authoryehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664>2019-08-19 20:57:47 +0000
committeryehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664>2019-08-19 20:57:47 +0000
commitd1d82adca1dbb02382d7ccf49b8830816e8fa00f (patch)
treeba061c2b4c1f06cc67efcee7b85a3c8c25162905 /Postman/Postman-Configuration/PostmanConfigurationController.php
parent7aa4390a6702059342aad220e53e3aa4efc9caad (diff)
Security issues
Diffstat (limited to 'Postman/Postman-Configuration/PostmanConfigurationController.php')
-rw-r--r--Postman/Postman-Configuration/PostmanConfigurationController.php21
1 files changed, 21 insertions, 0 deletions
diff --git a/Postman/Postman-Configuration/PostmanConfigurationController.php b/Postman/Postman-Configuration/PostmanConfigurationController.php
index a81605a..4cade58 100644
--- a/Postman/Postman-Configuration/PostmanConfigurationController.php
+++ b/Postman/Postman-Configuration/PostmanConfigurationController.php
@@ -1,4 +1,8 @@
<?php
+if ( ! defined( 'ABSPATH' ) ) {
+ exit; // Exit if accessed directly
+}
+
require_once( 'PostmanRegisterConfigurationSettings.php' );
class PostmanConfigurationController {
const CONFIGURATION_SLUG = 'postman/configuration';
@@ -207,6 +211,9 @@ class PostmanConfigurationController {
print '</ul>';
print '<form method="post" action="options.php">';
+
+ wp_nonce_field('post-smtp', 'security');
+
// This prints out all hidden setting fields
settings_fields( PostmanAdminController::SETTINGS_GROUP_NAME );
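Review bot: The nonce field added at line 34 is posted to options.php, which verifies only the `_wpnonce` emitted by settings_fields() on the next line, so nothing in this commit consumes the `security` field on form submission; presumably the plugin's admin JavaScript reads the rendered `#security` input and forwards it to the AJAX handlers that now call check_admin_referer, but that is not visible here. A one-line comment would make the dependency explicit: `// Nonce read by the plugin's AJAX requests (see check_admin_referer callers); options.php validates its own nonce from settings_fields().` The same applies to the second field in the hunk ending at line 44, where the call spacing (`'security' );`) also differs from the first call and from the file's `func( args )` style. Note that wp_nonce_field() also prints a `_wp_http_referer` input by default; it is harmless in this form but is extra hidden state to be aware of. The enclosing method starts and ends outside both hunks.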
@@ -441,6 +448,8 @@ class PostmanConfigurationController {
printf( '<input type="hidden" id="input_%2$s" name="%1$s[%2$s]" value="%3$s" />', PostmanOptions::POSTMAN_OPTIONS, PostmanOptions::STEALTH_MODE, $this->options->isStealthModeEnabled() );
printf( '<input type="hidden" id="input_%2$s" name="%1$s[%2$s]" value="%3$s" />', PostmanOptions::POSTMAN_OPTIONS, PostmanOptions::TEMPORARY_DIRECTORY, $this->options->getTempDirectory() );
+ wp_nonce_field('post-smtp', 'security' );
+
// display the setting text
settings_fields( PostmanAdminController::SETTINGS_GROUP_NAME );
@@ -622,6 +631,9 @@ class PostmanGetHostnameByEmailAjaxController extends PostmanAbstractAjaxHandler
* This Ajax function retrieves the smtp hostname for a give e-mail address
*/
function getAjaxHostnameByEmail() {
+
+ check_admin_referer('post-smtp', 'security');
+
$goDaddyHostDetected = $this->getBooleanRequestParameter( 'go_daddy' );
$email = $this->getRequestParameter( 'email' );
$d = new PostmanSmtpDiscovery( $email );
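Review bot: check_admin_referer() at line 50 is the page-request variant: on a missing or invalid nonce it answers through wp_nonce_ays() with an HTML "link has expired" page, which an AJAX caller cannot interpret; the AJAX-specific `check_ajax_referer( 'post-smtp', 'security' );` fails with a plain `-1`/error response instead and is the conventional choice inside wp_ajax_ handlers. The nonce only proves the request came from a page that rendered it for the current user — it is not an authorization check — so each handler should also verify capability, e.g. `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error(); }`, unless PostmanAbstractAjaxHandler already enforces that (its code is not in this diff). Using the single action `'post-smtp'` for every endpoint means one nonce is valid for all of them; a per-endpoint action such as `'post-smtp-hostname'` would narrow that. The same applies to the hunks ending at lines 64, 74 and 84, and each method's body continues past its hunk.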
@@ -656,6 +668,9 @@ class PostmanManageConfigurationAjaxHandler extends PostmanAbstractAjaxHandler {
* @throws Exception
*/
function getManualConfigurationViaAjax() {
+
+ check_admin_referer('post-smtp', 'security');
+
$queryTransportType = $this->getTransportTypeFromRequest();
$queryAuthType = $this->getAuthenticationTypeFromRequest();
$queryHostname = $this->getHostnameFromRequest();
@@ -686,6 +701,9 @@ class PostmanManageConfigurationAjaxHandler extends PostmanAbstractAjaxHandler {
* The UI response is built so the user may choose a different socket with different options.
*/
function getWizardConfigurationViaAjax() {
+
+ check_admin_referer('post-smtp', 'security');
+
$this->logger->debug( 'in getWizardConfiguration' );
$originalSmtpServer = $this->getRequestParameter( 'original_smtp_server' );
$queryHostData = $this->getHostDataFromRequest();
@@ -895,6 +913,9 @@ class PostmanImportConfigurationAjaxController extends PostmanAbstractAjaxHandle
* and pushes them into the Postman configuration screen.
*/
function getConfigurationFromExternalPluginViaAjax() {
+
+ check_admin_referer('post-smtp', 'security');
+
$importableConfiguration = new PostmanImportableConfiguration();
$plugin = $this->getRequestParameter( 'plugin' );
$this->logger->debug( 'Looking for config=' . $plugin );