated-option-success', 'Clariti Secret cleared!', 'success' );

clariti/trunk/inc/class-rest-api.php

@@ -41 +41 @@
      * Filters the REST API index to include our own data.
      *
-     * @param WP_REST_Response $response Existing response object.
+     * @param \WP_REST_Response $response Existing response object.
      * @return object
      */
@@ -164 +164 @@
         }
 
-        $key = admin::get_api_key();
+        $key = Admin::get_api_key();
 
         return array(

clariti/trunk/inc/integrations/class-the-blog-fixer.php

@@ -18 +18 @@
      * Fires after an operation has been performed on a post.
      *
-     * @param object $po   Post operation object.
-     * @param object $post Post.
+     * @param object   $po   Post operation object.
+     * @param \WP_Post $post Post.
      */
     public static function action_tbf_after_post_operation_execution( $po, $post ) {

clariti/trunk/readme.txt

@@ -4 +4 @@
 Requires at least: 6.0
 Tested up to: 6.8
-Stable tag: 1.2.1
+Stable tag: 1.2.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -28 +28 @@
 == Frequently Asked Questions ==
 
-= Where do I report security bugs found in this plugin? =
+= Where do I report security bugs? =
 
-Please report security bugs found in the source code of the Clariti plugin through the [Patchstack Vulnerability Disclosure  Program](https://patchstack.com/database/vdp/ce756ba9-6201-4854-bf28-499d3c2422fd). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.
+Please report security bugs found in the source code of the Clariti plugin to security@clariti.com.
 
 == Installation ==
@@ -49 +49 @@
 
 == Changelog ==
+
+= 1.2.2 (September 30, 2025) =
+
+* Fix an issue where a secondary key used in the connection to Clariti could be deleted by an authenticated user.
+* Improve nonce verification.
 
 = 1.2.1 (April 2, 2024) =