Changeset 1847887
- Timestamp:
- 03/27/2018 05:43:51 PM (8 years ago)
- Location:
- read-and-understood/trunk
- Files:
-
- 2 edited
-
class_wp_rnu.php (modified) (21 diffs)
-
readme.txt (modified) (3 diffs)
read-and-understood/trunk/class_wp_rnu.php
r1846382 r1847887 5 5 Plugin URI: https://bo.wordpress.org/plugins/read-and-understood/ 6 6 Description: Records acknowledgements that specific users have read specific postings (or not). 7 Version: 2. 37 Version: 2.4 8 8 Author: Peter Mantos; Mantos I.T. Consulting Inc. 9 9 Author URI: http://mantos.com … … 28 28 * REV : WHEN : WHO : WHAT 29 29 * =====+=============+================+=================================================== 30 * 2.4 : 26-Mar-2018 : P.Mantos 31 * : : : Functionally equivalent to version 2.3 and equally secure. Modified to 32 * : : : conform to undocumented coding style preferences of Wordpress security team 33 * : : : which includes sanitizing all POST variables on same line of code whether used 34 * : : : to set another another variable or not. Added line at beginning of functions to 35 * : : : convert global $_POST variables to $FILTERED_POST. 36 * : : : TODO: remove the now redundant sanitization (filtering) of $FILTERED_POST 37 * =====+=============+================+=================================================== 30 38 * 2.3 : 23-Mar-2018 : P.Mantos 31 39 * : : : Better sanitization of arguments coming in from POST and written to DB 32 40 * : : : Better job using nonce. 33 * : : : Uses relative address for plugin_url34 41 * =====+=============+================+=================================================== 35 42 * 2.2 : 03-Feb-2018 : P.Mantos … … 96 103 defined('ABSPATH') or die('No script kiddies please!'); 97 104 if (! defined('READ_AND_UNDERSTOOD_PLUGIN_VERSION')) 98 define('READ_AND_UNDERSTOOD_PLUGIN_VERSION', '2. 
3');105 define('READ_AND_UNDERSTOOD_PLUGIN_VERSION', '2.4'); 99 106 class class_wp_rnu 100 107 { … … 180 187 global $post; 181 188 global $current_user; 189 $FILTERED_POST = self::filter_either($_POST); // Sanitize $_POST varibales immediately 190 182 191 $username_validation_error_msg = ""; 183 if (null != (filter_var($ _POST['rnu_submit'],FILTER_SANITIZE_STRING ))) { // the user has requested a acknowledgement using the form submit, which was not intercepted by JavaScript192 if (null != (filter_var($FILTERED_POST['rnu_submit'],FILTER_SANITIZE_STRING ))) { // the user has requested a acknowledgement using the form submit, which was not intercepted by JavaScript 184 193 } 185 194 // load in any RNU variables posted; specifically want to preserve Username if just acknowledged … … 187 196 $rnu_user_id = 0; // by default 188 197 $rnu_username = ''; // by default 189 foreach ($ _POST as $opt_name => $opt_val) {198 foreach ($FILTERED_POST as $opt_name => $opt_val) { 190 199 if (strpos($opt_name, $this->shortname) === 0) { 191 200 $$opt_name = filter_var($opt_val, FILTER_SANITIZE_STRING); // double $$ means set the variable that is named ... to the value … … 350 359 // 'wp_ajax_rnu_action', and 'wp_ajax-nopriv_rnu_action' using add_action in the _counstruct subroutine. 351 360 // The output (echo) of this callback is then passed back to javascript via the 'response' parameter. 
352 $rnu_username = $_POST['rnu_username']; 361 $FILTERED_POST = self::filter_either($_POST); 362 $rnu_username = $FILTERED_POST['rnu_username']; 353 363 $rnu_username = trim(filter_var($rnu_username, FILTER_SANITIZE_STRING)); 354 364 if ($rnu_username == '') { … … 379 389 { 380 390 global $wpdb; // this is how you get access to the database 381 382 $rnu_user_id = intval(filter_var($_POST['rnu_user_id'],FILTER_SANITIZE_STRING)); 383 $rnu_post_id = intval(filter_var($_POST['rnu_post_id'],FILTER_SANITIZE_STRING)); 384 $rnu_username = $_POST['rnu_username']; 391 $FILTERED_POST = self::filter_either($_POST); 392 393 $rnu_user_id = intval(filter_var($FILTERED_POST['rnu_user_id'],FILTER_SANITIZE_STRING)); 394 $rnu_post_id = intval(filter_var($FILTERED_POST['rnu_post_id'],FILTER_SANITIZE_STRING)); 395 $rnu_username = $FILTERED_POST['rnu_username']; 385 396 $rnu_username = trim(filter_var($rnu_username, FILTER_SANITIZE_STRING)); 386 397 if (($rnu_username != '') && ($rnu_post_id > 0) && ($rnu_user_id >= 0)) { … … 399 410 public function rnu_add_notification($username_validation_error_msg, $rnu_user_id, $rnu_post_id, $rnu_username) 400 411 { 401 if ($this->hasBeenAcked($rnu_user_id, $rnu_post_id, $rnu_username)) { 412 $FILTERED_POST = self::filter_either($_POST); 413 if ($this->hasBeenAcked($rnu_user_id, $rnu_post_id, $rnu_username)) { 402 414 $rnu_form .= '<div class="hidden_acknowledgement_msg" style="visibility:visible;display:block" name="rnu_acknowledged_msg";><font color="green">You have acknowledged this posting.</font></div>'; 403 415 $java_text = ''; … … 405 417 } else { 406 418 $rnu_button_label = __('READ AND UNDERSTOOD', 'read-and-understood-locale'); 407 //echo "<pre>"; 408 //print_r($_POST); 409 //echo "</pre>"; 410 if (! null != (filter_var($_POST['rnu_submit'],FILTER_SANITIZE_STRING ))) { // the user has not requested an acknowledgement using the form submit, allow the form 419 if (! 
null != (filter_var($FILTERED_POST['rnu_submit'],FILTER_SANITIZE_STRING ))) { // the user has not requested an acknowledgement using the form submit, allow the form 411 420 $rnu_form = '<form id="rnuform" name="rnuform" method="post">'; 412 421 if ($rnu_username == '') { … … 456 465 } 457 466 $style = "visibility:hidden;display:none"; // default: do NOT show acknowledgement block 458 if (null != (filter_var($ _POST['rnu_submit'],FILTER_SANITIZE_STRING ))) { // the user has requested a acknowledgement using the form submit467 if (null != (filter_var($FILTERED_POST['rnu_submit'],FILTER_SANITIZE_STRING ))) { // the user has requested a acknowledgement using the form submit 459 468 $rnu_username_validation_pattern = trim(htmlspecialchars(stripslashes(get_option($this->shortname . '_username_validation_pattern', '')))); 460 469 $rnu_username_validation_title = trim(htmlspecialchars(stripslashes(get_option($this->shortname . '_username_validation_title', '')))); … … 500 509 } 501 510 global $wpdb; 511 $FILTERED_POST = self::filter_either($_POST); 512 502 513 $rnu_ack_tablename = $wpdb->prefix . "rnu_acknowledgements"; 503 514 $date_error_msg = ''; // no errors detected , yet … … 509 520 // See if the user has posted us some information 510 521 // If they did, this hidden field will be set to 'Y' 511 if (null != (filter_var($ _POST['rnu_ExportBtn'], FILTER_SANITIZE_STRING )) || null != (filter_var($_POST['rnu_PurgeBtn'],FILTER_SANITIZE_STRING ))) {522 if (null != (filter_var($FILTERED_POST['rnu_ExportBtn'], FILTER_SANITIZE_STRING )) || null != (filter_var($FILTERED_POST['rnu_PurgeBtn'],FILTER_SANITIZE_STRING ))) { 512 523 // load in any RnU variables posted 513 foreach ($ _POST as $opt_name => $opt_val) {524 foreach ($FILTERED_POST as $opt_name => $opt_val) { 514 525 if (strpos($opt_name, $shortname) === 0) { 515 526 $$opt_name = filter_var($opt_val, FILTER_SANITIZE_STRING ); // double $$ means set the variable that is named ... 
to the value … … 531 542 // export is handled using a different function since it needs to output html headers 532 543 // purge is handled here 533 if (null != (filter_var($ _POST['rnu_PurgeBtn'],FILTER_SANITIZE_STRING )) && ($date_error_msg == '')) {534 if (null != (filter_var($ _POST['rnu_records_to_be_purged_count'],FILTER_SANITIZE_STRING )) && ($rnu_records_to_be_purged_count != 0)) {544 if (null != (filter_var($FILTERED_POST['rnu_PurgeBtn'],FILTER_SANITIZE_STRING )) && ($date_error_msg == '')) { 545 if (null != (filter_var($FILTERED_POST['rnu_records_to_be_purged_count'],FILTER_SANITIZE_STRING )) && ($rnu_records_to_be_purged_count != 0)) { 535 546 // if the dates have changed between the original purge and the confirmation, skip the deletion 536 547 $purge_start_date = htmlspecialchars(stripslashes(get_option($shortname . '_start_date', ''))); // was saved when user pressed purge 1st time … … 573 584 // See if the user has posted us some information 574 585 // If they did, this hidden field will be set to 'Y' 575 if (null != (filter_var($_POST[$hidden_field_name],FILTER_SANITIZE_STRING )) && $_POST[$hidden_field_name] == 'Y') { 576 if (null != (filter_var($_POST["Submit"],FILTER_SANITIZE_STRING )) && strcmp(filter_var($_POST["Submit"],FILTER_SANITIZE_STRING ), esc_attr('Save Changes')) == 0) { 577 // echo "<pre>"; 578 // print_r($_POST); 579 // echo "</pre>"; 580 foreach ($_POST as $opt_name => $opt_val) { 581 echo "$opt_name = $opt_val <br />"; 586 if (null != (filter_var($FILTERED_POST[$hidden_field_name],FILTER_SANITIZE_STRING )) && $FILTERED_POST[$hidden_field_name] == 'Y') { 587 if (null != (filter_var($FILTERED_POST["Submit"],FILTER_SANITIZE_STRING )) && strcmp(filter_var($FILTERED_POST["Submit"],FILTER_SANITIZE_STRING ), esc_attr('Save Changes')) == 0) { 588 foreach ($FILTERED_POST as $opt_name => $opt_val) { 582 589 if (strpos($opt_name, $shortname) === 0) { 583 590 update_option($opt_name, filter_var($opt_val,FILTER_SANITIZE_STRING )); … … 588 595 
$this->rnudb_clearCategories();// Need to delete all rnu categories from database 589 596 $opt_name = $shortname . "_category"; 590 if (is_array($_POST[$opt_name])) { 591 if (null != (filter_var_array($_POST[$opt_name],FILTER_SANITIZE_STRING ))) { 592 foreach ($_POST[$opt_name] as $selectedOption) { 593 echo "<pre>";echo $selectedOption;echo "</pre>"; 594 $this->rnudb_addCategory(filter_var($selectedOption, FILTER_SANITIZE_STRING )); // 'Go ahead and add category ' . $selectedOption."\n"; 597 if (is_array($FILTERED_POST[$opt_name])) { 598 if (null != (filter_var_array($FILTERED_POST[$opt_name],FILTER_SANITIZE_STRING ))) { 599 foreach ($FILTERED_POST[$opt_name] as $selectedOption) { 600 $this->rnudb_addCategory(filter_var($selectedOption, FILTER_SANITIZE_STRING )); // 'Go ahead and add category ' . $selectedOption."\n"; 595 601 } 596 602 } else { … … 599 605 // Check boxes: 600 606 $opt_name = $shortname . "_require_login"; 601 if (null != (filter_var($ _POST[$opt_name],FILTER_SANITIZE_STRING ))) {607 if (null != (filter_var($FILTERED_POST[$opt_name],FILTER_SANITIZE_STRING ))) { 602 608 $opt_val = "YES"; 603 609 } else { … … 608 614 echo '<div class="updated"><p><strong>' . __('settings saved.', 'read-and-understood-locale') . '</strong></p></div>'; 609 615 } // end of Save Changes 610 if (null != (filter_var($ _POST["Submit"],FILTER_SANITIZE_STRING )) && strcmp(filter_var($_POST["Submit"],FILTER_SANITIZE_STRING ), esc_attr('Validate Username')) == 0) {611 if (!null != (filter_var($ _POST['rnu_update_setting'],FILTER_SANITIZE_STRING ))) die("<br><br>Hmm .. looks like you didn't send any credentials.. No CSRF for you! ");612 if (!wp_verify_nonce(filter_var($ _POST['rnu_update_setting'],FILTER_SANITIZE_STRING ),'rnu-update-setting')) die("<br><br>Hmm .. looks like you didn't send any credentials.. No can do for you! 
");613 $rnu_username_validation_pattern = filter_var($ _POST["rnu_username_validation_pattern"],FILTER_SANITIZE_STRING );614 $rnu_username = filter_var($ _POST["rnu_username"],FILTER_SANITIZE_STRING );616 if (null != (filter_var($FILTERED_POST["Submit"],FILTER_SANITIZE_STRING )) && strcmp(filter_var($FILTERED_POST["Submit"],FILTER_SANITIZE_STRING ), esc_attr('Validate Username')) == 0) { 617 if (!null != (filter_var($FILTERED_POST['rnu_update_setting'],FILTER_SANITIZE_STRING ))) die("<br><br>Hmm .. looks like you didn't send any credentials.. No CSRF for you! "); 618 if (!wp_verify_nonce(filter_var($FILTERED_POST['rnu_update_setting'],FILTER_SANITIZE_STRING ),'rnu-update-setting')) die("<br><br>Hmm .. looks like you didn't send any credentials.. No can do for you! "); 619 $rnu_username_validation_pattern = filter_var($FILTERED_POST["rnu_username_validation_pattern"],FILTER_SANITIZE_STRING ); 620 $rnu_username = filter_var($FILTERED_POST["rnu_username"],FILTER_SANITIZE_STRING ); 615 621 if (preg_match("/^" . $rnu_username_validation_pattern . "$/", $rnu_username)) { // server side validation, in case JavaScript was off 616 622 echo '<div class="updated"><p><strong>' . __('Username') . ': "' . $rnu_username . '" ' . __('matches the pattern') . ': ' . $rnu_username_validation_pattern . '</strong></p></div>'; … … 875 881 } 876 882 883 function filter_either($original_variable, $filter_type = FILTER_SANITIZE_STRING) { 884 /* This recursive function serves to sanitize varibles, particuly the $_POST variables. 885 * However, it can be used with any variable and can optionally include any of the 886 * options and flags associated with the filter_var or filter_array functions. 
887 888 Some Possible options and flags: 889 FILTER_FLAG_NO_ENCODE_QUOTES - Do not encode quotes 890 FILTER_FLAG_STRIP_LOW - Remove characters with ASCII value < 32 891 FILTER_FLAG_STRIP_HIGH - Remove characters with ASCII value > 127 892 FILTER_FLAG_ENCODE_LOW - Encode characters with ASCII value < 32 893 FILTER_FLAG_ENCODE_HIGH - Encode characters with ASCII value > 127 894 FILTER_FLAG_ENCODE_AMP - Encode the "&" character to & 895 */ 896 if (isset($original_variable) ) { 897 if (is_array($original_variable)) { 898 foreach ($original_variable as $inner_child => $inner_value) { 899 $original_variable[$inner_child] = self::filter_either($inner_value); 900 } 901 } else { 902 $original_variable = (filter_var($original_variable,$filter_type ) ); // Actual sanitize done here!!! 903 } 904 } 905 return $original_variable; 906 } 907 877 908 function wpse9876_download_csv() 909 878 910 { 879 911 global $wpdb; 912 $FILTERED_POST = self::filter_either($_POST); 880 913 $debug_csv = false; 881 914 if ($debug_csv) … … 894 927 wp_register_script('read-and-understood-scripts', plugins_url('js/rnu_javascript.js', __FILE__ )); 895 928 wp_enqueue_script('read-and-understood-scripts'); 896 if (isset($ _POST['rnu_ExportBtn'])) {897 foreach ($ _POST as $opt_name => $opt_val) {929 if (isset($FILTERED_POST['rnu_ExportBtn'])) { 930 foreach ($FILTERED_POST as $opt_name => $opt_val) { 898 931 if (strpos($opt_name, $this->shortname) === 0) { 899 932 $$opt_name = filter_var($opt_val,FILTER_SANITIZE_STRING ); // double $$ means set the variable that is named ... to the value … … 1089 1122 { 1090 1123 global $wpdb; 1124 $FILTERED_POST = self::filter_either($_POST); 1125 1091 1126 $rnu_ack_tablename = $wpdb->prefix . 
"rnu_acknowledgements"; 1092 1127 $this->export_warning_msg = ""; // resets the export warning … … 1102 1137 wp_enqueue_script('read-and-understood-scripts'); 1103 1138 1104 if (null != (filter_var($ _POST['rnu_ExportBtn'],FILTER_SANITIZE_STRING ))) {1105 foreach ($ _POST as $opt_name => $opt_val) {1139 if (null != (filter_var($FILTERED_POST['rnu_ExportBtn'],FILTER_SANITIZE_STRING ))) { 1140 foreach ($FILTERED_POST as $opt_name => $opt_val) { 1106 1141 if (strpos($opt_name, $this->shortname) === 0) { 1107 1142 $$opt_name = filter_var($opt_val,FILTER_SANITIZE_STRING ); // double $$ means set the variable that is named ... to the value -
read-and-understood/trunk/readme.txt
r1846382 r1847887 5 5 Requires at least: 3.0 6 6 7 Stable tag: 2. 37 Stable tag: 2.4 8 8 9 9 Tested up to: 4.9.4 … … 13 13 License URI: http://www.gnu.org/licenses/gpl-2.0.html 14 14 15 Tags: Acknowledgment, Acknowledgement, Ac countability, Mantos, Acknowledge, Read, Understood, Understand, Memo15 Tags: Acknowledgment, Acknowledgement, Acknowlegement, Accountability, Mantos, Acknowledge, Acknowlege, Read, Understood, Understand, Memo 16 16 17 17 == Upgrade Notice == 18 V2.4 No functional changes or security improvements. Changed to conform to undocumented coding-style preferences. 19 18 20 V2.3 Better sanitization of arguments coming in from POST and written to DB 19 21 Better job using nonce. … … 154 156 == Changelog == 155 157 158 = 2.4 = 159 * No functional changes or security improvements. Changed to conform to undocumented coding-style preferences. 160 156 161 = 2.3 = 157 162 * (Security) Better sanitization of arguments coming in from POST and written to DB