Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3412265

Timestamp:

12/05/2025 02:23:08 PM (4 months ago)

Author:

Milmor

Message:

Update to version 1.8.2 from GitHub

Location:

anac-xml-viewer

Files:

: 4 edited
: 1 copied

tags/1.8.2 (copied) (copied from anac-xml-viewer/trunk)
tags/1.8.2/anac-xml-viewer.php (modified) (3 diffs)
tags/1.8.2/readme.txt (modified) (2 diffs)
trunk/anac-xml-viewer.php (modified) (3 diffs)
trunk/readme.txt (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

anac-xml-viewer/tags/1.8.2/anac-xml-viewer.php

-                      r3301629
+                      r3412265
 Description: Visualizzatore XML per file generati da applicativi esterni
 Author: Marco Milesi
 Version: 1.8.1
+Version: 1.8.2
 Author URI: https://marcomilesi.com
 */
 …
         if ( substr( $content, 0, 4 ) === "http" ) {
+            $gare_xml = new SimpleXMLElement( $content, LIBXML_NOCDATA, true );
+            $gare_xml = $this->fetch_and_load_xml( $content );
+            if ( $gare_xml === null ) {
+                echo '<div class="notice notice-error"><p>Impossibile caricare XML. Assicurarsi che l\'URL esista e che il contenuto sia XML valido.</p></div>';
+                return;
+            }
         } else {
+            $gare_xml = new SimpleXMLElement( stripslashes($content) );
+            try {
+                $gare_xml = new SimpleXMLElement( stripslashes($content) );
+            } catch ( Exception $e ) {
+                echo '<div class="notice notice-error"><p>Il contenuto inserito non è XML valido.</p></div>';
+                return;
+            }
+        }
 …
+    }
+    private function is_private_ip( $ip ) {
+        if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
+            $long = ip2long($ip);
+            $ranges = [
+                ['0.0.0.0', '0.255.255.255'],
+                ['10.0.0.0', '10.255.255.255'],
+                ['127.0.0.0', '127.255.255.255'],
+                ['169.254.0.0', '169.254.255.255'],
+                ['172.16.0.0', '172.31.255.255'],
+                ['192.168.0.0', '192.168.255.255']
+            ];
+            foreach ( $ranges as $r ) {
+                if ( $long >= ip2long($r[0]) && $long <= ip2long($r[1]) ) return true;
+            }
+            return false;
+        }
+        if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
+            if ( strpos($ip, '::1') === 0 ) return true; // localhost
+            // fc00::/7 unique local, fe80::/10 link-local
+            if ( strpos($ip, 'fc') === 0 || strpos($ip, 'fd') === 0 ) return true;
+            if ( strpos($ip, 'fe80') === 0 ) return true;
+            return false;
+        }
+        return true;
+    }
+    private function fetch_and_load_xml( $url ) {
+        if ( ! function_exists('wp_http_validate_url') || ! wp_http_validate_url( $url ) ) return null;
+        $parts = wp_parse_url( $url );
+        if ( ! $parts || ! isset($parts['scheme']) || ! in_array( strtolower($parts['scheme']), ['http','https'], true ) ) return null;
+        if ( empty($parts['host']) ) return null;
+        $host = $parts['host'];
+        $blocked_hosts = [
+            '169.254.169.254',
+            'metadata.google.internal'
+        ];
+        if ( in_array( strtolower($host), $blocked_hosts, true ) ) return null;
+        $resolved = gethostbynamel( $host );
+        if ( $resolved ) {
+            foreach ( $resolved as $ip ) {
+                if ( $this->is_private_ip( $ip ) ) return null;
+            }
+        }
+        $args = [
+            'timeout' => 5,
+            'redirection' => 2,
+            'headers' => [ 'Accept' => 'application/xml, text/xml; q=0.9, */*; q=0.1' ],
+        ];
+        $response = wp_remote_get( $url, $args );
+        if ( is_wp_error( $response ) ) return null;
+        $code = wp_remote_retrieve_response_code( $response );
+        if ( $code < 200 || $code >= 300 ) return null;
+        $body = wp_remote_retrieve_body( $response );
+        if ( ! $body ) return null;
+        $ctype = wp_remote_retrieve_header( $response, 'content-type' );
+        if ( $ctype && strpos( strtolower($ctype), 'xml' ) === false ) {
+            // Allow if body looks like XML even when header is wrong
+            if ( strpos( ltrim($body), '<') !== 0 ) return null;
+        }
+        libxml_use_internal_errors(true);
+        try {
+            $xml = new SimpleXMLElement( $body );
+            return $xml;
+        } catch ( Exception $e ) {
+            return null;
+        }
+    }
     public function template_redirect() {
         global $wp, $wp_query;

anac-xml-viewer/tags/1.8.2/readme.txt

-                      r3301629
+                      r3412265
 Requires at least: 4.3
 Tested up to: 6.9
 Version: 1.8.1
 Stable tag: 1.8.1
+Version: 1.8.2
+Stable tag: 1.8.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 …
 > Questa è la lista completa di tutti gli aggiornamenti, test e correzioni. Ogni volta che una nuova versione viene rilasciata assicuratevi di aggiornare il prima possibile per usufruire delle ultime migliorie!
+= 1.8.2 2025-12-05 =
+* Bugfix minori e sicurezza
 = 1.8.1 2025-05-27 =

anac-xml-viewer/trunk/anac-xml-viewer.php

-                      r3301629
+                      r3412265
 Description: Visualizzatore XML per file generati da applicativi esterni
 Author: Marco Milesi
 Version: 1.8.1
+Version: 1.8.2
 Author URI: https://marcomilesi.com
 */
 …
         if ( substr( $content, 0, 4 ) === "http" ) {
+            $gare_xml = new SimpleXMLElement( $content, LIBXML_NOCDATA, true );
+            $gare_xml = $this->fetch_and_load_xml( $content );
+            if ( $gare_xml === null ) {
+                echo '<div class="notice notice-error"><p>Impossibile caricare XML. Assicurarsi che l\'URL esista e che il contenuto sia XML valido.</p></div>';
+                return;
+            }
         } else {
+            $gare_xml = new SimpleXMLElement( stripslashes($content) );
+            try {
+                $gare_xml = new SimpleXMLElement( stripslashes($content) );
+            } catch ( Exception $e ) {
+                echo '<div class="notice notice-error"><p>Il contenuto inserito non è XML valido.</p></div>';
+                return;
+            }
+        }
 …
+    }
+    private function is_private_ip( $ip ) {
+        if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
+            $long = ip2long($ip);
+            $ranges = [
+                ['0.0.0.0', '0.255.255.255'],
+                ['10.0.0.0', '10.255.255.255'],
+                ['127.0.0.0', '127.255.255.255'],
+                ['169.254.0.0', '169.254.255.255'],
+                ['172.16.0.0', '172.31.255.255'],
+                ['192.168.0.0', '192.168.255.255']
+            ];
+            foreach ( $ranges as $r ) {
+                if ( $long >= ip2long($r[0]) && $long <= ip2long($r[1]) ) return true;
+            }
+            return false;
+        }
+        if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
+            if ( strpos($ip, '::1') === 0 ) return true; // localhost
+            // fc00::/7 unique local, fe80::/10 link-local
+            if ( strpos($ip, 'fc') === 0 || strpos($ip, 'fd') === 0 ) return true;
+            if ( strpos($ip, 'fe80') === 0 ) return true;
+            return false;
+        }
+        return true;
+    }
+    private function fetch_and_load_xml( $url ) {
+        if ( ! function_exists('wp_http_validate_url') || ! wp_http_validate_url( $url ) ) return null;
+        $parts = wp_parse_url( $url );
+        if ( ! $parts || ! isset($parts['scheme']) || ! in_array( strtolower($parts['scheme']), ['http','https'], true ) ) return null;
+        if ( empty($parts['host']) ) return null;
+        $host = $parts['host'];
+        $blocked_hosts = [
+            '169.254.169.254',
+            'metadata.google.internal'
+        ];
+        if ( in_array( strtolower($host), $blocked_hosts, true ) ) return null;
+        $resolved = gethostbynamel( $host );
+        if ( $resolved ) {
+            foreach ( $resolved as $ip ) {
+                if ( $this->is_private_ip( $ip ) ) return null;
+            }
+        }
+        $args = [
+            'timeout' => 5,
+            'redirection' => 2,
+            'headers' => [ 'Accept' => 'application/xml, text/xml; q=0.9, */*; q=0.1' ],
+        ];
+        $response = wp_remote_get( $url, $args );
+        if ( is_wp_error( $response ) ) return null;
+        $code = wp_remote_retrieve_response_code( $response );
+        if ( $code < 200 || $code >= 300 ) return null;
+        $body = wp_remote_retrieve_body( $response );
+        if ( ! $body ) return null;
+        $ctype = wp_remote_retrieve_header( $response, 'content-type' );
+        if ( $ctype && strpos( strtolower($ctype), 'xml' ) === false ) {
+            // Allow if body looks like XML even when header is wrong
+            if ( strpos( ltrim($body), '<') !== 0 ) return null;
+        }
+        libxml_use_internal_errors(true);
+        try {
+            $xml = new SimpleXMLElement( $body );
+            return $xml;
+        } catch ( Exception $e ) {
+            return null;
+        }
+    }
     public function template_redirect() {
         global $wp, $wp_query;

anac-xml-viewer/trunk/readme.txt

-                      r3301629
+                      r3412265
 Requires at least: 4.3
 Tested up to: 6.9
 Version: 1.8.1
 Stable tag: 1.8.1
+Version: 1.8.2
+Stable tag: 1.8.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 …
 > Questa è la lista completa di tutti gli aggiornamenti, test e correzioni. Ogni volta che una nuova versione viene rilasciata assicuratevi di aggiornare il prima possibile per usufruire delle ultime migliorie!
+= 1.8.2 2025-12-05 =
+* Bugfix minori e sicurezza
 = 1.8.1 2025-05-27 =

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory