Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3399346

Timestamp:

11/20/2025 03:38:02 AM (4 months ago)

Author:

matrixaddons

Message:

Update to version 2.1.5 from GitHub

Location:

Files:

: 8 edited
: 1 copied

tags/2.1.5 (copied) (copied from easy-invoice/trunk)
tags/2.1.5/easy-invoice.php (modified) (2 diffs)
tags/2.1.5/includes/Controllers/InvoiceController.php (modified) (4 diffs)
tags/2.1.5/includes/Controllers/QuoteController.php (modified) (3 diffs)
tags/2.1.5/readme.txt (modified) (2 diffs)
trunk/easy-invoice.php (modified) (2 diffs)
trunk/includes/Controllers/InvoiceController.php (modified) (4 diffs)
trunk/includes/Controllers/QuoteController.php (modified) (3 diffs)
trunk/readme.txt (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

easy-invoice/tags/2.1.5/easy-invoice.php

-                      r3393362
+                      r3399346
  * Plugin URI: https://matrixaddons.com/plugins/easy-invoice
  * Description: A beautiful, full-featured invoicing solution for WordPress. Create professional invoices, quotes, and manage payments with ease.
  * Version: 2.1.4
+ * Version: 2.1.5
  * Author: MatrixAddons
  * Author URI: https://matrixaddons.com
 …
 // Define plugin constants.
 define( 'EASY_INVOICE_VERSION', '2.1.4' );
+define( 'EASY_INVOICE_VERSION', '2.1.5' );
 define( 'EASY_INVOICE_PLUGIN_FILE', __FILE__ );
 define( 'EASY_INVOICE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );

easy-invoice/tags/2.1.5/includes/Controllers/InvoiceController.php

-                      r3377511
+                      r3399346
+        }
         // Get template name
+        // Get template name and validate it securely
         $template = isset($_POST['template']) ? sanitize_text_field($_POST['template']) : 'standard';
+        $template = $this->validateTemplateName($template, 'invoice');
         $invoice_id = isset($_POST['invoice_id']) ? intval($_POST['invoice_id']) : 0;
+        // Get secure template file path
+        $template_file = $this->getSecureTemplatePath($template, 'invoice');
+        if (!$template_file) {
+            wp_send_json_error(array('message' => __('Invalid template', 'easy-invoice')));
+        }
         // For new invoices (no ID), just return the template without invoice data
         if ($invoice_id === 0) {
-            // Get template file path
-            $template_file = EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/' . $template . '.php';
-            if (!file_exists($template_file)) {
-                $template_file = EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/standard.php';
+            }
             // Start output buffering
             ob_start();
 …
             $formatter = null;
             include_once $template_file;
             $html = ob_get_clean();
 …
         // Initialize formatter for currency formatting
         $formatter = new \EasyInvoice\Helpers\InvoiceFormatter($invoice);
-        // Get template file path
-        $template_file = EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/' . $template . '.php';
-        if (!file_exists($template_file)) {
-            $template_file = EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/standard.php';
+        }
         // Start output buffering
 …
         // Send response
         wp_send_json_success(array('html' => $html));
+    }
+    /**
+     * Validate and sanitize template name to prevent directory traversal attacks
+     *
+     * @param string $template The template name to validate
+     * @param string $type Either 'invoice' or 'quote'
+     * @return string Validated template name or 'standard' as fallback
+     */
+    private function validateTemplateName($template, $type = 'invoice') {
+        // Whitelist of allowed template names
+        $allowed_templates = array(
+            'invoice' => array('classic', 'corporate', 'creative', 'elegant', 'legacy', 'minimal', 'modern', 'professional', 'standard'),
+            'quote' => array('legacy', 'minimal', 'minimalist', 'modern', 'standard')
+        );
+        // Strip any directory components using basename
+        $template = basename($template);
+        // Remove any file extension
+        $template = preg_replace('/\.(php|html|htm)$/i', '', $template);
+        // Remove any non-alphanumeric characters except hyphens and underscores
+        $template = preg_replace('/[^a-z0-9_-]/i', '', $template);
+        // Check if template is in whitelist
+        if (isset($allowed_templates[$type]) && in_array($template, $allowed_templates[$type], true)) {
+            return $template;
+        }
+        // Return default template if not in whitelist
+        return 'standard';
+    }
+    /**
+     * Get secure template file path with directory traversal protection
+     *
+     * @param string $template The validated template name
+     * @param string $type Either 'invoice' or 'quote'
+     * @return string|false The secure template file path or false if invalid
+     */
+    private function getSecureTemplatePath($template, $type = 'invoice') {
+        // Define template directories
+        $template_dirs = array(
+            'invoice' => EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/',
+            'quote' => EASY_INVOICE_PLUGIN_DIR . 'templates/quote-templates/'
+        );
+        if (!isset($template_dirs[$type])) {
+            return false;
+        }
+        $template_dir = $template_dirs[$type];
+        // Ensure template directory exists and is a directory
+        if (!is_dir($template_dir)) {
+            return false;
+        }
+        // Get the real path of the template directory (resolves any symlinks)
+        $real_template_dir = realpath($template_dir);
+        if ($real_template_dir === false) {
+            return false;
+        }
+        // Construct the template file path
+        $template_file = $real_template_dir . DIRECTORY_SEPARATOR . $template . '.php';
+        // Get the real path of the template file (resolves any .. or . components)
+        $real_template_file = realpath($template_file);
+        // Verify that the resolved path is within the template directory
+        // This prevents directory traversal attacks
+        if ($real_template_file === false || strpos($real_template_file, $real_template_dir) !== 0) {
+            // If template doesn't exist or is outside the directory, use default
+            $default_file = $real_template_dir . DIRECTORY_SEPARATOR . 'standard.php';
+            $real_default_file = realpath($default_file);
+            if ($real_default_file !== false && strpos($real_default_file, $real_template_dir) === 0) {
+                return $real_default_file;
+            }
+            return false;
+        }
+        // Verify the file exists and is readable
+        if (!is_file($real_template_file) || !is_readable($real_template_file)) {
+            // Fallback to standard template
+            $default_file = $real_template_dir . DIRECTORY_SEPARATOR . 'standard.php';
+            $real_default_file = realpath($default_file);
+            if ($real_default_file !== false && strpos($real_default_file, $real_template_dir) === 0 && is_file($real_default_file) && is_readable($real_default_file)) {
+                return $real_default_file;
+            }
+            return false;
+        }
+        return $real_template_file;
+    }

easy-invoice/tags/2.1.5/includes/Controllers/QuoteController.php

-                      r3393362
+                      r3399346
+        }
+        // Validate template name securely
+        $template_id = $this->validateTemplateName($template_id, 'quote');
+        // Get secure template file path
+        $template_file = $this->getSecureTemplatePath($template_id, 'quote');
+        if (!$template_file) {
+            wp_send_json_error(['message' => __('Template not found.', 'easy-invoice')]);
+        }
         // Load quote if provided
         $quote = null;
 …
+        }
-        // Check if template file exists
-        $template_file = EASY_INVOICE_PLUGIN_DIR . 'templates/quote-templates/' . $template_id . '.php';
-        if (!file_exists($template_file)) {
-            wp_send_json_error(['message' => __('Template not found.', 'easy-invoice')]);
+        }
         // Start output buffering to capture template HTML
         ob_start();
 …
         wp_send_json_success(['html' => $html]);
+    }
+    /**
+     * Validate and sanitize template name to prevent directory traversal attacks
+     *
+     * @param string $template The template name to validate
+     * @param string $type Either 'invoice' or 'quote'
+     * @return string Validated template name or 'standard' as fallback
+     */
+    private function validateTemplateName($template, $type = 'quote') {
+        // Whitelist of allowed template names
+        $allowed_templates = array(
+            'invoice' => array('classic', 'corporate', 'creative', 'elegant', 'legacy', 'minimal', 'modern', 'professional', 'standard'),
+            'quote' => array('legacy', 'minimal', 'minimalist', 'modern', 'standard')
+        );
+        // Strip any directory components using basename
+        $template = basename($template);
+        // Remove any file extension
+        $template = preg_replace('/\.(php|html|htm)$/i', '', $template);
+        // Remove any non-alphanumeric characters except hyphens and underscores
+        $template = preg_replace('/[^a-z0-9_-]/i', '', $template);
+        // Check if template is in whitelist
+        if (isset($allowed_templates[$type]) && in_array($template, $allowed_templates[$type], true)) {
+            return $template;
+        }
+        // Return default template if not in whitelist
+        return 'standard';
+    }
+    /**
+     * Get secure template file path with directory traversal protection
+     *
+     * @param string $template The validated template name
+     * @param string $type Either 'invoice' or 'quote'
+     * @return string|false The secure template file path or false if invalid
+     */
+    private function getSecureTemplatePath($template, $type = 'quote') {
+        // Define template directories
+        $template_dirs = array(
+            'invoice' => EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/',
+            'quote' => EASY_INVOICE_PLUGIN_DIR . 'templates/quote-templates/'
+        );
+        if (!isset($template_dirs[$type])) {
+            return false;
+        }
+        $template_dir = $template_dirs[$type];
+        // Ensure template directory exists and is a directory
+        if (!is_dir($template_dir)) {
+            return false;
+        }
+        // Get the real path of the template directory (resolves any symlinks)
+        $real_template_dir = realpath($template_dir);
+        if ($real_template_dir === false) {
+            return false;
+        }
+        // Construct the template file path
+        $template_file = $real_template_dir . DIRECTORY_SEPARATOR . $template . '.php';
+        // Get the real path of the template file (resolves any .. or . components)
+        $real_template_file = realpath($template_file);
+        // Verify that the resolved path is within the template directory
+        // This prevents directory traversal attacks
+        if ($real_template_file === false || strpos($real_template_file, $real_template_dir) !== 0) {
+            // If template doesn't exist or is outside the directory, use default
+            $default_file = $real_template_dir . DIRECTORY_SEPARATOR . 'standard.php';
+            $real_default_file = realpath($default_file);
+            if ($real_default_file !== false && strpos($real_default_file, $real_template_dir) === 0) {
+                return $real_default_file;
+            }
+            return false;
+        }
+        // Verify the file exists and is readable
+        if (!is_file($real_template_file) || !is_readable($real_template_file)) {
+            // Fallback to standard template
+            $default_file = $real_template_dir . DIRECTORY_SEPARATOR . 'standard.php';
+            $real_default_file = realpath($default_file);
+            if ($real_default_file !== false && strpos($real_default_file, $real_template_dir) === 0 && is_file($real_default_file) && is_readable($real_default_file)) {
+                return $real_default_file;
+            }
+            return false;
+        }
+        return $real_template_file;
+    }

easy-invoice/tags/2.1.5/readme.txt

-                      r3393362
+                      r3399346
 Tested up to: 6.8
 Requires PHP: 7.4
 Stable tag: 2.1.4
+Stable tag: 2.1.5
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 2.1.5 - 2025-11-20 =
+* Fixed - Template loading issue fixed
 = 2.1.4 - 2025-11-11 =
 * Fixed - Email issue fixed

easy-invoice/trunk/easy-invoice.php

-                      r3393362
+                      r3399346
  * Plugin URI: https://matrixaddons.com/plugins/easy-invoice
  * Description: A beautiful, full-featured invoicing solution for WordPress. Create professional invoices, quotes, and manage payments with ease.
  * Version: 2.1.4
+ * Version: 2.1.5
  * Author: MatrixAddons
  * Author URI: https://matrixaddons.com
 …
 // Define plugin constants.
 define( 'EASY_INVOICE_VERSION', '2.1.4' );
+define( 'EASY_INVOICE_VERSION', '2.1.5' );
 define( 'EASY_INVOICE_PLUGIN_FILE', __FILE__ );
 define( 'EASY_INVOICE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );

easy-invoice/trunk/includes/Controllers/InvoiceController.php

-                      r3377511
+                      r3399346
+        }
         // Get template name
+        // Get template name and validate it securely
         $template = isset($_POST['template']) ? sanitize_text_field($_POST['template']) : 'standard';
+        $template = $this->validateTemplateName($template, 'invoice');
         $invoice_id = isset($_POST['invoice_id']) ? intval($_POST['invoice_id']) : 0;
+        // Get secure template file path
+        $template_file = $this->getSecureTemplatePath($template, 'invoice');
+        if (!$template_file) {
+            wp_send_json_error(array('message' => __('Invalid template', 'easy-invoice')));
+        }
         // For new invoices (no ID), just return the template without invoice data
         if ($invoice_id === 0) {
-            // Get template file path
-            $template_file = EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/' . $template . '.php';
-            if (!file_exists($template_file)) {
-                $template_file = EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/standard.php';
+            }
             // Start output buffering
             ob_start();
 …
             $formatter = null;
             include_once $template_file;
             $html = ob_get_clean();
 …
         // Initialize formatter for currency formatting
         $formatter = new \EasyInvoice\Helpers\InvoiceFormatter($invoice);
-        // Get template file path
-        $template_file = EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/' . $template . '.php';
-        if (!file_exists($template_file)) {
-            $template_file = EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/standard.php';
+        }
         // Start output buffering
 …
         // Send response
         wp_send_json_success(array('html' => $html));
+    }
+    /**
+     * Validate and sanitize template name to prevent directory traversal attacks
+     *
+     * @param string $template The template name to validate
+     * @param string $type Either 'invoice' or 'quote'
+     * @return string Validated template name or 'standard' as fallback
+     */
+    private function validateTemplateName($template, $type = 'invoice') {
+        // Whitelist of allowed template names
+        $allowed_templates = array(
+            'invoice' => array('classic', 'corporate', 'creative', 'elegant', 'legacy', 'minimal', 'modern', 'professional', 'standard'),
+            'quote' => array('legacy', 'minimal', 'minimalist', 'modern', 'standard')
+        );
+        // Strip any directory components using basename
+        $template = basename($template);
+        // Remove any file extension
+        $template = preg_replace('/\.(php|html|htm)$/i', '', $template);
+        // Remove any non-alphanumeric characters except hyphens and underscores
+        $template = preg_replace('/[^a-z0-9_-]/i', '', $template);
+        // Check if template is in whitelist
+        if (isset($allowed_templates[$type]) && in_array($template, $allowed_templates[$type], true)) {
+            return $template;
+        }
+        // Return default template if not in whitelist
+        return 'standard';
+    }
+    /**
+     * Get secure template file path with directory traversal protection
+     *
+     * @param string $template The validated template name
+     * @param string $type Either 'invoice' or 'quote'
+     * @return string|false The secure template file path or false if invalid
+     */
+    private function getSecureTemplatePath($template, $type = 'invoice') {
+        // Define template directories
+        $template_dirs = array(
+            'invoice' => EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/',
+            'quote' => EASY_INVOICE_PLUGIN_DIR . 'templates/quote-templates/'
+        );
+        if (!isset($template_dirs[$type])) {
+            return false;
+        }
+        $template_dir = $template_dirs[$type];
+        // Ensure template directory exists and is a directory
+        if (!is_dir($template_dir)) {
+            return false;
+        }
+        // Get the real path of the template directory (resolves any symlinks)
+        $real_template_dir = realpath($template_dir);
+        if ($real_template_dir === false) {
+            return false;
+        }
+        // Construct the template file path
+        $template_file = $real_template_dir . DIRECTORY_SEPARATOR . $template . '.php';
+        // Get the real path of the template file (resolves any .. or . components)
+        $real_template_file = realpath($template_file);
+        // Verify that the resolved path is within the template directory
+        // This prevents directory traversal attacks
+        if ($real_template_file === false || strpos($real_template_file, $real_template_dir) !== 0) {
+            // If template doesn't exist or is outside the directory, use default
+            $default_file = $real_template_dir . DIRECTORY_SEPARATOR . 'standard.php';
+            $real_default_file = realpath($default_file);
+            if ($real_default_file !== false && strpos($real_default_file, $real_template_dir) === 0) {
+                return $real_default_file;
+            }
+            return false;
+        }
+        // Verify the file exists and is readable
+        if (!is_file($real_template_file) || !is_readable($real_template_file)) {
+            // Fallback to standard template
+            $default_file = $real_template_dir . DIRECTORY_SEPARATOR . 'standard.php';
+            $real_default_file = realpath($default_file);
+            if ($real_default_file !== false && strpos($real_default_file, $real_template_dir) === 0 && is_file($real_default_file) && is_readable($real_default_file)) {
+                return $real_default_file;
+            }
+            return false;
+        }
+        return $real_template_file;
+    }

easy-invoice/trunk/includes/Controllers/QuoteController.php

-                      r3393362
+                      r3399346
+        }
+        // Validate template name securely
+        $template_id = $this->validateTemplateName($template_id, 'quote');
+        // Get secure template file path
+        $template_file = $this->getSecureTemplatePath($template_id, 'quote');
+        if (!$template_file) {
+            wp_send_json_error(['message' => __('Template not found.', 'easy-invoice')]);
+        }
         // Load quote if provided
         $quote = null;
 …
+        }
-        // Check if template file exists
-        $template_file = EASY_INVOICE_PLUGIN_DIR . 'templates/quote-templates/' . $template_id . '.php';
-        if (!file_exists($template_file)) {
-            wp_send_json_error(['message' => __('Template not found.', 'easy-invoice')]);
+        }
         // Start output buffering to capture template HTML
         ob_start();
 …
         wp_send_json_success(['html' => $html]);
+    }
+    /**
+     * Validate and sanitize template name to prevent directory traversal attacks
+     *
+     * @param string $template The template name to validate
+     * @param string $type Either 'invoice' or 'quote'
+     * @return string Validated template name or 'standard' as fallback
+     */
+    private function validateTemplateName($template, $type = 'quote') {
+        // Whitelist of allowed template names
+        $allowed_templates = array(
+            'invoice' => array('classic', 'corporate', 'creative', 'elegant', 'legacy', 'minimal', 'modern', 'professional', 'standard'),
+            'quote' => array('legacy', 'minimal', 'minimalist', 'modern', 'standard')
+        );
+        // Strip any directory components using basename
+        $template = basename($template);
+        // Remove any file extension
+        $template = preg_replace('/\.(php|html|htm)$/i', '', $template);
+        // Remove any non-alphanumeric characters except hyphens and underscores
+        $template = preg_replace('/[^a-z0-9_-]/i', '', $template);
+        // Check if template is in whitelist
+        if (isset($allowed_templates[$type]) && in_array($template, $allowed_templates[$type], true)) {
+            return $template;
+        }
+        // Return default template if not in whitelist
+        return 'standard';
+    }
+    /**
+     * Get secure template file path with directory traversal protection
+     *
+     * @param string $template The validated template name
+     * @param string $type Either 'invoice' or 'quote'
+     * @return string|false The secure template file path or false if invalid
+     */
+    private function getSecureTemplatePath($template, $type = 'quote') {
+        // Define template directories
+        $template_dirs = array(
+            'invoice' => EASY_INVOICE_PLUGIN_DIR . 'templates/invoice-templates/',
+            'quote' => EASY_INVOICE_PLUGIN_DIR . 'templates/quote-templates/'
+        );
+        if (!isset($template_dirs[$type])) {
+            return false;
+        }
+        $template_dir = $template_dirs[$type];
+        // Ensure template directory exists and is a directory
+        if (!is_dir($template_dir)) {
+            return false;
+        }
+        // Get the real path of the template directory (resolves any symlinks)
+        $real_template_dir = realpath($template_dir);
+        if ($real_template_dir === false) {
+            return false;
+        }
+        // Construct the template file path
+        $template_file = $real_template_dir . DIRECTORY_SEPARATOR . $template . '.php';
+        // Get the real path of the template file (resolves any .. or . components)
+        $real_template_file = realpath($template_file);
+        // Verify that the resolved path is within the template directory
+        // This prevents directory traversal attacks
+        if ($real_template_file === false || strpos($real_template_file, $real_template_dir) !== 0) {
+            // If template doesn't exist or is outside the directory, use default
+            $default_file = $real_template_dir . DIRECTORY_SEPARATOR . 'standard.php';
+            $real_default_file = realpath($default_file);
+            if ($real_default_file !== false && strpos($real_default_file, $real_template_dir) === 0) {
+                return $real_default_file;
+            }
+            return false;
+        }
+        // Verify the file exists and is readable
+        if (!is_file($real_template_file) || !is_readable($real_template_file)) {
+            // Fallback to standard template
+            $default_file = $real_template_dir . DIRECTORY_SEPARATOR . 'standard.php';
+            $real_default_file = realpath($default_file);
+            if ($real_default_file !== false && strpos($real_default_file, $real_template_dir) === 0 && is_file($real_default_file) && is_readable($real_default_file)) {
+                return $real_default_file;
+            }
+            return false;
+        }
+        return $real_template_file;
+    }

easy-invoice/trunk/readme.txt

-                      r3393362
+                      r3399346
 Tested up to: 6.8
 Requires PHP: 7.4
 Stable tag: 2.1.4
+Stable tag: 2.1.5
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 2.1.5 - 2025-11-20 =
+* Fixed - Template loading issue fixed
 = 2.1.4 - 2025-11-11 =
 * Fixed - Email issue fixed

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: