diff options
| author | yehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664> | 2019-08-27 21:23:41 +0000 |
|---|---|---|
| committer | yehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664> | 2019-08-27 21:23:41 +0000 |
| commit | 6372e454198ed7a1a792b5bfd286af1178ae7d63 (patch) | |
| tree | fc8259384657cfebd76be774abd214f17eea680c | |
| parent | 69ef56ca57030e9c76e03ea937c9bdef1a4a3750 (diff) | |
| download | Post-SMTP-6372e454198ed7a1a792b5bfd286af1178ae7d63.zip | |
Security and bugs
| -rw-r--r-- | Postman/Postman-Configuration/PostmanConfigurationController.php | 2 | ||||
| -rw-r--r-- | Postman/Postman-Email-Log/PostmanEmailLogController.php | 20 | ||||
| -rw-r--r-- | Postman/Postman-Email-Log/PostmanEmailLogService.php | 2 | ||||
| -rw-r--r-- | Postman/Postman-Email-Log/PostmanEmailLogView.php | 17 | ||||
| -rw-r--r-- | Postman/Postman.php | 6 | ||||
| -rw-r--r-- | Postman/PostmanAdminController.php | 2 | ||||
| -rw-r--r-- | Postman/PostmanAjaxController.php | 2 | ||||
| -rw-r--r-- | Postman/PostmanLogFields.php | 5 | ||||
| -rw-r--r-- | Postman/PostmanPluginFeedback.php | 4 | ||||
| -rw-r--r-- | Postman/PostmanViewController.php | 2 | ||||
| -rw-r--r-- | Postman/PostmanWpMail.php | 3 | ||||
| -rw-r--r-- | postman-smtp.php | 10 |
12 files changed, 40 insertions, 35 deletions
diff --git a/Postman/Postman-Configuration/PostmanConfigurationController.php b/Postman/Postman-Configuration/PostmanConfigurationController.php index 4cade58..ee14ad8 100644 --- a/Postman/Postman-Configuration/PostmanConfigurationController.php +++ b/Postman/Postman-Configuration/PostmanConfigurationController.php @@ -608,7 +608,7 @@ class PostmanConfigurationController { Postman::getMailerTypeRecommend(); $in_wizard = true; - include_once POST_PATH . '/Postman/extra/donation.php'; + include_once POST_SMTP_PATH . '/Postman/extra/donation.php'; print '</section>'; print '</fieldset>'; diff --git a/Postman/Postman-Email-Log/PostmanEmailLogController.php b/Postman/Postman-Email-Log/PostmanEmailLogController.php index 2df2377..49f226b 100644 --- a/Postman/Postman-Email-Log/PostmanEmailLogController.php +++ b/Postman/Postman-Email-Log/PostmanEmailLogController.php @@ -91,7 +91,7 @@ class PostmanEmailLogController { $to = $meta_values ['original_to'] [0]; } - $success = wp_mail( $to, $meta_values ['original_subject'] [0], maybe_unserialize( $meta_values ['original_message'] [0] ), $meta_values ['original_headers'] [0] ); + $success = wp_mail( $to, $meta_values ['original_subject'] [0], $meta_values ['original_message'] [0], $meta_values ['original_headers'] [0] ); // Postman API: retrieve the result of sending this message from Postman $result = apply_filters( 'postman_wp_mail_result', null ); @@ -158,21 +158,21 @@ class PostmanEmailLogController { if ( PostmanUtils::isAdmin() && isset( $_REQUEST ['email_log_entry'] ) ) { $this->logger->trace( 'handling bulk action' ); if ( wp_verify_nonce( $_REQUEST ['_wpnonce'], 'bulk-email_log_entries' ) ) { - $this->logger->trace( sprintf( 'nonce "%s" passed validation', $_REQUEST ['_wpnonce'] ) ); + $this->logger->trace( sprintf( 'nonce "%s" passed validation', sanitize_text_field($_REQUEST ['_wpnonce']) ) ); if ( isset( $_REQUEST ['action'] ) && ($_REQUEST ['action'] == 'bulk_delete' || $_REQUEST ['action2'] == 'bulk_delete') ) { $this->logger->trace( sprintf( 'handling bulk delete' ) ); $purger = new PostmanEmailLogPurger(); - $postids = $_REQUEST ['email_log_entry']; + $postids = array_map( 'absint', $_REQUEST ['email_log_entry'] ); foreach ( $postids as $postid ) { $purger->verifyLogItemExistsAndRemove( $postid ); } $mh = new PostmanMessageHandler(); $mh->addMessage( __( 'Mail Log Entries were deleted.', 'post-smtp' ) ); } else { - $this->logger->warn( sprintf( 'action "%s" not recognized', $_REQUEST ['action'] ) ); + $this->logger->warn( sprintf( 'action "%s" not recognized', sanitize_text_field($_REQUEST ['action']) ) ); } } else { - $this->logger->warn( sprintf( 'nonce "%s" failed validation', $_REQUEST ['_wpnonce'] ) ); + $this->logger->warn( sprintf( 'nonce "%s" failed validation', sanitize_text_field($_REQUEST ['_wpnonce']) ) ); } $this->redirectToLogPage(); } @@ -184,15 +184,15 @@ class PostmanEmailLogController { // only do this for administrators if ( PostmanUtils::isAdmin() ) { $this->logger->trace( 'handling delete item' ); - $postid = $_REQUEST ['email']; + $postid = absint($_REQUEST ['email']); if ( wp_verify_nonce( $_REQUEST ['_wpnonce'], 'delete_email_log_item_' . $postid ) ) { - $this->logger->trace( sprintf( 'nonce "%s" passed validation', $_REQUEST ['_wpnonce'] ) ); + $this->logger->trace( sprintf( 'nonce "%s" passed validation', sanitize_text_field($_REQUEST ['_wpnonce']) ) ); $purger = new PostmanEmailLogPurger(); $purger->verifyLogItemExistsAndRemove( $postid ); $mh = new PostmanMessageHandler(); $mh->addMessage( __( 'Mail Log Entry was deleted.', 'post-smtp' ) ); } else { - $this->logger->warn( sprintf( 'nonce "%s" failed validation', $_REQUEST ['_wpnonce'] ) ); + $this->logger->warn( sprintf( 'nonce "%s" failed validation', sanitize_text_field($_REQUEST ['_wpnonce']) ) ); } $this->redirectToLogPage(); } @@ -267,7 +267,7 @@ class PostmanEmailLogController { // only do this for administrators if ( PostmanUtils::isAdmin() ) { $this->logger->trace( 'handling view transcript item' ); - $postid = $_REQUEST ['email']; + $postid = absint($_REQUEST ['email']); $post = get_post( $postid ); $meta_values = PostmanLogFields::get_instance()->get( $postid ); // https://css-tricks.com/examples/hrs/ @@ -360,7 +360,7 @@ class PostmanEmailLogController { /* Translators where (%s) is the name of the plugin */ echo sprintf( __( '%s Email Log', 'post-smtp' ), __( 'Post SMTP', 'post-smtp' ) )?></h2> - <?php include_once POST_PATH . '/Postman/extra/donation.php'; ?> + <?php include_once POST_SMTP_PATH . '/Postman/extra/donation.php'; ?> <div style="background: #ECECEC; border: 1px solid #CCC; padding: 0 10px; margin-top: 5px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px;"> diff --git a/Postman/Postman-Email-Log/PostmanEmailLogService.php b/Postman/Postman-Email-Log/PostmanEmailLogService.php index eeb25c6..1afb4fc 100644 --- a/Postman/Postman-Email-Log/PostmanEmailLogService.php +++ b/Postman/Postman-Email-Log/PostmanEmailLogService.php @@ -193,7 +193,7 @@ if ( ! class_exists( 'PostmanEmailLogService' ) ) { $message .= "\r\n" . __( 'The log to paste when you open a support issue:', 'post-smtp' ) . "\r\n"; if ( $log->statusMessage && ! empty( $log->statusMessage ) ) { - require_once POST_PATH . '/Postman/notifications/PostmanNotify.php'; + require_once POST_SMTP_PATH . '/Postman/notifications/PostmanNotify.php'; $message = $message . $log->statusMessage; diff --git a/Postman/Postman-Email-Log/PostmanEmailLogView.php b/Postman/Postman-Email-Log/PostmanEmailLogView.php index 2f78ec0..2860690 100644 --- a/Postman/Postman-Email-Log/PostmanEmailLogView.php +++ b/Postman/Postman-Email-Log/PostmanEmailLogView.php @@ -110,9 +110,10 @@ class PostmanEmailLogView extends WP_List_Table { } if ( ! (empty( $meta_values ['original_to'] [0] ) && empty( $meta_values ['originalHeaders'] [0] )) ) { // $actions ['resend'] = sprintf ( '<a href="%s">%s</a>', $resendUrl, __ ( 'Resend', 'post-smtp' ) ); - $emails = maybe_unserialize( $meta_values ['original_to'] [0] ); - $to = is_array( $emails ) ? implode( ',', $emails ) : $emails; - $actions ['resend'] = sprintf( '<span id="%3$s"><a class="postman-open-resend" href="#">%2$s</a></span><div style="display:none;"><input type="hidden" name="security" value="%6$s"><input type="text" name="mail_to" class="regular-text ltr" data-id="%1$s" value="%4$s"><button class="postman-resend button button-primary">%2$s</button><i style="color: black;">%5$s</i></div>', $item ['ID'], __( 'Resend', 'post-smtp' ), 'resend-' . $item ['ID'], esc_attr( $to ), __( 'comma-separated for multiple emails', 'post-smtp' ), wp_create_nonce( 'resend' ) ); + $emails = $meta_values ['original_to'] [0]; + $to = is_array( $emails ) ? implode( ',', array_walk($emails, 'sanitize_email') ) : sanitize_email( $emails ); + + $actions ['resend'] = sprintf( '<span id="%3$s"><a class="postman-open-resend" href="#">%2$s</a></span><div style="display:none;"><input type="hidden" name="security" value="%6$s"><input type="text" name="mail_to" class="regular-text ltr" data-id="%1$s" value="%4$s"><button class="postman-resend button button-primary">%2$s</button><i style="color: black;">%5$s</i></div>', $item ['ID'], __( 'Resend', 'post-smtp' ), 'resend-' . $item ['ID'], esc_attr( $to ), __( 'comma-separated for multiple emails', 'post-smtp' ), wp_create_nonce( 'resend' ) ); } else { $actions ['resend'] = sprintf( '%2$s', $resendUrl, __( 'Resend', 'post-smtp' ) ); } @@ -262,10 +263,8 @@ class PostmanEmailLogView extends WP_List_Table { * ************************************************************************ */ function prepare_items() { - if ( isset( $_POST['action'] ) && $_POST['action'] == 'post-smtp-filter' ) { - if ( ! wp_verify_nonce( $_REQUEST['post-smtp-log'], 'post-smtp' ) ) - die( 'Security check' ); - } + if ( ! wp_verify_nonce( $_REQUEST['post-smtp-log'], 'post-smtp' ) ) + die( 'Security check' ); /** * First, lets decide how many records per page to show @@ -396,8 +395,8 @@ class PostmanEmailLogView extends WP_List_Table { * sorting technique would be unnecessary. */ function usort_reorder( $a, $b ) { - $orderby = ( ! empty( $_REQUEST ['orderby'] )) ? $_REQUEST ['orderby'] : 'title'; // If no sort, default to title - $order = ( ! empty( $_REQUEST ['order'] )) ? $_REQUEST ['order'] : 'asc'; // If no order, default to asc + $orderby = ( ! empty( $_REQUEST ['orderby'] )) ? sanitize_text_field($_REQUEST ['orderby']) : 'title'; // If no sort, default to title + $order = ( ! empty( $_REQUEST ['order'] )) ? sanitize_text_field($_REQUEST ['order']) : 'asc'; // If no order, default to asc $result = strcmp( $a [ $orderby ], $b [ $orderby ] ); // Determine sort order return ($order === 'asc') ? $result : - $result; // Send final sort direction to usort } diff --git a/Postman/Postman.php b/Postman/Postman.php index 0f36edf..51b2ab1 100644 --- a/Postman/Postman.php +++ b/Postman/Postman.php @@ -91,7 +91,7 @@ class Postman { } if ( isset( $_REQUEST ['page'] ) && $this->logger->isTrace() ) { - $this->logger->trace( 'Current page: ' . $_REQUEST ['page'] ); + $this->logger->trace( 'Current page: ' . sanitize_text_field($_REQUEST ['page']) ); } // register the email transports @@ -369,9 +369,9 @@ class Postman { <?php _e('Post SMTP v2 includes and new feature called: <b>Mailer Type</b>.', 'post-smtp' ); ?><br> <?php _e('I highly recommend to change and <strong>TEST</strong> Post SMTP with the value <code>PHPMailer</code>.', 'post-smtp' ); ?><br> <?php _e('if it will not work properly you can change back to the default value: <code>PostSMTP</code>.', 'post-smtp' ); ?><br> - <a target="_blank" href="<?php echo POST_URL; ?>/style/images/mailer-type.gif"> + <a target="_blank" href="<?php echo POST_SMTP_URL; ?>/style/images/mailer-type.gif"> <figure> - <img width="180" src="<?php echo POST_URL; ?>/style/images/mailer-type.gif" alt="how to set mailer type"> + <img width="180" src="<?php echo POST_SMTP_URL; ?>/style/images/mailer-type.gif" alt="how to set mailer type"> <figcaption><?php _e('click to enlarge image.', 'post-smtp' ); ?></figcaption> </figure> </a> diff --git a/Postman/PostmanAdminController.php b/Postman/PostmanAdminController.php index e871821..3d0486f 100644 --- a/Postman/PostmanAdminController.php +++ b/Postman/PostmanAdminController.php @@ -328,7 +328,7 @@ if ( ! class_exists( 'PostmanAdminController' ) ) { $this->logger->debug( 'is wpnonce import-settings?' ); $success = true; if ( wp_verify_nonce( $_REQUEST ['_wpnonce'], PostmanAdminController::IMPORT_SETTINGS_SLUG ) ) { - $success = PostmanOptions::getInstance()->import( $_POST ['settings'] ); + $success = PostmanOptions::getInstance()->import( sanitize_textarea_field($_POST ['settings']) ); } else { $success = false; } diff --git a/Postman/PostmanAjaxController.php b/Postman/PostmanAjaxController.php index e8e54b6..16d70cc 100644 --- a/Postman/PostmanAjaxController.php +++ b/Postman/PostmanAjaxController.php @@ -49,7 +49,7 @@ if (! class_exists ( 'PostmanAbstractAjaxHandler' )) { */ protected function getRequestParameter($parameterName) { if (isset ( $_POST [$parameterName] )) { - $value = $_POST[$parameterName]; + $value = sanitize_text_field($_POST[$parameterName]); $this->logger->trace ( sprintf ( 'Found parameter "%s"', $parameterName ) ); $this->logger->trace ( $value ); return $value; diff --git a/Postman/PostmanLogFields.php b/Postman/PostmanLogFields.php index e1f9c90..9299586 100644 --- a/Postman/PostmanLogFields.php +++ b/Postman/PostmanLogFields.php @@ -49,6 +49,11 @@ class PostmanLogFields { } private function maybe_json( $json ) { + + if ( is_array( $json ) ) { + return implode( ',', $json ); + } + if ( $this->isJson( $json ) ) { return implode( ',', json_decode( $json, true ) ); } diff --git a/Postman/PostmanPluginFeedback.php b/Postman/PostmanPluginFeedback.php index 7465377..95ea06f 100644 --- a/Postman/PostmanPluginFeedback.php +++ b/Postman/PostmanPluginFeedback.php @@ -4,7 +4,7 @@ if ( ! defined( 'ABSPATH' ) ) { } class PostmanPluginFeedback { function __construct() { - add_filter( 'plugin_action_links_' . plugin_basename( POST_BASE ), array( $this, 'insert_deactivate_link_id' ) ); + add_filter( 'plugin_action_links_' . plugin_basename( POST_SMTP_BASE ), array( $this, 'insert_deactivate_link_id' ) ); add_action( 'wp_ajax_post_user_feedback', array( $this, 'post_user_feedback' ) ); global $pagenow; if ( 'plugins.php' === $pagenow ) { @@ -16,7 +16,7 @@ class PostmanPluginFeedback { function load_scripts() { wp_enqueue_style( 'wp-jquery-ui-dialog' ); - wp_register_script( 'post-feedback', plugins_url( 'script/feedback/feedback.js', POST_BASE ), array( 'jquery', 'jquery-ui-core', 'jquery-ui-dialog' ), false, true ); + wp_register_script( 'post-feedback', plugins_url( 'script/feedback/feedback.js', POST_SMTP_BASE ), array( 'jquery', 'jquery-ui-core', 'jquery-ui-dialog' ), false, true ); wp_localize_script( 'post-feedback', 'post_feedback', array( 'admin_ajax' => admin_url( 'admin-ajax.php' ) ) ); wp_enqueue_script( 'post-feedback' ); } diff --git a/Postman/PostmanViewController.php b/Postman/PostmanViewController.php index e41234c..9082d35 100644 --- a/Postman/PostmanViewController.php +++ b/Postman/PostmanViewController.php @@ -331,7 +331,7 @@ if ( ! class_exists( 'PostmanViewController' ) ) { </div>'; } - include_once POST_PATH . '/Postman/extra/donation.php'; + include_once POST_SMTP_PATH . '/Postman/extra/donation.php'; echo '<div class="twitter-wrap">'; print '<div id="postman-main-menu" class="welcome-panel">'; diff --git a/Postman/PostmanWpMail.php b/Postman/PostmanWpMail.php index 85f3ebd..3a2b508 100644 --- a/Postman/PostmanWpMail.php +++ b/Postman/PostmanWpMail.php @@ -82,7 +82,8 @@ if ( ! class_exists( 'PostmanWpMail' ) ) { $hostName = php_uname('n'); } - return $id . '@' . $hostName; + return $id . '@' . str_replace('www.', '', $hostName); + } /** diff --git a/postman-smtp.php b/postman-smtp.php index 674392d..07454ed 100644 --- a/postman-smtp.php +++ b/postman-smtp.php @@ -41,9 +41,9 @@ if ( ! defined( 'ABSPATH' ) ) { * DO some check and Start Postman */ -define( 'POST_BASE', __FILE__ ); -define( 'POST_PATH', __DIR__ ); -define( 'POST_URL', plugins_url('', POST_BASE ) ); +define( 'POST_SMTP_BASE', __FILE__ ); +define( 'POST_SMTP_PATH', __DIR__ ); +define( 'POST_SMTP_URL', plugins_url('', POST_SMTP_BASE ) ); define( 'POST_SMTP_VER', '2.0.4' ); $postman_smtp_exist = in_array( 'postman-smtp/postman-smtp.php', (array) get_option( 'active_plugins', array() ) ); @@ -60,7 +60,7 @@ if ( $postman_smtp_exist || $required_php_version ) { add_action( 'admin_notices', 'post_smtp_plugin_admin_notice_version' ); } } else { - post_start( memory_get_usage() ); + post_smtp_start( memory_get_usage() ); } @@ -121,7 +121,7 @@ add_action( 'admin_footer', 'post_dismiss_not_configured' ); * * @param mixed $startingMemory */ -function post_start( $startingMemory ) { +function post_smtp_start( $startingMemory ) { post_setupPostman(); PostmanUtils::logMemoryUse( $startingMemory, 'Postman' ); } |