Context Navigation

← Previous Changeset
Next Changeset →

Changeset 2804133

Timestamp:

10/25/2022 09:43:23 PM (3 years ago)

Author:

resmushit

Message:

release 0.4.7 : CSRF protection

Location:

resmushit-image-optimizer/trunk

Files:

: 5 edited

classes/resmushitUI.class.php (modified) (10 diffs)
js/script.js (modified) (8 diffs)
readme.txt (modified) (2 diffs)
resmushit.php (modified) (9 diffs)
resmushit.settings.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

resmushit-image-optimizer/trunk/classes/resmushitUI.class.php

-                      r2784230
+                      r2804133
+        }
         echo wp_kses_post("<div class='rsmt-bulk'><div class='non-optimized-wrapper $additionnalClassNeedOptimization'><h3 class='icon_message warning'>");
+        echo wp_kses_post("<div class='rsmt-bulk' data-csrf='" . wp_create_nonce( 'bulk_process_image' ) . "'><div class='non-optimized-wrapper $additionnalClassNeedOptimization'><h3 class='icon_message warning'>");
         if(get_option('resmushit_cron') && get_option('resmushit_cron') == 1) {
             echo  wp_kses_post("<em>$countNonOptimizedPictures "
 …
             )));
         echo wp_kses("</p><p class='submit' id='bulk-resize-examine-button'><button class='button-primary' onclick='resmushit_bulk_resize(\"bulk_resize_image_list\");'>", $allowed_html);
+        echo wp_kses("</p><p class='submit' id='bulk-resize-examine-button'><button class='button-primary' onclick='resmushit_bulk_resize(\"bulk_resize_image_list\", \"" . wp_create_nonce( 'bulk_resize' ) . "\");'>", $allowed_html);
         if(get_option('resmushit_cron') && get_option('resmushit_cron') == 1) {
 …
             'value'      => array(),
             'class'      => array(),
+            'name'      => array()
+            'name'      => array(),
+            'data-csrf'      => array(),
         )));
 …
             . __('Warning! By clicking the button below, you will restore all the original pictures, as before reSmush.it Image Optimizer installation. You will not have your pictures optimized! We strongly advice to be sure to have a complete backup of your website before performing this action', 'resmushit-image-optimizer')
             . '</strong></p><p>'
             . '<input type="button" value="'. __('Restore ALL my original pictures', 'resmushit-image-optimizer') .'" class="rsmt-trigger--restore-backup-files button media-button  select-mode-toggle-button" name="resmushit" class="button wp-smush-send" />'
+            . '<input type="button" data-csrf="'. wp_create_nonce( 'restore_library' ) .'" value="'. __('Restore ALL my original pictures', 'resmushit-image-optimizer') .'" class="rsmt-trigger--restore-backup-files button media-button  select-mode-toggle-button" name="resmushit" class="button wp-smush-send" />'
             . '</div>', $allowed_html);
         self::fullWidthPanelEndWrapper();
 …
                     'class'      => array(),
                     'name'      => array(),
+                    'data-csrf'      => array()
                 )));
                 echo wp_kses("<div class='rsmt-alert'>"
 …
                 . sprintf( __( 'We have found %s files ready to be removed', 'resmushit-image-optimizer' ), count(detect_unsmushed_files()) )
                 . '</p><p>'
                 . '<input type="button" value="'. __('Remove backup files', 'resmushit-image-optimizer') .'" class="rsmt-trigger--remove-backup-files button media-button  select-mode-toggle-button" name="resmushit" class="button wp-smush-send" />'
+                . '<input type="button" value="'. __('Remove backup files', 'resmushit-image-optimizer') .'" data-csrf="'. wp_create_nonce( 'remove_backup' ) .'" class="rsmt-trigger--remove-backup-files button media-button  select-mode-toggle-button" name="resmushit" class="button wp-smush-send" />'
                 . "</div>", $allowed_html);
+            }
 …
             $attachment_resmushit_disabled = 'checked';
         $output = '<input type="checkbox" data-attachment-id="'. $id .'"" class="rsmt-trigger--disabled-checkbox" '. $attachment_resmushit_disabled .'  />';
+        $output = '<input type="checkbox" data-attachment-id="'. $id .'"" data-csrf="'. wp_create_nonce( 'single_attachment' ) .'"" class="rsmt-trigger--disabled-checkbox" '. $attachment_resmushit_disabled .'  />';
         if($return)
 …
             'input' => array(
                 'type'      => array(),
                 'data-attachment-id'      => array(),
+                'data-*'      => array(),
                 'checked'   => array(),
         ));
 …
+        }
         else if(reSmushit::getAttachmentQuality($attachment_id) != reSmushit::getPictureQualitySetting())
             $output = '<input type="button" value="'. __('Optimize', 'resmushit-image-optimizer') .'" class="rsmt-trigger--optimize-attachment button media-button  select-mode-toggle-button" name="resmushit" data-attachment-id="'. $attachment_id .'" class="button wp-smush-send" />';
+            $output = '<input type="button" data-csrf="' . wp_create_nonce( 'single_attachment' ) . '" value="'. __('Optimize', 'resmushit-image-optimizer') .'" class="rsmt-trigger--optimize-attachment button media-button  select-mode-toggle-button" name="resmushit" data-attachment-id="'. $attachment_id .'" class="button wp-smush-send" />';
         else{
             $statistics = reSmushit::getStatistics($attachment_id);
             $output = __('Reduced by', 'resmushit-image-optimizer') . " ". $statistics['total_saved_size_nice'] ." (". $statistics['percent_reduction'] . ' ' . __('saved', 'resmushit-image-optimizer') . ")";
             $output .= '<input type="button" value="'. __('Force re-optimize', 'resmushit-image-optimizer') .'" class="rsmt-trigger--optimize-attachment button media-button  select-mode-toggle-button" name="resmushit" data-attachment-id="'. $attachment_id .'" class="button wp-smush-send" />';
+            $output .= '<input type="button" data-csrf="' . wp_create_nonce( 'single_attachment' ) . '" value="'. __('Force re-optimize', 'resmushit-image-optimizer') .'" class="rsmt-trigger--optimize-attachment button media-button  select-mode-toggle-button" name="resmushit" data-attachment-id="'. $attachment_id .'" class="button wp-smush-send" />';
+        }
 …
                 'class'      => array(),
                 'name'      => array(),
                 'data-attachment-id'      => array(),
+                'data-*'      => array(),
                 'checked'   => array(),
         )));

resmushit-image-optimizer/trunk/js/script.js

-                      r2528324
+                      r2804133
 function resmushit_bulk_process(bulk, item){
     var error_occured = false;
+    var csrf_token = jQuery('.rsmt-bulk').attr('data-csrf');
     jQuery.post(
         ajaxurl, {
             action: 'resmushit_bulk_process_image',
+            data: bulk[item]
+            data: bulk[item],
+            csrf: csrf_token
         },
         function(response) {
 …
  * @param string the id of the html element into which results will be appended
  */
 function resmushit_bulk_resize(container_id) {
+function resmushit_bulk_resize(container_id, csrf_token) {
     container = jQuery('#'+container_id);
     container.html('<div id="bulk_resize_target">');
 …
             jQuery.post(
                 ajaxurl,
                 { action: 'resmushit_bulk_get_images' },
+                { action: 'resmushit_bulk_get_images', csrf: csrf_token },
                 function(response) {
+                    var images = JSON.parse(response);
+                    if (images.nonoptimized.length > 0) {
+                    var images = JSON.parse(response);
+                    if (images.hasOwnProperty('error')) {
+                        target.html('<div>' + images.error + '.</div>');
+                    } else if (images.hasOwnProperty('nonoptimized') && images.nonoptimized.length > 0) {
                         bulkTotalimages = images.nonoptimized.length;
                         target.html('<div class="loading--bulk"><span class="loader"></span><br />' + bulkTotalimages + ' attachment(s) found, starting optimization...</div>');
 …
  */
 function updateStatistics() {
+    var csrf_token = jQuery('.rsmt-bulk').attr('data-csrf');
     jQuery.post(
         ajaxurl, {
+            action: 'resmushit_update_statistics'
+            action: 'resmushit_update_statistics',
+            csrf: csrf_token
         },
         function(response) {
 …
         var disabledState = jQuery(current).is(':checked');
         var postID = jQuery(current).attr('data-attachment-id');
+        var csrfToken = jQuery(current).attr('data-csrf');
         jQuery.post(
             ajaxurl, {
                 action: 'resmushit_update_disabled_state',
                 data: {id: postID, disabled: disabledState}
+                data: {id: postID, disabled: disabledState, csrf: csrfToken}
             },
             function(response) {
 …
         var disabledState = jQuery(current).is(':checked');
         var postID = jQuery(current).attr('data-attachment-id');
+        var csrf_token = jQuery(current).attr('data-csrf');
         jQuery.post(
             ajaxurl, {
                 action: 'resmushit_optimize_single_attachment',
                 data: {id: postID}
+                data: {id: postID, csrf: csrf_token}
             },
             function(response) {
 …
             jQuery(current).val('Removing backups...');
             jQuery(current).prop('disabled', true);
+            var csrf_token = jQuery(current).attr('data-csrf');
             jQuery.post(
                 ajaxurl, {
+                    action: 'resmushit_remove_backup_files'
+                    action: 'resmushit_remove_backup_files',
+                    csrf: csrf_token
                 },
                 function(response) {
 …
             jQuery(current).val('Restoring backups...');
             jQuery(current).prop('disabled', true);
+            var csrf_token = jQuery(current).attr('data-csrf');
             jQuery.post(
                 ajaxurl, {
+                    action: 'resmushit_restore_backup_files'
+                    action: 'resmushit_restore_backup_files',
+                    csrf: csrf_token
                 },
                 function(response) {

resmushit-image-optimizer/trunk/readme.txt

-                      r2784230
+                      r2804133
 Tags: image, optimizer, image optimization, resmush.it, smush, jpg, png, gif, optimization, compression, Compress, Images, Pictures, Reduce Image Size, Smush, Smush.it
 Requires at least: 4.0.0
 Tested up to: 6.0.2
 Stable tag: 0.4.6
+Tested up to: 6.0.3
+Stable tag: 0.4.7
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 The FREE Image Optimizer which will compress your pictures and improve your SEO & performances by using reSmush.it, the 10+ billion images API optimizer.
+The FREE Image Optimizer which will compress your pictures and improve your SEO & performances by using reSmush.it, the 20+ billion images API optimizer.
 == Description ==
 …
 == Changelog ==
+= 0.4.7 =
+* Security fixes : CSRF protection for Ajax Calls
 = 0.4.6 =

resmushit-image-optimizer/trunk/resmushit.php

-                      r2784230
+                      r2804133
  * Plugin URI:        https://wordpress.org/plugins/resmushit-image-optimizer/
  * Description:       Image Optimization API. Provides image size optimization
  * Version:           0.4.6
  * Timestamp:         2022.09.13
+ * Version:           0.4.7
+ * Timestamp:         2022.10.25
  * Author:            reSmush.it
  * Author URI:        https://resmush.it
 …
 require('resmushit.inc.php');
+require_once( ABSPATH . 'wp-includes/pluggable.php' );
 /**
+*
 …
 */
 function resmushit_bulk_get_images() {
+    if ( !isset($_REQUEST['csrf']) || ! wp_verify_nonce( $_REQUEST['csrf'], 'bulk_resize' ) ) {
+        wp_send_json(json_encode(array('error' => 'Invalid CSRF token')));
+        die();
+    }
     if(!is_super_admin() && !current_user_can('administrator')) {
         wp_send_json(json_encode(array('error' => 'User must be at least administrator to retrieve these data')));
 …
 */
 function resmushit_update_disabled_state() {
+    if ( !isset($_REQUEST['data']['csrf']) || ! wp_verify_nonce( $_REQUEST['data']['csrf'], 'single_attachment' ) ) {
+        wp_send_json(json_encode(array('error' => 'Invalid CSRF token')));
+        die();
+    }
     if(!is_super_admin() && !current_user_can('administrator')) {
         wp_send_json(json_encode(array('error' => 'User must be at least administrator to retrieve these data')));
 …
 */
 function resmushit_optimize_single_attachment() {
+    if ( !isset($_REQUEST['data']['csrf']) || ! wp_verify_nonce( $_REQUEST['data']['csrf'], 'single_attachment' ) ) {
+        wp_send_json(json_encode(array('error' => 'Invalid CSRF token')));
+        die();
+    }
     if(!is_super_admin() && !current_user_can('administrator')) {
         wp_send_json(json_encode(array('error' => 'User must be at least administrator to retrieve these data')));
 …
 */
 function resmushit_bulk_process_image() {
+    if ( !isset($_REQUEST['csrf']) || ! wp_verify_nonce( $_REQUEST['csrf'], 'bulk_process_image' ) ) {
+        wp_send_json(json_encode(array('error' => 'Invalid CSRF token')));
+        die();
+    }
     if(!is_super_admin() && !current_user_can('administrator')) {
         wp_send_json(json_encode(array('error' => 'User must be at least administrator to retrieve these data')));
 …
 */
 function resmushit_update_statistics() {
+    if ( !isset($_REQUEST['csrf']) || ! wp_verify_nonce( $_REQUEST['csrf'], 'bulk_process_image' ) ) {
+        wp_send_json(json_encode(array('error' => 'Invalid CSRF token')));
+        die();
+    }
     if(!is_super_admin() && !current_user_can('administrator')) {
         wp_send_json(json_encode(array('error' => 'User must be at least administrator to retrieve these data')));
 …
 function resmushit_remove_backup_files() {
     $return = array('success' => 0);
+    if ( !isset($_REQUEST['csrf']) || ! wp_verify_nonce( $_REQUEST['csrf'], 'remove_backup' ) ) {
+        wp_send_json(json_encode(array('error' => 'Invalid CSRF token')));
+        die();
+    }
     if(!is_super_admin() && !current_user_can('administrator')) {
         wp_send_json(json_encode(array('error' => 'User must be at least administrator to retrieve these data')));
 …
 */
 function resmushit_restore_backup_files() {
+    if ( !isset($_REQUEST['csrf']) || ! wp_verify_nonce( $_REQUEST['csrf'], 'restore_library' ) ) {
+        wp_send_json(json_encode(array('error' => 'Invalid CSRF token')));
+        die();
+    }
     if(!is_super_admin() && !current_user_can('administrator')) {
         wp_send_json(json_encode(array('error' => 'User must be at least administrator to retrieve these data')));

resmushit-image-optimizer/trunk/resmushit.settings.php

r2784230	r2804133
2	2
3	3	define('RESMUSHIT_ENDPOINT', 'http://api.resmush.it/');
4		define('RESMUSHIT_VERSION', '0.4.6');
	4	define('RESMUSHIT_VERSION', '0.4.7');
5	5	define('RESMUSHIT_DEFAULT_QLTY', '92');
6	6	define('RESMUSHIT_TIMEOUT', '10');

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: