Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3263526

Timestamp:

03/28/2025 01:23:06 PM (12 months ago)

Author:

wcproducttable

Message:

v3.9.6 update

Location:

wc-product-table-lite/trunk

Files:

: 4 edited

main.php (modified) (4 diffs)
presets/presets.php (modified) (2 diffs)
query_editor_v2/query_editor_v2.php (modified) (3 diffs)
readme.txt (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

wc-product-table-lite/trunk/main.php

-                      r3231930
+                      r3263526
  * Author: WC Product Table
  * Author URI: https://profiles.wordpress.org/wcproducttable/
  * Version: 3.9.5
+ * Version: 3.9.6
+ *
  * WC requires at least: 3.4.4
  * WC tested up to: 9.6.0
+ * WC tested up to: 9.7.1
+ *
  * Text Domain: wc-product-table-pro
 …
 // define('WCPT_DEV', TRUE);
 define('WCPT_VERSION', '3.9.5');
+define('WCPT_VERSION', '3.9.6');
 define('WCPT_PLUGIN_PATH', plugin_dir_path(__FILE__));
 define('WCPT_PLUGIN_URL', plugin_dir_url(__FILE__));
 …
+}
 // refresh custom field list
+// refresh custom field list
 add_action('admin_init', 'wcpt_refresh_custom_fields');
 function wcpt_refresh_custom_fields()
 …
   if (
     is_admin() &&
+    !empty($_GET['wcpt_refresh_custom_fields'])
+    !empty($_GET['wcpt_refresh_custom_fields']) &&
+    current_user_can('manage_options') // Only allow administrators
   ) {
     delete_transient('wcpt_custom_fields');

wc-product-table-lite/trunk/presets/presets.php

-                      r3204509
+                      r3263526
 function wcpt_presets__set_preset_required_meta_flag()
+{
+  // Check if we're on the table editor page
   if (!wcpt_preset__is_table_editor_page()) {
     return;
+  }
+  // if table is new (no data) then set preset requrired meta flag
+  $post_id = $_GET['post_id'];
+  // Check if user has proper capabilities
+  if (!current_user_can('create_wc_product_tables')) {
+    return;
+  }
+  // Validate and sanitize post_id
+  if (empty($_GET['post_id']) || !is_numeric($_GET['post_id'])) {
+    return;
+  }
+  $post_id = intval($_GET['post_id']);
+  // Verify post exists and is the correct type
+  $post = get_post($post_id);
+  if (!$post || $post->post_type !== 'wc_product_table') {
+    return;
+  }
+  // If table is new (no data) then set preset required meta flag
   $table_data = get_post_meta($post_id, 'wcpt_data', true);
   if (!$table_data) {
     update_post_meta($post_id, 'wcpt_preset_required', true);
+  }
+}
 // duplicate a preset to table
 …
 function wcpt_presets__duplicate_preset_to_table()
+{
+  // Check if we're on the table editor page
   if (!wcpt_preset__is_table_editor_page()) {
     return;
+  }
+  // Check for proper authorization
   if (!current_user_can('create_wc_product_tables')) {
     exit('Unauthorized action.');
+  }
   // no preset selected yet
+    wp_die('Unauthorized action.');
+  }
+  // No preset selected yet
   if (empty($_GET['wcpt_preset'])) {
     return;
+  }
+  // Validate and sanitize post_id
+  if (empty($_GET['post_id']) || !is_numeric($_GET['post_id'])) {
+    return;
+  }
   $post_id = intval($_GET['post_id']);
+  // Verify post exists and is the correct type
+  $post = get_post($post_id);
+  if (!$post || $post->post_type !== 'wc_product_table') {
+    return;
+  }
+  // Sanitize preset slug and validate against an allowlist (better approach)
   $slug = sanitize_file_name($_GET['wcpt_preset']);
+  // preset already applied on this table
+  // You might want to create an allowlist of valid presets
+  $allowed_presets = array('blank', 'regular-table', 'list-layout'); // Add all valid presets
+  if (!in_array($slug, $allowed_presets)) {
+    wp_die('Invalid preset selected.');
+  }
+  // Preset already applied on this table
   if (!wcpt_preset__required($post_id)) {
     return;
+  }
+  // apply the preset
+  update_post_meta($post_id, 'wcpt_preset_required', false); // turn off 'preset required' flag
+  wp_update_post(
+    array(
+      'ID' => $post_id,
+      'post_title' => $slug == 'blank' ? 'New table' : ucwords(str_replace('-', ' ', $slug)),
+      'post_status' => 'publish',
+    )
+  );
+  // Apply the preset
+  update_post_meta($post_id, 'wcpt_preset_required', false); // Turn off 'preset required' flag
+  wp_update_post(array(
+    'ID' => $post_id,
+    'post_title' => $slug == 'blank' ? 'New table' : ucwords(str_replace('-', ' ', $slug)),
+    'post_status' => 'publish',
+  ));
   if ($slug !== 'blank') {
     // get data from json preset file
+    // Get data from json preset file
     $preset_path = WCPT_PLUGIN_PATH . 'presets/table/' . $slug . '.json';
+    if (realpath($preset_path) && strpos(realpath($preset_path), realpath(WCPT_PLUGIN_PATH . 'presets/table/')) === 0) {
+      $preset_json = file_get_contents($preset_path);
+    // More robust path validation to prevent directory traversal
+    $real_preset_path = realpath($preset_path);
+    $real_presets_dir = realpath(WCPT_PLUGIN_PATH . 'presets/table/');
+    if ($real_preset_path && strpos($real_preset_path, $real_presets_dir) === 0 && file_exists($real_preset_path)) {
+      $preset_json = file_get_contents($real_preset_path);
       $table_data = json_decode($preset_json, true);
+      wcpt_new_ids($table_data);
+      $table_data['id'] = $post_id;
+      update_post_meta($post_id, 'wcpt_data', addslashes(json_encode($table_data)));
+      update_post_meta($post_id, 'wcpt_preset_applied__message_required', true);
+      update_post_meta($post_id, 'wcpt_preset_applied__slug', $slug);
+      if ($table_data) {
+        wcpt_new_ids($table_data);
+        $table_data['id'] = $post_id;
+        update_post_meta($post_id, 'wcpt_data', addslashes(json_encode($table_data)));
+        update_post_meta($post_id, 'wcpt_preset_applied__message_required', true);
+        update_post_meta($post_id, 'wcpt_preset_applied__slug', $slug);
+      }
+    }
+  }

wc-product-table-lite/trunk/query_editor_v2/query_editor_v2.php

-                      r3204509
+                      r3263526
 function wcpt_qv2_reset()
+{
+  // Check if all required parameters are present
   if (
+    isset($_GET['post_type']) && $_GET['post_type'] === 'wc_product_table' &&
+    isset($_GET['page']) && $_GET['page'] === 'wcpt-edit' &&
+    isset($_GET['post_id'])
+    && isset($_GET['qv2']) && $_GET['qv2'] === "false"
+    isset($_GET['post_type']) &&
+    $_GET['post_type'] === 'wc_product_table' &&
+    isset($_GET['page']) &&
+    $_GET['page'] === 'wcpt-edit' &&
+    isset($_GET['post_id']) &&
+    isset($_GET['qv2']) &&
+    $_GET['qv2'] === "false"
   ) {
+    // provide new ids to avoid conflicts
+    if ($table_data = get_post_meta($_GET['post_id'], 'wcpt_data', true)) {
+    // Check user capability
+    if (!current_user_can('create_wc_product_tables')) {
+      wp_die('Unauthorized action.');
+    }
+    // Sanitize and validate post_id
+    $post_id = intval($_GET['post_id']);
+    // Verify post exists and is the correct type
+    $post = get_post($post_id);
+    if (!$post || $post->post_type !== 'wc_product_table') {
+      return;
+    }
+    // Provide new ids to avoid conflicts
+    $table_data = get_post_meta($post_id, 'wcpt_data', true);
+    if ($table_data) {
       $table_data = json_decode($table_data, true);
+      $table_data['query_v2'] = false;
+      update_post_meta($_GET['post_id'], 'wcpt_data', addslashes(json_encode($table_data)));
+      if (is_array($table_data)) {
+        $table_data['query_v2'] = false;
+        update_post_meta($post_id, 'wcpt_data', addslashes(json_encode($table_data)));
+      }
+    }
+  }
 …
     'wcpt_qv2/v1',
     '/terms/(?P<taxonomy_slug>[a-zA-Z0-9_-]+)',
     array (
+    array(
       'methods' => WP_REST_Server::READABLE,
       'callback' => 'wcpt_qv2_ajax_return_taxonomy_terms_with_children',
       'args' => array (
         'taxonomy_slug' => array (
+      'args' => array(
+        'taxonomy_slug' => array(
           'validate_callback' => function ($param, $request, $key) {
             return !empty ($param);
+            return !empty($param);
+          }
         ),
 …
       'permission_callback' => function (WP_REST_Request $request) {
         if (isset ($_SERVER['HTTP_X_WP_NONCE']) && wp_verify_nonce($_SERVER['HTTP_X_WP_NONCE'], 'wp_rest')) {
+        if (isset($_SERVER['HTTP_X_WP_NONCE']) && wp_verify_nonce($_SERVER['HTTP_X_WP_NONCE'], 'wp_rest')) {
           return true;
+        }
         return new WP_Error('forbidden', 'You do not have permission to access this resource.', array ('status' => 403));
+        return new WP_Error('forbidden', 'You do not have permission to access this resource.', array('status' => 403));
+      }

wc-product-table-lite/trunk/readme.txt

-                      r3231930
+                      r3263526
 == Changelog ==
+= 3.9.6 (28th March '25) =
+Fixed
+* Patched security vulnerabilities
+* WooCommerce 9.7 compatibility tag
 = 3.9.5 (30th January '25) =

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 3263526

Legend:

wc-product-table-lite/trunk/main.php

wc-product-table-lite/trunk/presets/presets.php

wc-product-table-lite/trunk/query_editor_v2/query_editor_v2.php

wc-product-table-lite/trunk/readme.txt

Download in other formats: