
Changeset 3089989


Timestamp:
05/21/2024 08:06:07 AM (22 months ago)
Author:
xserverjp
Message:

v1.6.2.1 release CVE-2024-33913 fix.

Location:
xserver-migrator/trunk
Files:
1 added
3 edited

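--- a/xserver-migrator/trunk/README.txt
+++ b/xserver-migrator/trunk/README.txt
@@ -4,5 +4,5 @@
 Requires at least: 4.2.29
 Tested up to: 6.5.3
-Stable tag: 1.6.2
+Stable tag: 1.6.2.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html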
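--- a/xserver-migrator/trunk/packages/class-xserver-migrator.php
+++ b/xserver-migrator/trunk/packages/class-xserver-migrator.php
@@ -63,4 +63,8 @@
         $this->archiver = new Xserver_Migrator_Archiver();
         $this->ssl = new Xserver_Migrator_SSL();
+        if ( is_admin() ) {
+            $this->admin = new Xserver_Migrator_Admin();
+            $this->admin->activate();
+        }
     }
 
@@ -95,4 +99,6 @@
         // SSL
         require_once XSERVER_MIGRATOR_PLUGIN_DIR . 'packages' . DIRECTORY_SEPARATOR . 'class-xserver-migrator-ssl.php';
+        // Admin menu
+        require_once XSERVER_MIGRATOR_PLUGIN_DIR . 'packages' . DIRECTORY_SEPARATOR . 'class-xserver-migrator-admin.php';
         // DB dumper
         require_once XSERVER_MIGRATOR_PLUGIN_DIR . 'packages' . DIRECTORY_SEPARATOR . 'database' . DIRECTORY_SEPARATOR . 'class-xserver-migrator-database-dumper.php';
@@ -146,4 +152,8 @@
     public function execute()
     {
+        if ( ! check_ajax_referer( 'xserver_migrator_execute', '_secure', false ) ) {
+            Xserver_Migrator_Response::error( 'Invalid access', 'archive', 403 );
+        }
+
         // 検証
         $this->validate();
@@ -173,4 +183,8 @@
     public function get_versions_and_db_size()
     {
+        if ( ! check_ajax_referer( 'xserver_migrator_get_versions', '_secure', false ) ) {
+            Xserver_Migrator_Response::error( 'Invalid access', 'version', 403 );
+        }
+
         $versions = array(
             'php' => Xserver_Migrator_Server::php_version(),
@@ -187,4 +201,8 @@
     public function get_available_archive_methods()
     {
+        if ( ! check_ajax_referer( 'xserver_migrator_get_available', '_secure', false ) ) {
+            Xserver_Migrator_Response::error( 'Invalid access', 'methods', 403 );
+        }
+
         $methods = array(
             'zip_command' => false !== Xserver_Migrator_Server::is_available_zip_command(),
@@ -201,4 +219,8 @@
     public function get_table_prefix()
     {
+        if ( ! check_ajax_referer( 'xserver_migrator_get_table_prefix', '_secure', false ) ) {
+            Xserver_Migrator_Response::error( 'Invalid access', 'prefix', 403 );
+        }
+
         Xserver_Migrator_Response::success(Xserver_Migrator_Server::wordpress_table_prefix());
     }
@@ -209,9 +231,12 @@
     public function create_challenge_token()
     {
+        if ( ! check_ajax_referer( 'xserver_migrator_create_challenge_token', '_secure', false ) ) {
+            Xserver_Migrator_Response::error( 'Invalid access', 'challenge_token', 403 );
+        }
         if ( ! isset( $_POST['action'] ) || $_POST['action'] !== 'xserver_migrator_create_challenge_token' ) {
-            Xserver_Migrator_Response::error( 'Invalid parameter: action =' . $_POST['action'], 'challenge_token' );
-        }
-
-        $response = $this->ssl->create_file( $_POST['file_name'], $_POST['contents'] );
+            Xserver_Migrator_Response::error( 'Invalid parameter: action =' . esc_attr($_POST['action']), 'challenge_token' );
+        }
+
+        $response = $this->ssl->create_file( esc_attr($_POST['file_name']), esc_attr($_POST['contents']) );
 
         Xserver_Migrator_Response::success( $response );
@@ -223,6 +248,9 @@
     public function delete_challenge_token()
     {
+        if ( ! check_ajax_referer( 'xserver_migrator_delete_challenge_token', '_secure', false ) ) {
+            Xserver_Migrator_Response::error( 'Invalid access', 'challenge_token', 403 );
+        }
         if ( ! isset( $_POST['action'] ) || $_POST['action'] !== 'xserver_migrator_delete_challenge_token' ) {
-            Xserver_Migrator_Response::error( 'Invalid parameter: action=' . $_POST['action'], 'challenge_token' );
+            Xserver_Migrator_Response::error( 'Invalid parameter: action=' . esc_attr($_POST['action']), 'challenge_token' );
         }
 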
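Review bot: In create_challenge_token() (new lines 237–240), `esc_attr()` is an HTML output-escaping helper, so it neither rejects path separators or `..` in `$_POST['file_name']` nor validates `$_POST['contents']`, and it will entity-encode characters such as `&` and quotes in the data handed on for writing. Both values go straight into `$this->ssl->create_file()`, whose own checks are not visible in this changeset, so I would constrain the name at this boundary, e.g. `$file_name = sanitize_file_name( wp_unslash( $_POST['file_name'] ) );`, and validate the contents against the expected token format rather than escaping them. The added `check_ajax_referer()` guards cover request forgery only; a nonce is not an authorization check, so each handler should also gate on a capability such as `current_user_can( 'manage_options' )`. Because the third argument is `false`, every guard also depends on `Xserver_Migrator_Response::error()` terminating the request, which cannot be confirmed from these hunks. The method bodies continue outside the visible hunks.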
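--- a/xserver-migrator/trunk/xserver-migrator.php
+++ b/xserver-migrator/trunk/xserver-migrator.php
@@ -16,5 +16,5 @@
  * Plugin URI:        https://ja.wordpress.org/plugins/xserver-migrator
  * Description:       エックスサーバー株式会社が提供するレンタルサーバーサービス「エックスサーバー」「wpX Speed」の「WordPress簡単移行機能」専用のプラグインです。
- * Version:           1.6.2
+ * Version:           1.6.2.1
  * Author:            XSERVER Inc.
  * Author URI:        https://www.xserver.ne.jp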