
Changeset 3260469


Timestamp:
03/23/2025 11:52:15 PM (10 months ago)
Author:
scheeeli
Message:
  • Due to security concerns from the WordPress plugin review team, I have removed the ability to insert evaluated PHP expressions into reports except for values of the global current_user object.
Location:
elisqlreports
Files:
2 edited
3 copied

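--- a/elisqlreports/tags/5.25.11/index.php
+++ b/elisqlreports/tags/5.25.11/index.php
@@ -6,5 +6,5 @@
 Author URI: https://supersecurehosting.com/
 Description: Create and save SQL queries, run them from the Reports tab in your Admin, place them on the Dashboard for certain User Roles, or place them on Pages and Posts using the shortcode. And keep your database safe with scheduled backups.
-Version: 5.25.10
+Version: 5.25.11
 */
 foreach (array("plugins_url", "get_option", "add_filter", "add_action", "add_shortcode", "register_activation_hook") as $func)
@@ -398,9 +398,10 @@
 function ELISQLREPORTS_eval($SQL) {
     global $current_user, $wpdb;
-    if (@preg_match_all('/<\?php[\s]*(.+?)[\s]*\?>/i', $SQL, $found)) {
+    $regex = '/<\?php\s*+(\$current_user->[\[\]\w]++)\s*+\?>/i';
+    if (@preg_match_all($regex, $SQL, $found)) {
         if (isset($found[1]) && is_array($found[1]) && count($found[1])) {
             foreach ($found[1] as $php_code)
                 eval("\$found[2][] = $php_code;");
-            $SQL = $wpdb->prepare(preg_replace('/<\?php[\s]*(.+?)[\s]*\?>/i', '%s', str_replace('%', '%%', $SQL)), $found[2]);
+            $SQL = $wpdb->prepare(preg_replace($regex, '%s', str_replace('%', '%%', $SQL)), $found[2]);
         }
     }
@@ -586,5 +587,5 @@
             $js .= '" readonly="true';
         }
-        $js .= '" value="'.$backupDB[$db_key].'"><br />';
+        $js .= '" value="'.esc_attr($backupDB[$db_key]).'"><br />';
         if (constant($db_key) != $backupDB[$db_key])
             $local = false;
@@ -597,5 +598,5 @@
                 $SQLkey = ELISQLREPORTS_query($MySQLexec);
                 if (isset($GLOBALS["ELISQLREPORTS"]["query_times"][$SQLkey]["errors"]) && $GLOBALS["ELISQLREPORTS"]["query_times"][$SQLkey]["errors"])
-                    echo "<li>".$GLOBALS["ELISQLREPORTS"]["query_times"][$SQLkey]["errors"]."</li>";
+                    echo "<li>".esc_html($GLOBALS["ELISQLREPORTS"]["query_times"][$SQLkey]["errors"])."</li>";
                 else {
                     if (preg_match('/ FROM /', $MySQLexec))
@@ -644,13 +645,13 @@
                                 $startpos = 0;
                                 while ($endpos = strpos($full_sql, ";\n", $startpos)) {
-                                    if ($sql = trim(@preg_replace("|/\*.+\*/[;\t ]*|", "", substr($full_sql, $startpos, $endpos - $startpos)).' ')) {
+                                    if ($sql = trim( substr($full_sql, $startpos, $endpos - $startpos).' ')) {
                                         if (mysqli_query($GLOBALS["ELISQLREPORTS"]["backup_connection"], $sql))
                                             $queries++;
                                         else
-                                            $errors[] = "<li>".mysqli_error($GLOBALS["ELISQLREPORTS"]["backup_connection"])."</li>";
+                                            $errors[] = "<li>ERROR: ".esc_html(mysqli_error($GLOBALS["ELISQLREPORTS"]["backup_connection"]))."</li>";
                                     }
                                     $startpos = $endpos + 2;
                                 }
-                                echo "<li>Restore Process executed $queries queries with ".count($errors).' error'.(count($errors)==1?'':'s').'!</li><br>'.implode("\n", $errors);
+                                echo "<li>Restore Process executed $queries queries with ".count($errors).' error'.(count($errors)==1?'':'s').'!</li><br>'.esc_html(implode("\n", $errors));
                             } else
                                 echo "Error Reading File: $file_sql";
@@ -664,5 +665,5 @@
                 }
             } else {
-                die($js.'<option value="'.$_POST['db_date'].'">RESTORE '.$_POST['db_date'].'</option></select><br /><input name="db_nonce" type="checkbox" value="'.wp_create_nonce($_POST['db_date']).'"> Yes, I understand that I will be completely erasing this database with my backup file.<br /><input type="submit" value="Restore Backup to Database Now!"></div></form></div></div></body></html>');
+                die($js.'<option value="'.esc_attr($_POST['db_date']).'">RESTORE '.esc_html($_POST['db_date']).'</option></select><br /><input name="db_nonce" type="checkbox" value="'.wp_create_nonce($_POST['db_date']).'"> Yes, I understand that I will be completely erasing this database and overwriting it with my backup file.<br /><input type="submit" value="Restore Backup to Database Now!"></div></form></div></div></body></html>');
             }
         } else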
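Review bot: The new regex at line 400 of ELISQLREPORTS_eval narrows what reaches eval() on line 404 to `$current_user->` followed by word characters and brackets, but the capture is still executed as PHP code; the character class does not require balanced brackets, so a malformed path now surfaces as an uncaught ParseError from eval(), and the `@` on preg_match_all hides any pattern failure as well. Since only a property followed by optional array indexes can match, the value can be resolved by walking that path explicitly and eval() dropped altogether, as sketched below; ELISQLREPORTS_eval continues past the hunk, and elisqlreports/trunk/index.php carries the identical change. Separately, the new line 655 passes `implode("\n", $errors)` through esc_html() although each entry was already escaped on line 651 and intentionally carries `<li>` markup, so the list tags will now display as literal text; keep the per-entry esc_html() and drop the outer one.
```php
            foreach ($found[1] as $php_code) {
                // Resolve "$current_user->prop[idx]..." by walking the path instead of eval()'ing it.
                // Non-scalar or missing values become '' so prepare() always receives a string.
                $path  = substr($php_code, strlen('$current_user->'));
                $parts = preg_split('/[\[\]]+/', $path, -1, PREG_SPLIT_NO_EMPTY);
                $value = $current_user;
                foreach ($parts as $i => $part) {
                    if ($i === 0) {
                        $value = is_object($value) ? $value->$part : null;
                    } elseif (is_array($value) && array_key_exists($part, $value)) {
                        $value = $value[$part];
                    } else {
                        $value = null;
                        break;
                    }
                }
                $found[2][] = is_scalar($value) ? (string) $value : '';
            }
            // … unchanged: $wpdb->prepare() substitution …
```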
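--- a/elisqlreports/tags/5.25.11/readme.txt
+++ b/elisqlreports/tags/5.25.11/readme.txt
@@ -8,6 +8,6 @@
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html#license-text
-Stable tag: 5.25.10
-Version: 5.25.10
+Stable tag: 5.25.11
+Version: 5.25.11
 Requires at least: 2.6
 Tested up to: 6.7.2
@@ -52,6 +52,5 @@
 (There are other ways to get the display name in WordPress, this is just a simple example to illustrate the proper syntax.)
 
-<textarea>SELECT * FROM wp_users WHERE user_registered > '&lt;?php $_GET[thedate] ?>'</textarea>
-(note: this example assumes you are going to pass 'thedate' as a GET variable in the query string and, as this example shows, don't use quotes inside the PHP brackets.)
+Update: Unfortunately this feature has been restricted due to security concerns from the WordPress plugin review team and so only current_user variables are available in version 5.25.11 or above no other php expressions will be evaluated.
 
 == Screenshots ==
@@ -60,4 +59,7 @@
 
 == Changelog ==
+
+= 5.25.11 =
+* Due to security concerns from the WordPress plugin review team, I have removed the ability to insert evaluated PHP expressions into reports except for values of the global current_user object.
 
 = 5.25.10 =
@@ -154,4 +156,7 @@
 == Upgrade Notice ==
 
+= 5.25.11 =
+Due to security concerns from the WordPress plugin review team, I have removed the ability to insert evaluated PHP expressions into reports except for values of the global current_user object.
+
 = 5.25.10 =
 Added Nonce Tokens to the wp-admin forms to fix CSRF in Report creation and on the plugin settings page.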
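--- a/elisqlreports/trunk/index.php
+++ b/elisqlreports/trunk/index.php
@@ -6,5 +6,5 @@
 Author URI: https://supersecurehosting.com/
 Description: Create and save SQL queries, run them from the Reports tab in your Admin, place them on the Dashboard for certain User Roles, or place them on Pages and Posts using the shortcode. And keep your database safe with scheduled backups.
-Version: 5.25.10
+Version: 5.25.11
 */
 foreach (array("plugins_url", "get_option", "add_filter", "add_action", "add_shortcode", "register_activation_hook") as $func)
@@ -398,9 +398,10 @@
 function ELISQLREPORTS_eval($SQL) {
     global $current_user, $wpdb;
-    if (@preg_match_all('/<\?php[\s]*(.+?)[\s]*\?>/i', $SQL, $found)) {
+    $regex = '/<\?php\s*+(\$current_user->[\[\]\w]++)\s*+\?>/i';
+    if (@preg_match_all($regex, $SQL, $found)) {
         if (isset($found[1]) && is_array($found[1]) && count($found[1])) {
             foreach ($found[1] as $php_code)
                 eval("\$found[2][] = $php_code;");
-            $SQL = $wpdb->prepare(preg_replace('/<\?php[\s]*(.+?)[\s]*\?>/i', '%s', str_replace('%', '%%', $SQL)), $found[2]);
+            $SQL = $wpdb->prepare(preg_replace($regex, '%s', str_replace('%', '%%', $SQL)), $found[2]);
         }
     }
@@ -586,5 +587,5 @@
             $js .= '" readonly="true';
         }
-        $js .= '" value="'.$backupDB[$db_key].'"><br />';
+        $js .= '" value="'.esc_attr($backupDB[$db_key]).'"><br />';
         if (constant($db_key) != $backupDB[$db_key])
             $local = false;
@@ -597,5 +598,5 @@
                 $SQLkey = ELISQLREPORTS_query($MySQLexec);
                 if (isset($GLOBALS["ELISQLREPORTS"]["query_times"][$SQLkey]["errors"]) && $GLOBALS["ELISQLREPORTS"]["query_times"][$SQLkey]["errors"])
-                    echo "<li>".$GLOBALS["ELISQLREPORTS"]["query_times"][$SQLkey]["errors"]."</li>";
+                    echo "<li>".esc_html($GLOBALS["ELISQLREPORTS"]["query_times"][$SQLkey]["errors"])."</li>";
                 else {
                     if (preg_match('/ FROM /', $MySQLexec))
@@ -644,13 +645,13 @@
                                 $startpos = 0;
                                 while ($endpos = strpos($full_sql, ";\n", $startpos)) {
-                                    if ($sql = trim(@preg_replace("|/\*.+\*/[;\t ]*|", "", substr($full_sql, $startpos, $endpos - $startpos)).' ')) {
+                                    if ($sql = trim( substr($full_sql, $startpos, $endpos - $startpos).' ')) {
                                         if (mysqli_query($GLOBALS["ELISQLREPORTS"]["backup_connection"], $sql))
                                             $queries++;
                                         else
-                                            $errors[] = "<li>".mysqli_error($GLOBALS["ELISQLREPORTS"]["backup_connection"])."</li>";
+                                            $errors[] = "<li>ERROR: ".esc_html(mysqli_error($GLOBALS["ELISQLREPORTS"]["backup_connection"]))."</li>";
                                     }
                                     $startpos = $endpos + 2;
                                 }
-                                echo "<li>Restore Process executed $queries queries with ".count($errors).' error'.(count($errors)==1?'':'s').'!</li><br>'.implode("\n", $errors);
+                                echo "<li>Restore Process executed $queries queries with ".count($errors).' error'.(count($errors)==1?'':'s').'!</li><br>'.esc_html(implode("\n", $errors));
                             } else
                                 echo "Error Reading File: $file_sql";
@@ -664,5 +665,5 @@
                 }
             } else {
-                die($js.'<option value="'.$_POST['db_date'].'">RESTORE '.$_POST['db_date'].'</option></select><br /><input name="db_nonce" type="checkbox" value="'.wp_create_nonce($_POST['db_date']).'"> Yes, I understand that I will be completely erasing this database with my backup file.<br /><input type="submit" value="Restore Backup to Database Now!"></div></form></div></div></body></html>');
+                die($js.'<option value="'.esc_attr($_POST['db_date']).'">RESTORE '.esc_html($_POST['db_date']).'</option></select><br /><input name="db_nonce" type="checkbox" value="'.wp_create_nonce($_POST['db_date']).'"> Yes, I understand that I will be completely erasing this database and overwriting it with my backup file.<br /><input type="submit" value="Restore Backup to Database Now!"></div></form></div></div></body></html>');
             }
         } else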
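--- a/elisqlreports/trunk/readme.txt
+++ b/elisqlreports/trunk/readme.txt
@@ -8,6 +8,6 @@
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html#license-text
-Stable tag: 5.25.10
-Version: 5.25.10
+Stable tag: 5.25.11
+Version: 5.25.11
 Requires at least: 2.6
 Tested up to: 6.7.2
@@ -52,6 +52,5 @@
 (There are other ways to get the display name in WordPress, this is just a simple example to illustrate the proper syntax.)
 
-<textarea>SELECT * FROM wp_users WHERE user_registered > '&lt;?php $_GET[thedate] ?>'</textarea>
-(note: this example assumes you are going to pass 'thedate' as a GET variable in the query string and, as this example shows, don't use quotes inside the PHP brackets.)
+Update: Unfortunately this feature has been restricted due to security concerns from the WordPress plugin review team and so only current_user variables are available in version 5.25.11 or above no other php expressions will be evaluated.
 
 == Screenshots ==
@@ -60,4 +59,7 @@
 
 == Changelog ==
+
+= 5.25.11 =
+* Due to security concerns from the WordPress plugin review team, I have removed the ability to insert evaluated PHP expressions into reports except for values of the global current_user object.
 
 = 5.25.10 =
@@ -154,4 +156,7 @@
 == Upgrade Notice ==
 
+= 5.25.11 =
+Due to security concerns from the WordPress plugin review team, I have removed the ability to insert evaluated PHP expressions into reports except for values of the global current_user object.
+
 = 5.25.10 =
 Added Nonce Tokens to the wp-admin forms to fix CSRF in Report creation and on the plugin settings page.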