diff options
| author | yehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664> | 2019-08-19 20:57:47 +0000 |
|---|---|---|
| committer | yehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664> | 2019-08-19 20:57:47 +0000 |
| commit | d1d82adca1dbb02382d7ccf49b8830816e8fa00f (patch) | |
| tree | ba061c2b4c1f06cc67efcee7b85a3c8c25162905 | |
| parent | 7aa4390a6702059342aad220e53e3aa4efc9caad (diff) | |
| download | Post-SMTP-d1d82adca1dbb02382d7ccf49b8830816e8fa00f.zip | |
Security issues
76 files changed, 356 insertions, 67 deletions
diff --git a/Postman/Phpmailer/PostsmtpMailer.php b/Postman/Phpmailer/PostsmtpMailer.php index 9eee0a7..b3a421b 100644 --- a/Postman/Phpmailer/PostsmtpMailer.php +++ b/Postman/Phpmailer/PostsmtpMailer.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} require_once ABSPATH . WPINC . '/class-phpmailer.php'; require_once ABSPATH . WPINC . '/class-smtp.php'; diff --git a/Postman/Postman-Auth/PostmanAbstractAuthenticationManager.php b/Postman/Postman-Auth/PostmanAbstractAuthenticationManager.php index 75d734b..7402ba7 100644 --- a/Postman/Postman-Auth/PostmanAbstractAuthenticationManager.php +++ b/Postman/Postman-Auth/PostmanAbstractAuthenticationManager.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( "PostmanAbstractAuthenticationManager" )) { require_once 'PostmanAuthenticationManager.php'; diff --git a/Postman/Postman-Auth/PostmanAuthenticationManager.php b/Postman/Postman-Auth/PostmanAuthenticationManager.php index 56cc697..c405459 100644 --- a/Postman/Postman-Auth/PostmanAuthenticationManager.php +++ b/Postman/Postman-Auth/PostmanAuthenticationManager.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! interface_exists ( "PostmanAuthenticationManager" )) { interface PostmanAuthenticationManager { const POSTMAN_AUTHORIZATION_IN_PROGRESS = 'request_oauth_permission'; diff --git a/Postman/Postman-Auth/PostmanAuthenticationManagerFactory.php b/Postman/Postman-Auth/PostmanAuthenticationManagerFactory.php index fec81a1..799b999 100644 --- a/Postman/Postman-Auth/PostmanAuthenticationManagerFactory.php +++ b/Postman/Postman-Auth/PostmanAuthenticationManagerFactory.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( "PostmanAuthenticationManagerFactory" )) { require_once 'PostmanGoogleAuthenticationManager.php'; diff --git a/Postman/Postman-Auth/PostmanGoogleAuthenticationManager.php b/Postman/Postman-Auth/PostmanGoogleAuthenticationManager.php index 4bbe27b..c00afba 100644 --- a/Postman/Postman-Auth/PostmanGoogleAuthenticationManager.php +++ b/Postman/Postman-Auth/PostmanGoogleAuthenticationManager.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( "PostmanGoogleAuthenticationManager" )) { require_once 'PostmanAbstractAuthenticationManager.php'; diff --git a/Postman/Postman-Auth/PostmanMicrosoftAuthenticationManager.php b/Postman/Postman-Auth/PostmanMicrosoftAuthenticationManager.php index a724f04..96fb529 100644 --- a/Postman/Postman-Auth/PostmanMicrosoftAuthenticationManager.php +++ b/Postman/Postman-Auth/PostmanMicrosoftAuthenticationManager.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( "PostmanMicrosoftAuthenticationManager" )) { require_once 'PostmanAbstractAuthenticationManager.php'; diff --git a/Postman/Postman-Auth/PostmanNonOAuthAuthenticationManager.php b/Postman/Postman-Auth/PostmanNonOAuthAuthenticationManager.php index 7ab1b5a..ed4f0c3 100644 --- a/Postman/Postman-Auth/PostmanNonOAuthAuthenticationManager.php +++ b/Postman/Postman-Auth/PostmanNonOAuthAuthenticationManager.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( "PostmanNonOAuthAuthenticationManager" )) { require_once 'PostmanAuthenticationManager.php'; diff --git a/Postman/Postman-Auth/PostmanStateIdMissingException.php b/Postman/Postman-Auth/PostmanStateIdMissingException.php index 94a973d..afa16c2 100644 --- a/Postman/Postman-Auth/PostmanStateIdMissingException.php +++ b/Postman/Postman-Auth/PostmanStateIdMissingException.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( 'PostmanStateIdMissingException' )) { class PostmanStateIdMissingException extends Exception { } diff --git a/Postman/Postman-Auth/PostmanYahooAuthenticationManager.php b/Postman/Postman-Auth/PostmanYahooAuthenticationManager.php index 56d7b9e..86c35d9 100644 --- a/Postman/Postman-Auth/PostmanYahooAuthenticationManager.php +++ b/Postman/Postman-Auth/PostmanYahooAuthenticationManager.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( "PostmanYahooAuthenticationManager" )) { require_once 'PostmanAbstractAuthenticationManager.php'; diff --git a/Postman/Postman-Configuration/PostmanConfigurationController.php b/Postman/Postman-Configuration/PostmanConfigurationController.php index a81605a..4cade58 100644 --- a/Postman/Postman-Configuration/PostmanConfigurationController.php +++ b/Postman/Postman-Configuration/PostmanConfigurationController.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once( 'PostmanRegisterConfigurationSettings.php' ); class PostmanConfigurationController { const CONFIGURATION_SLUG = 'postman/configuration'; @@ -207,6 +211,9 @@ class PostmanConfigurationController { print '</ul>'; print '<form method="post" action="options.php">'; + + wp_nonce_field('post-smtp', 'security'); + // This prints out all hidden setting fields settings_fields( PostmanAdminController::SETTINGS_GROUP_NAME ); @@ -441,6 +448,8 @@ class PostmanConfigurationController { printf( '<input type="hidden" id="input_%2$s" name="%1$s[%2$s]" value="%3$s" />', PostmanOptions::POSTMAN_OPTIONS, PostmanOptions::STEALTH_MODE, $this->options->isStealthModeEnabled() ); printf( '<input type="hidden" id="input_%2$s" name="%1$s[%2$s]" value="%3$s" />', PostmanOptions::POSTMAN_OPTIONS, PostmanOptions::TEMPORARY_DIRECTORY, $this->options->getTempDirectory() ); + wp_nonce_field('post-smtp', 'security' ); + // display the setting text settings_fields( PostmanAdminController::SETTINGS_GROUP_NAME ); @@ -622,6 +631,9 @@ class PostmanGetHostnameByEmailAjaxController extends PostmanAbstractAjaxHandler * This Ajax function retrieves the smtp hostname for a give e-mail address */ function getAjaxHostnameByEmail() { + + check_admin_referer('post-smtp', 'security'); + $goDaddyHostDetected = $this->getBooleanRequestParameter( 'go_daddy' ); $email = $this->getRequestParameter( 'email' ); $d = new PostmanSmtpDiscovery( $email ); @@ -656,6 +668,9 @@ class PostmanManageConfigurationAjaxHandler extends PostmanAbstractAjaxHandler { * @throws Exception */ function getManualConfigurationViaAjax() { + + check_admin_referer('post-smtp', 'security'); + $queryTransportType = $this->getTransportTypeFromRequest(); $queryAuthType = $this->getAuthenticationTypeFromRequest(); $queryHostname = $this->getHostnameFromRequest(); @@ -686,6 +701,9 @@ class PostmanManageConfigurationAjaxHandler extends PostmanAbstractAjaxHandler { * The UI response is built so the user may choose a different socket with different options. */ function getWizardConfigurationViaAjax() { + + check_admin_referer('post-smtp', 'security'); + $this->logger->debug( 'in getWizardConfiguration' ); $originalSmtpServer = $this->getRequestParameter( 'original_smtp_server' ); $queryHostData = $this->getHostDataFromRequest(); @@ -895,6 +913,9 @@ class PostmanImportConfigurationAjaxController extends PostmanAbstractAjaxHandle * and pushes them into the Postman configuration screen. */ function getConfigurationFromExternalPluginViaAjax() { + + check_admin_referer('post-smtp', 'security'); + $importableConfiguration = new PostmanImportableConfiguration(); $plugin = $this->getRequestParameter( 'plugin' ); $this->logger->debug( 'Looking for config=' . $plugin ); diff --git a/Postman/Postman-Configuration/PostmanImportableConfiguration.php b/Postman/Postman-Configuration/PostmanImportableConfiguration.php index ba807d3..0008221 100644 --- a/Postman/Postman-Configuration/PostmanImportableConfiguration.php +++ b/Postman/Postman-Configuration/PostmanImportableConfiguration.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if (! interface_exists ( 'PostmanPluginOptions' )) { interface PostmanPluginOptions { public function getPluginSlug(); diff --git a/Postman/Postman-Configuration/PostmanRegisterConfigurationSettings.php b/Postman/Postman-Configuration/PostmanRegisterConfigurationSettings.php index 84305a3..6ddebd7 100644 --- a/Postman/Postman-Configuration/PostmanRegisterConfigurationSettings.php +++ b/Postman/Postman-Configuration/PostmanRegisterConfigurationSettings.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + class PostmanSettingsRegistry { private $options; @@ -11,7 +15,7 @@ class PostmanSettingsRegistry { * Fires on the admin_init method */ public function on_admin_init() { - $this->registerSettings(); + $this->registerSettings(); } /** diff --git a/Postman/Postman-Configuration/PostmanSmtpDiscovery.php b/Postman/Postman-Configuration/PostmanSmtpDiscovery.php index 44da3bb..67a58b3 100644 --- a/Postman/Postman-Configuration/PostmanSmtpDiscovery.php +++ b/Postman/Postman-Configuration/PostmanSmtpDiscovery.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if (! class_exists ( 'PostmanSmtpMappings' )) { class PostmanSmtpMappings { // if an email is in this domain array, it is a known smtp server (easy lookup) diff --git a/Postman/Postman-Configuration/postman_manual_config.js b/Postman/Postman-Configuration/postman_manual_config.js index 293df28..a47df1a 100644 --- a/Postman/Postman-Configuration/postman_manual_config.js +++ b/Postman/Postman-Configuration/postman_manual_config.js @@ -77,11 +77,13 @@ function reloadOauthSection() { var hostname = jQuery(postman_hostname_element_name).val(); var transport = jQuery('#input_transport_type').val(); var authtype = jQuery('select#input_auth_type').val(); + var security = jQuery('#security').val(); var data = { 'action' : 'manual_config', 'auth_type' : authtype, 'hostname' : hostname, 'transport' : transport, + 'security' : security }; jQuery.post(ajaxurl, data, function(response) { if (response.success) { diff --git a/Postman/Postman-Configuration/postman_wizard.js b/Postman/Postman-Configuration/postman_wizard.js index c29edb4..d844322 100644 --- a/Postman/Postman-Configuration/postman_wizard.js +++ b/Postman/Postman-Configuration/postman_wizard.js @@ -33,7 +33,8 @@ function checkGoDaddyAndCheckEmail(email) { 'action' : 'postman_wizard_port_test', 'hostname' : 'relay-hosting.secureserver.net', 'port' : 25, - 'timeout' : 3 + 'timeout' : 3, + 'security' : jQuery('#security').val(), }; goDaddy = 'unknown'; checkedEmail = false; @@ -50,7 +51,8 @@ function checkEmail(goDaddyHostDetected, email) { var data = { 'action' : 'postman_check_email', 'go_daddy' : goDaddyHostDetected, - 'email' : email + 'email' : email, + 'security' : jQuery('#security').val() }; jQuery.post( ajaxurl, @@ -282,7 +284,8 @@ function getHostsToCheck(hostname) { var data = { 'action' : 'postman_get_hosts_to_test', 'hostname' : hostname, - 'original_smtp_server' : smtpDiscovery.hostname + 'original_smtp_server' : smtpDiscovery.hostname, + 'security' : jQuery('#security').val(), }; jQuery.post(ajaxurl, data, function(response) { if (postmanValidateAjaxResponseWithPopup(response)) { @@ -311,7 +314,8 @@ function handleHostsToCheckResponse(response) { 'action' : 'postman_wizard_port_test', 'hostname' : hostname, 'port' : port, - 'transport' : transport + 'transport' : transport, + 'security' : jQuery('#security').val(), }; postThePortTest(hostname, port, data); } @@ -358,6 +362,7 @@ function handlePortTestResponse(hostname, port, data, response) { } else { // SMTP failed, try again on the SMTPS port data['action'] = 'postman_wizard_port_test_smtps'; + data['security'] = jQuery('#security').val(); postThePortTest(hostname, port, data); } } @@ -386,7 +391,8 @@ function afterPortsChecked() { var data = { 'action' : 'get_wizard_configuration_options', 'original_smtp_server' : smtpDiscovery.hostname, - 'host_data' : connectivtyTestResults + 'host_data' : connectivtyTestResults, + 'security': jQuery('#security').val() }; postTheConfigurationRequest(data); hide('#connectivity_test_status'); @@ -403,7 +409,8 @@ function userOverrideMenu() { "input:radio[name='user_socket_override']:checked").val(), 'user_auth_override' : jQuery( "input:radio[name='user_auth_override']:checked").val(), - 'host_data' : connectivtyTestResults + 'host_data' : connectivtyTestResults, + 'security' : jQuery('#security').val() }; postTheConfigurationRequest(data); } @@ -544,7 +551,8 @@ function getConfiguration() { if (plugin != '') { var data = { 'action' : 'import_configuration', - 'plugin' : plugin + 'plugin' : plugin, + '_wpnonce' : jQuery('#_wpnonce').val(), }; jQuery .post( diff --git a/Postman/Postman-Connectivity-Test/Postman-PortTest.php b/Postman/Postman-Connectivity-Test/Postman-PortTest.php index 91d18f1..adbe530 100644 --- a/Postman/Postman-Connectivity-Test/Postman-PortTest.php +++ b/Postman/Postman-Connectivity-Test/Postman-PortTest.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once ("registered-domain-libs-master/PHP/effectiveTLDs.inc.php"); require_once ("registered-domain-libs-master/PHP/regDomain.inc.php"); diff --git a/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php b/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php index b423c05..3e17dbd 100644 --- a/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php +++ b/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} class PostmanConnectivityTestController { @@ -137,6 +140,9 @@ class PostmanConnectivityTestController { print '<p>'; print __( 'This test determines which well-known ports are available for Postman to use.', 'post-smtp' ); print '<form id="port_test_form_id" method="post">'; + + wp_nonce_field('post-smtp', 'security' ); + printf( '<label for="hostname">%s</label>', __( 'Outgoing Mail Server Hostname', 'post-smtp' ) ); $this->port_test_hostname_callback(); submit_button( _x( 'Begin Test', 'Button Label', 'post-smtp' ), 'primary', 'begin-port-test', true ); @@ -205,6 +211,9 @@ class PostmanPortTestAjaxController { * combinations to run the connectivity test on */ function getPortsToTestViaAjax() { + + check_admin_referer('post-smtp', 'security'); + $queryHostname = PostmanUtils::getRequestParameter( 'hostname' ); // originalSmtpServer is what SmtpDiscovery thinks the SMTP server should be, given an email address $originalSmtpServer = PostmanUtils::getRequestParameter( 'original_smtp_server' ); @@ -222,6 +231,9 @@ class PostmanPortTestAjaxController { * This Ajax function retrieves whether a TCP port is open or not */ function runPortQuizTest() { + + check_admin_referer('post-smtp', 'security'); + $hostname = 'portquiz.net'; $port = intval( PostmanUtils::getRequestParameter( 'port' ) ); $this->logger->debug( 'testing TCP port: hostname ' . $hostname . ' port ' . $port ); @@ -235,6 +247,9 @@ class PostmanPortTestAjaxController { * This is called by both the Wizard and Port Test */ function runSmtpTest() { + + check_admin_referer('post-smtp', 'security'); + $hostname = trim( PostmanUtils::getRequestParameter( 'hostname' ) ); $port = intval( PostmanUtils::getRequestParameter( 'port' ) ); $transport = trim( PostmanUtils::getRequestParameter( 'transport' ) ); @@ -258,6 +273,9 @@ class PostmanPortTestAjaxController { * This Ajax function retrieves whether a TCP port is open or not */ function runSmtpsTest() { + + check_admin_referer('post-smtp', 'security'); + $hostname = trim( PostmanUtils::getRequestParameter( 'hostname' ) ); $port = intval( PostmanUtils::getRequestParameter( 'port' ) ); $transport = trim( PostmanUtils::getRequestParameter( 'transport' ) ); diff --git a/Postman/Postman-Connectivity-Test/postman_port_test.js b/Postman/Postman-Connectivity-Test/postman_port_test.js index 138b4ef..1d5c3fb 100644 --- a/Postman/Postman-Connectivity-Test/postman_port_test.js +++ b/Postman/Postman-Connectivity-Test/postman_port_test.js @@ -23,7 +23,8 @@ jQuery(document).ready(function() { var hostname = jQuery(postman_hostname_element_name).val(); var data = { 'action' : 'postman_get_hosts_to_test', - 'hostname' : hostname + 'hostname' : hostname, + 'security' : jQuery('#security').val(), }; totalPortsTested = 0; @@ -71,7 +72,8 @@ function portQuizTest(socket, hostname, port) { var data = { 'action' : 'postman_port_quiz_test', 'hostname' : hostname, - 'port' : port + 'port' : port, + '_wpnonce' : jQuery('#_wpnonce').val(), }; jQuery.post( ajaxurl, @@ -104,7 +106,8 @@ function firstServiceTest(socket, hostname, port, open) { var data = { 'action' : 'postman_test_port', 'hostname' : hostname, - 'port' : port + 'port' : port, + 'security' : jQuery('#security').val(), }; jQuery .post( @@ -197,7 +200,8 @@ function portTest3(socket, hostname, port, open) { var data = { 'action' : 'postman_test_smtps', 'hostname' : hostname, - 'port' : port + 'port' : port, + '_wpnonce' : jQuery('#_wpnonce').val(), }; jQuery .post( diff --git a/Postman/Postman-Controller/PostmanAdminPointer.php b/Postman/Postman-Controller/PostmanAdminPointer.php index 15fb52d..a05376b 100644 --- a/Postman/Postman-Controller/PostmanAdminPointer.php +++ b/Postman/Postman-Controller/PostmanAdminPointer.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if (! class_exists ( 'PostmanAdminPointer' )) { /** diff --git a/Postman/Postman-Controller/PostmanDashboardWidgetController.php b/Postman/Postman-Controller/PostmanDashboardWidgetController.php index 6233315..8f6bae6 100644 --- a/Postman/Postman-Controller/PostmanDashboardWidgetController.php +++ b/Postman/Postman-Controller/PostmanDashboardWidgetController.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if (! class_exists ( "PostmanDashboardWidgetController" )) { // diff --git a/Postman/Postman-Controller/PostmanManageConfigurationAjaxHandler.php b/Postman/Postman-Controller/PostmanManageConfigurationAjaxHandler.php index 1260dad..82472c3 100644 --- a/Postman/Postman-Controller/PostmanManageConfigurationAjaxHandler.php +++ b/Postman/Postman-Controller/PostmanManageConfigurationAjaxHandler.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + class PostmanWizardSocket { // these variables are populated by the Port Test diff --git a/Postman/Postman-Controller/PostmanWelcomeController.php b/Postman/Postman-Controller/PostmanWelcomeController.php index 869848a..e37d3e8 100644 --- a/Postman/Postman-Controller/PostmanWelcomeController.php +++ b/Postman/Postman-Controller/PostmanWelcomeController.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} class PostmanWelcomeController { diff --git a/Postman/Postman-Diagnostic-Test/PostmanDiagnosticTestController.php b/Postman/Postman-Diagnostic-Test/PostmanDiagnosticTestController.php index 82eb558..18a3ec5 100644 --- a/Postman/Postman-Diagnostic-Test/PostmanDiagnosticTestController.php +++ b/Postman/Postman-Diagnostic-Test/PostmanDiagnosticTestController.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} class PostmanDiagnosticTestController { const DIAGNOSTICS_SLUG = 'postman/diagnostics'; @@ -100,6 +103,12 @@ class PostmanDiagnosticTestController { PostmanViewController::outputChildPageHeader( __( 'Diagnostic Test', 'post-smtp' ) ); + ?> + <form> + <?php wp_nonce_field('post-smtp', 'security' ); ?> + </form> + <?php + printf( '<h4>%s</h4>', __( 'Are you having issues with Postman?', 'post-smtp' ) ); /* translators: where %1$s and %2$s are the URLs to the Troubleshooting and Support Forums on WordPress.org */ printf( '<p style="margin:0 10px">%s</p>', sprintf( __( 'Please check the <a href="%1$s">troubleshooting and error messages</a> page and the <a href="%2$s">support forum</a>.', 'post-smtp' ), 'https://wordpress.org/plugins/post-smtp/other_notes/', 'https://wordpress.org/support/plugin/post-smtp' ) ); @@ -208,6 +217,9 @@ class PostmanGetDiagnosticsViaAjax { /** */ public function getDiagnostics() { + + check_admin_referer('post-smtp', 'security'); + $curl = curl_version(); $transportRegistry = PostmanTransportRegistry::getInstance(); $this->addToDiagnostics( 'Mailer', PostmanOptions::getInstance()->getSmtpMailer() ); diff --git a/Postman/Postman-Diagnostic-Test/postman_diagnostics.js b/Postman/Postman-Diagnostic-Test/postman_diagnostics.js index 4aeaa5c..140668e 100644 --- a/Postman/Postman-Diagnostic-Test/postman_diagnostics.js +++ b/Postman/Postman-Diagnostic-Test/postman_diagnostics.js @@ -6,7 +6,8 @@ jQuery(document).ready(function() { */ function getDiagnosticData() { var data = { - 'action' : 'postman_diagnostics' + 'action' : 'postman_diagnostics', + 'security' : jQuery('#security').val() }; jQuery.post(ajaxurl, data, function(response) { if (response.success) { diff --git a/Postman/Postman-Email-Log/PostmanEmailLogController.php b/Postman/Postman-Email-Log/PostmanEmailLogController.php index 79751f3..d22b265 100644 --- a/Postman/Postman-Email-Log/PostmanEmailLogController.php +++ b/Postman/Postman-Email-Log/PostmanEmailLogController.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once dirname(__DIR__) . '/PostmanEmailLogs.php'; require_once 'PostmanEmailLogService.php'; require_once 'PostmanEmailLogView.php'; @@ -73,7 +77,7 @@ class PostmanEmailLogController { /** */ public function resendMail() { - check_ajax_referer( 'resend', 'security' ); + check_admin_referer( 'resend', 'security' ); // get the email address of the recipient from the HTTP Request $postid = $this->getRequestParameter( 'email' ); @@ -200,8 +204,13 @@ class PostmanEmailLogController { // only do this for administrators if ( PostmanUtils::isAdmin() ) { $this->logger->trace( 'handling view item' ); - $postid = $_REQUEST ['email']; + $postid = absint( $_REQUEST ['email'] ); $post = get_post( $postid ); + + if ( $post->post_type !== 'postman_sent_mail' ) { + return; + } + $meta_values = PostmanEmailLogs::get_data( $postid ); // https://css-tricks.com/examples/hrs/ print '<html><head><style>body {font-family: monospace;} hr { @@ -369,18 +378,21 @@ class PostmanEmailLogController { ?> <form id="postman-email-log-filter" method="post"> + <input type="hidden" action="post-smtp-filter" value="1"> + <?php wp_nonce_field('post-smtp', 'post-smtp-log'); ?> + <div id="email-log-filter" class="postman-log-row"> <div class="form-control"> <label for="from_date"><?php _e( 'From Date', 'post-smtp' ); ?></label> - <input id="from_date" class="email-log-date" value="<?php echo $from_date; ?>" type="text" name="from_date" placeholder="<?php _e( 'From Date', 'post-smtp' ); ?>"> + <input id="from_date" class="email-log-date" value="<?php echo esc_attr($from_date); ?>" type="text" name="from_date" placeholder="<?php _e( 'From Date', 'post-smtp' ); ?>"> </div> <div class="form-control"> <label for="to_date"><?php _e( 'To Date', 'post-smtp' ); ?></label> - <input id="to_date" class="email-log-date" value="<?php echo $to_date; ?>" type="text" name="to_date" placeholder="<?php _e( 'To Date', 'post-smtp' ); ?>"> + <input id="to_date" class="email-log-date" value="<?php echo esc_attr($to_date); ?>" type="text" name="to_date" placeholder="<?php _e( 'To Date', 'post-smtp' ); ?>"> </div> <div class="form-control"> <label for="search"><?php _e( 'Search', 'post-smtp' ); ?></label> - <input id="search" type="text" name="search" value="<?php echo $search; ?>" placeholder="<?php _e( 'Search', 'post-smtp' ); ?>"> + <input id="search" type="text" name="search" value="<?php echo esc_attr($search); ?>" placeholder="<?php _e( 'Search', 'post-smtp' ); ?>"> </div> <div class="form-control"> <label id="postman_page_records"><?php _e( 'Records per page', 'post-smtp' ); ?></label> diff --git a/Postman/Postman-Email-Log/PostmanEmailLogPostType.php b/Postman/Postman-Email-Log/PostmanEmailLogPostType.php index 38ab1d0..cf297db 100644 --- a/Postman/Postman-Email-Log/PostmanEmailLogPostType.php +++ b/Postman/Postman-Email-Log/PostmanEmailLogPostType.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( 'PostmanEmailLogPostType' )) { /** diff --git a/Postman/Postman-Email-Log/PostmanEmailLogService.php b/Postman/Postman-Email-Log/PostmanEmailLogService.php index b1b1dff..75c3879 100644 --- a/Postman/Postman-Email-Log/PostmanEmailLogService.php +++ b/Postman/Postman-Email-Log/PostmanEmailLogService.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if ( ! class_exists( 'PostmanEmailLog' ) ) { class PostmanEmailLog { public $sender; diff --git a/Postman/Postman-Email-Log/PostmanEmailLogView.php b/Postman/Postman-Email-Log/PostmanEmailLogView.php index a9722bd..02da123 100644 --- a/Postman/Postman-Email-Log/PostmanEmailLogView.php +++ b/Postman/Postman-Email-Log/PostmanEmailLogView.php @@ -1,5 +1,7 @@ <?php - +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} require_once dirname(__DIR__) . '/PostmanEmailLogs.php'; /** @@ -260,8 +262,12 @@ class PostmanEmailLogView extends WP_List_Table { * ************************************************************************ */ function prepare_items() { + if ( isset( $_POST['action'] ) && $_POST['action'] == 'post-smtp-filter' ) { + if ( ! wp_verify_nonce( $_REQUEST['post-smtp-log'], 'post-smtp' ) ) + die( 'Security check' ); + } - /** + /** * First, lets decide how many records per page to show */ $per_page = isset( $_POST['postman_page_records'] ) ? absint( $_POST['postman_page_records'] ) : 10; diff --git a/Postman/Postman-Mail/PostmanContactForm7.php b/Postman/Postman-Mail/PostmanContactForm7.php index 40fd698..8792b08 100644 --- a/Postman/Postman-Mail/PostmanContactForm7.php +++ b/Postman/Postman-Mail/PostmanContactForm7.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} class Postsmtp_ContactForm7 { private $result_error; diff --git a/Postman/Postman-Mail/PostmanDefaultModuleTransport.php b/Postman/Postman-Mail/PostmanDefaultModuleTransport.php index 3234a26..e52c754 100644 --- a/Postman/Postman-Mail/PostmanDefaultModuleTransport.php +++ b/Postman/Postman-Mail/PostmanDefaultModuleTransport.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once 'PostmanModuleTransport.php'; if (! class_exists ( 'PostmanSmtpModuleTransport' )) { class PostmanDefaultModuleTransport extends PostmanAbstractZendModuleTransport implements PostmanZendModuleTransport { diff --git a/Postman/Postman-Mail/PostmanEmailAddress.php b/Postman/Postman-Mail/PostmanEmailAddress.php index 123064d..d29b0f4 100644 --- a/Postman/Postman-Mail/PostmanEmailAddress.php +++ b/Postman/Postman-Mail/PostmanEmailAddress.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if (! class_exists ( 'PostmanEmailAddress' )) { class PostmanEmailAddress { private $name; diff --git a/Postman/Postman-Mail/PostmanGmailApiModuleTransport.php b/Postman/Postman-Mail/PostmanGmailApiModuleTransport.php index 98fc1f1..fc9e351 100644 --- a/Postman/Postman-Mail/PostmanGmailApiModuleTransport.php +++ b/Postman/Postman-Mail/PostmanGmailApiModuleTransport.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once 'PostmanModuleTransport.php'; /** diff --git a/Postman/Postman-Mail/PostmanGmailApiModuleZendMailTransport.php b/Postman/Postman-Mail/PostmanGmailApiModuleZendMailTransport.php index 544d5fb..b190772 100644 --- a/Postman/Postman-Mail/PostmanGmailApiModuleZendMailTransport.php +++ b/Postman/Postman-Mail/PostmanGmailApiModuleZendMailTransport.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + /** * Zend Framework * diff --git a/Postman/Postman-Mail/PostmanMailEngine.php b/Postman/Postman-Mail/PostmanMailEngine.php index 16c799a..046178b 100644 --- a/Postman/Postman-Mail/PostmanMailEngine.php +++ b/Postman/Postman-Mail/PostmanMailEngine.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if (! interface_exists ( "PostmanMailEngine" )) { interface PostmanMailEngine { diff --git a/Postman/Postman-Mail/PostmanMailgunMailEngine.php b/Postman/Postman-Mail/PostmanMailgunMailEngine.php index abb0466..ce1ebb7 100644 --- a/Postman/Postman-Mail/PostmanMailgunMailEngine.php +++ b/Postman/Postman-Mail/PostmanMailgunMailEngine.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once 'mailgun/mailgun.php'; use Mailgun\Mailgun; diff --git a/Postman/Postman-Mail/PostmanMailgunTransport.php b/Postman/Postman-Mail/PostmanMailgunTransport.php index 63173db..b56cadf 100644 --- a/Postman/Postman-Mail/PostmanMailgunTransport.php +++ b/Postman/Postman-Mail/PostmanMailgunTransport.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once 'PostmanModuleTransport.php'; /** * Postman Mailgun module diff --git a/Postman/Postman-Mail/PostmanMandrillMailEngine.php b/Postman/Postman-Mail/PostmanMandrillMailEngine.php index 6ecc156..74980d3 100644 --- a/Postman/Postman-Mail/PostmanMandrillMailEngine.php +++ b/Postman/Postman-Mail/PostmanMandrillMailEngine.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if ( ! class_exists( 'PostmanMandrillMailEngine' ) ) { require_once 'mailchimp-mandrill-api-php-da3adc10042e/src/Mandrill.php'; diff --git a/Postman/Postman-Mail/PostmanMandrillTransport.php b/Postman/Postman-Mail/PostmanMandrillTransport.php index 8284660..3279f2b 100644 --- a/Postman/Postman-Mail/PostmanMandrillTransport.php +++ b/Postman/Postman-Mail/PostmanMandrillTransport.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once 'PostmanModuleTransport.php'; /** * Postman Mandrill module diff --git a/Postman/Postman-Mail/PostmanMessage.php b/Postman/Postman-Mail/PostmanMessage.php index 7f8949e..12099ba 100644 --- a/Postman/Postman-Mail/PostmanMessage.php +++ b/Postman/Postman-Mail/PostmanMessage.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if ( ! class_exists( 'PostmanMessage' ) ) { require_once 'PostmanEmailAddress.php'; diff --git a/Postman/Postman-Mail/PostmanModuleTransport.php b/Postman/Postman-Mail/PostmanModuleTransport.php index 12d3d17..a0874e3 100644 --- a/Postman/Postman-Mail/PostmanModuleTransport.php +++ b/Postman/Postman-Mail/PostmanModuleTransport.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + /** * Keep the interface_exists check here for Postman Gmail API Extension users! * diff --git a/Postman/Postman-Mail/PostmanMyMailConnector.php b/Postman/Postman-Mail/PostmanMyMailConnector.php index f6b7e54..507b4e0 100644 --- a/Postman/Postman-Mail/PostmanMyMailConnector.php +++ b/Postman/Postman-Mail/PostmanMyMailConnector.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + define( 'MAILSTER_POSTMAN_REQUIRED_VERSION', '2.0' ); define( 'MAILSTER_POSTMAN_ID', 'postman' ); diff --git a/Postman/Postman-Mail/PostmanSendGridMailEngine.php b/Postman/Postman-Mail/PostmanSendGridMailEngine.php index 311d7cc..2ffb8e2 100644 --- a/Postman/Postman-Mail/PostmanSendGridMailEngine.php +++ b/Postman/Postman-Mail/PostmanSendGridMailEngine.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if ( ! class_exists( 'PostmanSendGridMailEngine' ) ) { diff --git a/Postman/Postman-Mail/PostmanSendGridTransport.php b/Postman/Postman-Mail/PostmanSendGridTransport.php index efac416..47a0638 100644 --- a/Postman/Postman-Mail/PostmanSendGridTransport.php +++ b/Postman/Postman-Mail/PostmanSendGridTransport.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once 'PostmanModuleTransport.php'; /** * Postman SendGrid module diff --git a/Postman/Postman-Mail/PostmanSmtpModuleTransport.php b/Postman/Postman-Mail/PostmanSmtpModuleTransport.php index 08e833f..f7d8009 100644 --- a/Postman/Postman-Mail/PostmanSmtpModuleTransport.php +++ b/Postman/Postman-Mail/PostmanSmtpModuleTransport.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once 'PostmanModuleTransport.php'; /** diff --git a/Postman/Postman-Mail/PostmanTransportRegistry.php b/Postman/Postman-Mail/PostmanTransportRegistry.php index 5af2493..4de782a 100644 --- a/Postman/Postman-Mail/PostmanTransportRegistry.php +++ b/Postman/Postman-Mail/PostmanTransportRegistry.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once 'PostmanModuleTransport.php'; require_once 'PostmanZendMailTransportConfigurationFactory.php'; diff --git a/Postman/Postman-Mail/PostmanWooCommerce.php b/Postman/Postman-Mail/PostmanWooCommerce.php index feee32e..1768881 100644 --- a/Postman/Postman-Mail/PostmanWooCommerce.php +++ b/Postman/Postman-Mail/PostmanWooCommerce.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if ( ! class_exists( 'PostmanWoocommerce' ) ) { class PostmanWoocommerce { diff --git a/Postman/Postman-Mail/PostmanZendMailEngine.php b/Postman/Postman-Mail/PostmanZendMailEngine.php index 86905f8..82da37c 100644 --- a/Postman/Postman-Mail/PostmanZendMailEngine.php +++ b/Postman/Postman-Mail/PostmanZendMailEngine.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if ( ! class_exists( 'PostmanZendMailEngine' ) ) { require_once 'Zend-1.12.10/Loader.php'; diff --git a/Postman/Postman-Mail/PostmanZendMailTransportConfigurationFactory.php b/Postman/Postman-Mail/PostmanZendMailTransportConfigurationFactory.php index 08e1810..23fdc41 100644 --- a/Postman/Postman-Mail/PostmanZendMailTransportConfigurationFactory.php +++ b/Postman/Postman-Mail/PostmanZendMailTransportConfigurationFactory.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if (! interface_exists ( 'PostmanZendMailTransportConfigurationFactory' )) { interface PostmanZendMailTransportConfigurationFactory { static function createConfig(PostmanTransport $transport); diff --git a/Postman/Postman-Send-Test-Email/PostmanSendTestEmailController.php b/Postman/Postman-Send-Test-Email/PostmanSendTestEmailController.php index b569c98..1a207c8 100644 --- a/Postman/Postman-Send-Test-Email/PostmanSendTestEmailController.php +++ b/Postman/Postman-Send-Test-Email/PostmanSendTestEmailController.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + class PostmanSendTestEmailController { const EMAIL_TEST_SLUG = 'postman/email_test'; const RECIPIENT_EMAIL_FIELD_NAME = 'postman_recipient_email'; @@ -127,6 +131,8 @@ class PostmanSendTestEmailController { printf( '<form id="postman_test_email_wizard" method="post" action="%s">', PostmanUtils::getSettingsPageUrl() ); + wp_nonce_field('post-smtp', 'security' ); + // Step 1 printf( '<h5>%s</h5>', __( 'Specify the Recipient', 'post-smtp' ) ); print '<fieldset>'; @@ -199,6 +205,9 @@ class PostmanSendTestEmailAjaxController extends PostmanAbstractAjaxHandler { * This Ajax sends a test email */ function sendTestEmailViaAjax() { + + check_admin_referer('post-smtp', 'security'); + // get the email address of the recipient from the HTTP Request $email = $this->getRequestParameter( 'email' ); diff --git a/Postman/Postman-Send-Test-Email/postman_send_test_email.js b/Postman/Postman-Send-Test-Email/postman_send_test_email.js index c3e9f07..ab69d1f 100644 --- a/Postman/Postman-Send-Test-Email/postman_send_test_email.js +++ b/Postman/Postman-Send-Test-Email/postman_send_test_email.js @@ -107,7 +107,8 @@ function postHandleStepChange(event, currentIndex, priorIndex, myself) { jQuery('li').addClass('disabled'); var data = { 'action' : 'postman_send_test_email', - 'email' : jQuery(postman_email_test.recipient).val() + 'email' : jQuery(postman_email_test.recipient).val(), + 'security' : jQuery('#security').val() }; jQuery('#postman_test_message_status').html(postman_email_test.sending); jQuery('#postman_test_message_status').css('color', 'blue'); diff --git a/Postman/Postman.php b/Postman/Postman.php index 71c7cfd..0f36edf 100644 --- a/Postman/Postman.php +++ b/Postman/Postman.php @@ -1,5 +1,7 @@ <?php - +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} /** * Postman execution begins here: * - the default Postman transports are loaded @@ -155,9 +157,6 @@ class Postman { $active_plugins = (array)get_option('active_plugins', array()); if (in_array('sitepress-multilingual-cms/sitepress.php', $active_plugins) && !get_option('postman_wpml_fixed')) { add_action('admin_notices', array($this, 'post_smtp_wpml_admin_notice')); - - // Temp: Just a quick solution, need to find a better option. - add_action('admin_init', array($this, 'postman_fix_wpml')); } } @@ -181,30 +180,6 @@ class Postman { } - public function post_smtp_wpml_admin_notice() { - $class = 'notice notice-error'; - $title = __( 'Post SMTP notice!', 'post-smtp' ); - $intro = __( 'WPML is installed and has a known bug with Post SMTP and few other plugins - you better upgrade, but we can try to fix it.', 'post-smtp' ); - $text = __( 'Click here to fix', 'post-smtp' ); - $message = '<br><a href="' . esc_url( add_query_arg( 'action', 'postman_fix_wpml', get_permalink() ) ) . '">' . $text . '</a>'; - - printf( '<div class="%1$s"><h2>%2$s</h2><p>%3$s</p><p>%4$s</p></div>', esc_attr( $class ), $title, $intro, $message ); - } - - public function postman_fix_wpml() { - if ( isset( $_GET['action'] ) && $_GET['action'] == 'postman_fix_wpml' ) { - $wpml_file_path = WP_PLUGIN_DIR . '/sitepress-multilingual-cms/inc/utilities/wpml-data-encryptor.class.php'; - - if ( file_exists( $wpml_file_path ) ) { - $content = file_get_contents( $wpml_file_path ); - $content = str_replace( "require_once ABSPATH . '/wp-includes/pluggable.php';", "//require_once ABSPATH . '/wp-includes/pluggable.php';", $content ); - file_put_contents( $wpml_file_path, $content ); - } - - update_option( 'postman_wpml_fixed', true ); - wp_redirect( esc_url( remove_query_arg( 'action' ) ) ); - } - } /** * Functions to execute on the plugins_loaded event @@ -436,7 +411,7 @@ class Postman { $message .= (sprintf( ' %s | %s', $goToEmailLog, $goToSettings )); $message .= '<input type="hidden" name="security" class="security" value="' . wp_create_nonce('postsmtp') . '">'; - $hide = get_option('postman_release_version_not_configured' ); + $hide = get_option('postman_release_version' ); if ( $msg['error'] == true && ! $hide ) { $this->messageHandler->printMessage( $message, 'postman-not-configured-notice notice notice-error is-dismissible' ); diff --git a/Postman/PostmanAdminController.php b/Postman/PostmanAdminController.php index f92bc2c..e871821 100644 --- a/Postman/PostmanAdminController.php +++ b/Postman/PostmanAdminController.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if ( ! class_exists( 'PostmanAdminController' ) ) { require_once 'PostmanOptions.php'; diff --git a/Postman/PostmanAjaxController.php b/Postman/PostmanAjaxController.php index 88ec369..e8e54b6 100644 --- a/Postman/PostmanAjaxController.php +++ b/Postman/PostmanAjaxController.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if (! class_exists ( 'PostmanAbstractAjaxHandler' )) { require_once ('PostmanPreRequisitesCheck.php'); diff --git a/Postman/PostmanConfigTextHelper.php b/Postman/PostmanConfigTextHelper.php index 6bc23fe..8ba5ef0 100644 --- a/Postman/PostmanConfigTextHelper.php +++ b/Postman/PostmanConfigTextHelper.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if ( ! interface_exists( 'PostmanConfigTextHelper' ) ) { interface PostmanConfigTextHelper { public function isOauthHost(); diff --git a/Postman/PostmanEmailLogs.php b/Postman/PostmanEmailLogs.php index c7b6175..b25bfbb 100644 --- a/Postman/PostmanEmailLogs.php +++ b/Postman/PostmanEmailLogs.php @@ -1,5 +1,7 @@ <?php - +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} class PostmanEmailLogs { private $db; diff --git a/Postman/PostmanInputSanitizer.php b/Postman/PostmanInputSanitizer.php index 561ce28..e33f6c4 100644 --- a/Postman/PostmanInputSanitizer.php +++ b/Postman/PostmanInputSanitizer.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if ( ! class_exists( 'PostmanInputSanitizer' ) ) { class PostmanInputSanitizer { private $logger; diff --git a/Postman/PostmanInstaller.php b/Postman/PostmanInstaller.php index 0563679..01c6a07 100644 --- a/Postman/PostmanInstaller.php +++ b/Postman/PostmanInstaller.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + require_once( 'PostmanOAuthToken.php' ); require_once( 'PostmanOptions.php' ); diff --git a/Postman/PostmanLogger.php b/Postman/PostmanLogger.php index c606e25..5454c60 100644 --- a/Postman/PostmanLogger.php +++ b/Postman/PostmanLogger.php @@ -1,4 +1,8 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} + if (! class_exists ( "PostmanLogger" )) { // diff --git a/Postman/PostmanMessageHandler.php b/Postman/PostmanMessageHandler.php index 7a218e8..cd9220d 100644 --- a/Postman/PostmanMessageHandler.php +++ b/Postman/PostmanMessageHandler.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( 'PostmanMessageHandler' )) { require_once ('PostmanSession.php'); diff --git a/Postman/PostmanOAuthToken.php b/Postman/PostmanOAuthToken.php index 1f4de78..1cd9634 100644 --- a/Postman/PostmanOAuthToken.php +++ b/Postman/PostmanOAuthToken.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( 'PostmanOAuthToken.php' )) { class PostmanOAuthToken { diff --git a/Postman/PostmanOptions.php b/Postman/PostmanOptions.php index 57fe658..d890124 100644 --- a/Postman/PostmanOptions.php +++ b/Postman/PostmanOptions.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if ( ! interface_exists( 'PostmanOptionsInterface' ) ) { interface PostmanOptionsInterface { /** diff --git a/Postman/PostmanPluginFeedback.php b/Postman/PostmanPluginFeedback.php index b31011d..7465377 100644 --- a/Postman/PostmanPluginFeedback.php +++ b/Postman/PostmanPluginFeedback.php @@ -1,5 +1,7 @@ <?php - +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} class PostmanPluginFeedback { function __construct() { add_filter( 'plugin_action_links_' . plugin_basename( POST_BASE ), array( $this, 'insert_deactivate_link_id' ) ); @@ -152,4 +154,4 @@ class PostmanPluginFeedback { <?php } } -new PostmanPluginFeedback; +//new PostmanPluginFeedback; diff --git a/Postman/PostmanPreRequisitesCheck.php b/Postman/PostmanPreRequisitesCheck.php index 884ecdf..c187a9b 100644 --- a/Postman/PostmanPreRequisitesCheck.php +++ b/Postman/PostmanPreRequisitesCheck.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( 'PostmanPreRequisitesCheck' )) { class PostmanPreRequisitesCheck { public static function checkIconv() { diff --git a/Postman/PostmanSession.php b/Postman/PostmanSession.php index 4243f2b..f1128b4 100644 --- a/Postman/PostmanSession.php +++ b/Postman/PostmanSession.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( 'PostmanSession' )) { /** diff --git a/Postman/PostmanState.php b/Postman/PostmanState.php index ac251fa..4b077e0 100644 --- a/Postman/PostmanState.php +++ b/Postman/PostmanState.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( "PostmanState" )) { /** diff --git a/Postman/PostmanUtils.php b/Postman/PostmanUtils.php index 6858fe3..335d0f3 100644 --- a/Postman/PostmanUtils.php +++ b/Postman/PostmanUtils.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} require_once 'PostmanLogger.php'; require_once 'PostmanState.php'; @@ -368,9 +371,9 @@ class PostmanUtils { */ static function postmanGetServerName() { if ( ! empty( $_SERVER ['SERVER_NAME'] ) ) { - $serverName = $_SERVER ['SERVER_NAME']; + $serverName = sanitize_text_field($_SERVER ['SERVER_NAME']); } else if ( ! empty( $_SERVER ['HTTP_HOST'] ) ) { - $serverName = $_SERVER ['HTTP_HOST']; + $serverName = sanitize_text_field($_SERVER ['HTTP_HOST']); } else { $serverName = 'localhost.localdomain'; } @@ -410,6 +413,7 @@ class PostmanUtils { * @param mixed $callbackName */ public static function registerAjaxHandler( $actionName, $class, $callbackName ) { + if ( is_admin() ) { $fullname = 'wp_ajax_' . $actionName; // $this->logger->debug ( 'Registering ' . 'wp_ajax_' . $fullname . ' Ajax handler' ); diff --git a/Postman/PostmanViewController.php b/Postman/PostmanViewController.php index 55a56e9..7d5c35d 100644 --- a/Postman/PostmanViewController.php +++ b/Postman/PostmanViewController.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if ( ! class_exists( 'PostmanViewController' ) ) { class PostmanViewController { private $logger; @@ -46,19 +49,19 @@ if ( ! class_exists( 'PostmanViewController' ) ) { function dismiss_version_notify() { - check_ajax_referer( 'postsmtp', 'security' ); + check_admin_referer( 'postsmtp', 'security' ); $result = update_option('postman_release_version', true ); } function dismiss_donation_notify() { - check_ajax_referer( 'postsmtp', 'security' ); + check_admin_referer( 'postsmtp', 'security' ); $result = update_option('postman_dismiss_donation', true ); } function delete_lock_file() { - check_ajax_referer( 'postman', 'security' ); + check_admin_referer( 'postman', 'security' ); if ( ! PostmanUtils::lockFileExists() ) { echo __('No lock file found.', 'post-smtp' ); @@ -295,7 +298,7 @@ if ( ! class_exists( 'PostmanViewController' ) ) { print '</section>'; print '<section id="delete_settings">'; printf( '<h3><span>%s<span></h3>', $resetTitle ); - print '<form method="POST" action="' . get_admin_url() . 'admin-post.php">'; + print '<form class="post-smtp-reset-options" method="POST" action="' . get_admin_url() . 'admin-post.php">'; wp_nonce_field( PostmanAdminController::PURGE_DATA_SLUG ); printf( '<input type="hidden" name="action" value="%s" />', PostmanAdminController::PURGE_DATA_SLUG ); printf( '<p><span>%s</span></p><p><span>%s</span></p>', __( 'This will purge all of Postman\'s settings, including account credentials and the email log.', 'post-smtp' ), __( 'Are you sure?', 'post-smtp' ) ); @@ -375,9 +378,6 @@ if ( ! class_exists( 'PostmanViewController' ) ) { printf( '<li><img class="align-middle" src="' . plugins_url( 'style/images/new.gif', dirname( __DIR__ ) . '/postman-smtp.php' ) . '"><a target="blank" class="align-middle" href="https://postmansmtp.com/category/guides/" class="welcome-icon postman_guides">%s</a></li>', __( 'Guides', 'post-smtp' ) ); print '</ul></div></div></div></div>'; ?> - <div class="twitter-iframe-wrap" style="min-width: 300px;"> - <a class="twitter-timeline" data-height="304" href="https://twitter.com/PostSMTP?ref_src=twsrc%5Etfw">Tweets by PostSMTP</a> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> - </div> </div> <?php } diff --git a/Postman/PostmanWpMail.php b/Postman/PostmanWpMail.php index 66b3279..85f3ebd 100644 --- a/Postman/PostmanWpMail.php +++ b/Postman/PostmanWpMail.php @@ -1,5 +1,7 @@ <?php - +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if ( ! class_exists( 'PostmanWpMail' ) ) { /** @@ -75,7 +77,7 @@ if ( ! class_exists( 'PostmanWpMail' ) ) { $id = md5(uniqid(time())); if (isset($_SERVER["SERVER_NAME"])) { - $hostName = $_SERVER["SERVER_NAME"]; + $hostName = sanitize_text_field($_SERVER["SERVER_NAME"]); } else { $hostName = php_uname('n'); } diff --git a/Postman/PostmanWpMailBinder.php b/Postman/PostmanWpMailBinder.php index 95eb898..575e1bb 100644 --- a/Postman/PostmanWpMailBinder.php +++ b/Postman/PostmanWpMailBinder.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} if (! class_exists ( 'PostmanWpMailBinder' )) { class PostmanWpMailBinder { private $logger; diff --git a/Postman/notifications/INotify.php b/Postman/notifications/INotify.php index d330cbe..f40548d 100644 --- a/Postman/notifications/INotify.php +++ b/Postman/notifications/INotify.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} interface Postman_Notify { public function send_message( $message ); }
\ No newline at end of file diff --git a/Postman/notifications/PostmanMailNotify.php b/Postman/notifications/PostmanMailNotify.php index a76fb2a..922c304 100644 --- a/Postman/notifications/PostmanMailNotify.php +++ b/Postman/notifications/PostmanMailNotify.php @@ -1,5 +1,7 @@ <?php - +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} class PostmanMailNotify implements Postman_Notify { public function send_message($message) diff --git a/Postman/notifications/PostmanNotify.php b/Postman/notifications/PostmanNotify.php index 365d708..7654ecb 100644 --- a/Postman/notifications/PostmanNotify.php +++ b/Postman/notifications/PostmanNotify.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} require_once 'INotify.php'; require_once 'PostmanMailNotify.php'; require_once 'PostmanPushoverNotify.php'; diff --git a/Postman/notifications/PostmanPushoverNotify.php b/Postman/notifications/PostmanPushoverNotify.php index 1c483b3..14ef7d2 100644 --- a/Postman/notifications/PostmanPushoverNotify.php +++ b/Postman/notifications/PostmanPushoverNotify.php @@ -1,5 +1,7 @@ <?php - +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} class PostmanPushoverNotify implements Postman_Notify { public function send_message($message) diff --git a/Postman/notifications/PostmanSlackNotify.php b/Postman/notifications/PostmanSlackNotify.php index 41094ed..5b6fae3 100644 --- a/Postman/notifications/PostmanSlackNotify.php +++ b/Postman/notifications/PostmanSlackNotify.php @@ -1,5 +1,7 @@ <?php - +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} class PostmanSlackNotify implements Postman_Notify { public function send_message($message) diff --git a/postman-smtp.php b/postman-smtp.php index 4f4f706..effa6a8 100644 --- a/postman-smtp.php +++ b/postman-smtp.php @@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly +} /* * Plugin Name: Post SMTP * Plugin URI: https://wordpress.org/plugins/post-smtp/ diff --git a/script/postman.js b/script/postman.js index edd33ac..696414a 100644 --- a/script/postman.js +++ b/script/postman.js @@ -1,6 +1,15 @@ jQuery(document).ready(function($) { $( ".email-log-date" ).datepicker(); + $('.post-smtp-reset-options').on('submit', function(e) { + var result = confirm('Are you sure?'); + + if ( ! result ) { + e.preventDefault(); + return false; + } + }); + $('.notice-dismiss.postman-release-message').on('click', function() { var $this = $(this); var args = { |