Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3495827

Timestamp:

03/31/2026 04:26:18 PM (5 days ago)

Author:

edge22

Message:

Update to version 2.2.1 from GitHub

Location:

generateblocks

Files:

: 14 edited
: 1 copied

tags/2.2.1 (copied) (copied from generateblocks/trunk)
tags/2.2.1/includes/class-meta-handler.php (modified) (2 diffs)
tags/2.2.1/includes/class-query-utils.php (modified) (2 diffs)
tags/2.2.1/includes/dynamic-tags/class-dynamic-tag-callbacks.php (modified) (1 diff)
tags/2.2.1/includes/dynamic-tags/class-dynamic-tags.php (modified) (3 diffs)
tags/2.2.1/package.json (modified) (1 diff)
tags/2.2.1/plugin.php (modified) (2 diffs)
tags/2.2.1/readme.txt (modified) (2 diffs)
trunk/includes/class-meta-handler.php (modified) (2 diffs)
trunk/includes/class-query-utils.php (modified) (2 diffs)
trunk/includes/dynamic-tags/class-dynamic-tag-callbacks.php (modified) (1 diff)
trunk/includes/dynamic-tags/class-dynamic-tags.php (modified) (3 diffs)
trunk/package.json (modified) (1 diff)
trunk/plugin.php (modified) (2 diffs)
trunk/readme.txt (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

generateblocks/tags/2.2.1/includes/class-meta-handler.php

-                      r3415721
+                      r3495827
             if ( 'get_post_meta' === $callable ) {
+                if ( is_numeric( $id ) && ! current_user_can( 'read_post', (int) $id ) ) {
+                    return '';
+                }
                 if ( is_protected_meta( $key, 'post' ) ) {
                     return '';
 …
+        }
+        // Require list_users capability to access other users' meta.
+        if ( $id !== $current_id && ! current_user_can( 'list_users' ) ) {
+            return rest_ensure_response(
+                new WP_Error(
+                    'rest_forbidden',
+                    __( 'Sorry, you are not allowed to access this user\'s meta.', 'generateblocks' ),
+                    array( 'status' => rest_authorization_required_code() )
+                )
+            );
+        }
         $key         = $request->get_param( 'key' );
         $single_only = true;

generateblocks/tags/2.2.1/includes/class-query-utils.php

-                      r3415721
+                      r3495827
         $args = $request->get_param( 'args' ) ?? [];
+        // Sanitize dangerous query args for users without list_users capability.
+        if ( ! current_user_can( 'list_users' ) ) {
+            unset( $args['meta_query'] );
+            unset( $args['meta_key'] );
+            unset( $args['meta_value'] );
+            unset( $args['meta_compare'] );
+        }
         if ( ! isset( $args['number'] ) ) {
             $args['number'] = 150;
 …
                     unset( $user->data->user_login );
                     unset( $user->data->user_email );
+                    // Remove capability data to prevent role enumeration.
+                    unset( $user->caps );
+                    unset( $user->allcaps );
+                }

generateblocks/tags/2.2.1/includes/dynamic-tags/class-dynamic-tag-callbacks.php

-                      r3415721
+                      r3495827
                 break;
             case 'author_email':
+                if ( defined( 'REST_REQUEST' ) && REST_REQUEST && ! current_user_can( 'list_users' ) ) {
+                    break;
+                }
                 $user_id = get_post_field( 'post_author', $id );
                 $url     = 'mailto:' . get_the_author_meta( 'user_email', $user_id );

generateblocks/tags/2.2.1/includes/dynamic-tags/class-dynamic-tags.php

-                      r3415721
+                      r3495827
         $context      = $request->get_param( 'context' );
         $client_id    = $request->get_param( 'clientId' );
+        $post_id      = $context['postId'] ?? 0;
+        $post_id      = absint( $context['postId'] ?? 0 );
+        // Verify the current user can read the context post.
+        if ( $post_id && ! current_user_can( 'read_post', $post_id ) ) {
+            return rest_ensure_response( [] );
+        }
         $fallback_id  = $post_id;
         $instance     = new stdClass();
 …
         // Create a unique cache key.
         $cache_key = sprintf(
             'replacements_%s_%s_%s',
+            'replacements_%s_%s_%s_%s',
             md5( $content ),
             $client_id,
+            $post_id
+        );
+        $replacements_cache = wp_cache_get( $cache_key, 'generate_blocks_dynamic_tags' );
+            $post_id,
+            get_current_user_id()
+        );
+        $replacements_cache = wp_cache_get( $cache_key, 'generateblocks_dynamic_tags' );
         // Return the cache here if present.
 …
                 if ( 'user' === $type ) {
                     $fallback_id = get_current_user_id();
+                }
+                // Check object-level access for tags where id: refers to a post ID.
+                // Parse options using the same logic the callbacks use so the
+                // authorised ID always matches the ID used for data retrieval.
+                if ( in_array( $type, [ 'post', 'author', 'media' ], true ) ) {
+                    $tag_options_string = isset( $split_tag[1] ) ? ltrim( $split_tag[1], ' ' ) : '';
+                    $tag_options        = GenerateBlocks_Register_Dynamic_Tag::parse_options( $tag_options_string, $tag_name );
+                    $tag_post_id        = isset( $tag_options['id'] ) ? absint( $tag_options['id'] ) : 0;
+                    if ( $tag_post_id && ! current_user_can( 'read_post', $tag_post_id ) ) {
+                        $replacements[] = [
+                            'original'    => "{{{$tag}}}",
+                            'replacement' => '',
+                            'fallback'    => $fallback,
+                        ];
+                        continue;
+                    }
+                }

generateblocks/tags/2.2.1/package.json

r3415721	r3495827
1	1	{
2	2	"name": "generateblocks",
3		"version": "2.2.0",
	3	"version": "2.2.1",
4	4	"private": true,
5	5	"description": "A small collection of lightweight WordPress blocks that can accomplish nearly anything.",

generateblocks/tags/2.2.1/plugin.php

-                      r3415721
+                      r3495827
  * Author: Tom Usborne
  * Author URI: https://tomusborne.com
  * Version: 2.2.0
+ * Version: 2.2.1
  * Requires at least: 6.5
  * Requires PHP: 7.2
 …
+}
 define( 'GENERATEBLOCKS_VERSION', '2.2.0' );
+define( 'GENERATEBLOCKS_VERSION', '2.2.1' );
 define( 'GENERATEBLOCKS_DIR', plugin_dir_path( __FILE__ ) );
 define( 'GENERATEBLOCKS_DIR_URL', plugin_dir_url( __FILE__ ) );

generateblocks/tags/2.2.1/readme.txt

-                      r3415721
+                      r3495827
 Tested up to: 6.9
 Requires PHP: 7.2
 Stable tag: 2.2.0
+Stable tag: 2.2.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 2.2.1 =
+* Security: Improve dynamic tag replacement security in the editor
 = 2.2.0 =

generateblocks/trunk/includes/class-meta-handler.php

-                      r3415721
+                      r3495827
             if ( 'get_post_meta' === $callable ) {
+                if ( is_numeric( $id ) && ! current_user_can( 'read_post', (int) $id ) ) {
+                    return '';
+                }
                 if ( is_protected_meta( $key, 'post' ) ) {
                     return '';
 …
+        }
+        // Require list_users capability to access other users' meta.
+        if ( $id !== $current_id && ! current_user_can( 'list_users' ) ) {
+            return rest_ensure_response(
+                new WP_Error(
+                    'rest_forbidden',
+                    __( 'Sorry, you are not allowed to access this user\'s meta.', 'generateblocks' ),
+                    array( 'status' => rest_authorization_required_code() )
+                )
+            );
+        }
         $key         = $request->get_param( 'key' );
         $single_only = true;

generateblocks/trunk/includes/class-query-utils.php

-                      r3415721
+                      r3495827
         $args = $request->get_param( 'args' ) ?? [];
+        // Sanitize dangerous query args for users without list_users capability.
+        if ( ! current_user_can( 'list_users' ) ) {
+            unset( $args['meta_query'] );
+            unset( $args['meta_key'] );
+            unset( $args['meta_value'] );
+            unset( $args['meta_compare'] );
+        }
         if ( ! isset( $args['number'] ) ) {
             $args['number'] = 150;
 …
                     unset( $user->data->user_login );
                     unset( $user->data->user_email );
+                    // Remove capability data to prevent role enumeration.
+                    unset( $user->caps );
+                    unset( $user->allcaps );
+                }

generateblocks/trunk/includes/dynamic-tags/class-dynamic-tag-callbacks.php

-                      r3415721
+                      r3495827
                 break;
             case 'author_email':
+                if ( defined( 'REST_REQUEST' ) && REST_REQUEST && ! current_user_can( 'list_users' ) ) {
+                    break;
+                }
                 $user_id = get_post_field( 'post_author', $id );
                 $url     = 'mailto:' . get_the_author_meta( 'user_email', $user_id );

generateblocks/trunk/includes/dynamic-tags/class-dynamic-tags.php

-                      r3415721
+                      r3495827
         $context      = $request->get_param( 'context' );
         $client_id    = $request->get_param( 'clientId' );
+        $post_id      = $context['postId'] ?? 0;
+        $post_id      = absint( $context['postId'] ?? 0 );
+        // Verify the current user can read the context post.
+        if ( $post_id && ! current_user_can( 'read_post', $post_id ) ) {
+            return rest_ensure_response( [] );
+        }
         $fallback_id  = $post_id;
         $instance     = new stdClass();
 …
         // Create a unique cache key.
         $cache_key = sprintf(
             'replacements_%s_%s_%s',
+            'replacements_%s_%s_%s_%s',
             md5( $content ),
             $client_id,
+            $post_id
+        );
+        $replacements_cache = wp_cache_get( $cache_key, 'generate_blocks_dynamic_tags' );
+            $post_id,
+            get_current_user_id()
+        );
+        $replacements_cache = wp_cache_get( $cache_key, 'generateblocks_dynamic_tags' );
         // Return the cache here if present.
 …
                 if ( 'user' === $type ) {
                     $fallback_id = get_current_user_id();
+                }
+                // Check object-level access for tags where id: refers to a post ID.
+                // Parse options using the same logic the callbacks use so the
+                // authorised ID always matches the ID used for data retrieval.
+                if ( in_array( $type, [ 'post', 'author', 'media' ], true ) ) {
+                    $tag_options_string = isset( $split_tag[1] ) ? ltrim( $split_tag[1], ' ' ) : '';
+                    $tag_options        = GenerateBlocks_Register_Dynamic_Tag::parse_options( $tag_options_string, $tag_name );
+                    $tag_post_id        = isset( $tag_options['id'] ) ? absint( $tag_options['id'] ) : 0;
+                    if ( $tag_post_id && ! current_user_can( 'read_post', $tag_post_id ) ) {
+                        $replacements[] = [
+                            'original'    => "{{{$tag}}}",
+                            'replacement' => '',
+                            'fallback'    => $fallback,
+                        ];
+                        continue;
+                    }
+                }

generateblocks/trunk/package.json

r3415721	r3495827
1	1	{
2	2	"name": "generateblocks",
3		"version": "2.2.0",
	3	"version": "2.2.1",
4	4	"private": true,
5	5	"description": "A small collection of lightweight WordPress blocks that can accomplish nearly anything.",

generateblocks/trunk/plugin.php

-                      r3415721
+                      r3495827
  * Author: Tom Usborne
  * Author URI: https://tomusborne.com
  * Version: 2.2.0
+ * Version: 2.2.1
  * Requires at least: 6.5
  * Requires PHP: 7.2
 …
+}
 define( 'GENERATEBLOCKS_VERSION', '2.2.0' );
+define( 'GENERATEBLOCKS_VERSION', '2.2.1' );
 define( 'GENERATEBLOCKS_DIR', plugin_dir_path( __FILE__ ) );
 define( 'GENERATEBLOCKS_DIR_URL', plugin_dir_url( __FILE__ ) );

generateblocks/trunk/readme.txt

-                      r3415721
+                      r3495827
 Tested up to: 6.9
 Requires PHP: 7.2
 Stable tag: 2.2.0
+Stable tag: 2.2.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 2.2.1 =
+* Security: Improve dynamic tag replacement security in the editor
 = 2.2.0 =

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory