author | yehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664> | 2019-08-27 21:23:41 +0000 |
---|---|---|
committer | yehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664> | 2019-08-27 21:23:41 +0000 |
commit | 6372e454198ed7a1a792b5bfd286af1178ae7d63 (patch) | |
tree | fc8259384657cfebd76be774abd214f17eea680c /Postman/Postman-Email-Log/PostmanEmailLogController.php | |
parent | 69ef56ca57030e9c76e03ea937c9bdef1a4a3750 (diff) | |
download | Post-SMTP-6372e454198ed7a1a792b5bfd286af1178ae7d63.zip |
Security and bugs
Diffstat (limited to 'Postman/Postman-Email-Log/PostmanEmailLogController.php')
-rw-r--r-- | Postman/Postman-Email-Log/PostmanEmailLogController.php | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogController.php b/Postman/Postman-Email-Log/PostmanEmailLogController.php
index 2df2377..49f226b 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogController.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogController.php
@@ -91,7 +91,7 @@ class PostmanEmailLogController {
 $to = $meta_values ['original_to'] [0];
 }
- $success = wp_mail( $to, $meta_values ['original_subject'] [0], maybe_unserialize( $meta_values ['original_message'] [0] ), $meta_values ['original_headers'] [0] );
+ $success = wp_mail( $to, $meta_values ['original_subject'] [0], $meta_values ['original_message'] [0], $meta_values ['original_headers'] [0] );
 // Postman API: retrieve the result of sending this message from Postman
 $result = apply_filters( 'postman_wp_mail_result', null );
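Review bot: The reason `maybe_unserialize()` was dropped from the `wp_mail()` call is recorded nowhere in the hunk, and it is exactly the kind of change a later maintainer reverts when a resent body looks "wrong". Unserializing a stored meta value on resend lets anyone who can write that field (or the database row) trigger PHP object instantiation, so passing the stored body through verbatim is the safer choice; I would say so above the call, e.g. `// Send the stored body as-is: unserialize()-ing meta on resend would allow PHP object injection.` If any existing log entries were ever written as serialized data they will now go out as the raw `a:1:{...}` string rather than decoded, so it is worth confirming how `PostmanLogFields` stores `original_message`. The enclosing method begins and ends outside this hunk.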
@@ -158,21 +158,21 @@ class PostmanEmailLogController {
 if ( PostmanUtils::isAdmin() && isset( $_REQUEST ['email_log_entry'] ) ) {
 $this->logger->trace( 'handling bulk action' );
 if ( wp_verify_nonce( $_REQUEST ['_wpnonce'], 'bulk-email_log_entries' ) ) {
- $this->logger->trace( sprintf( 'nonce "%s" passed validation', $_REQUEST ['_wpnonce'] ) );
+ $this->logger->trace( sprintf( 'nonce "%s" passed validation', sanitize_text_field($_REQUEST ['_wpnonce']) ) );
 if ( isset( $_REQUEST ['action'] ) && ($_REQUEST ['action'] == 'bulk_delete' || $_REQUEST ['action2'] == 'bulk_delete') ) {
 $this->logger->trace( sprintf( 'handling bulk delete' ) );
 $purger = new PostmanEmailLogPurger();
- $postids = $_REQUEST ['email_log_entry'];
+ $postids = array_map( 'absint', $_REQUEST ['email_log_entry'] );
 foreach ( $postids as $postid ) {
 $purger->verifyLogItemExistsAndRemove( $postid );
 }
 $mh = new PostmanMessageHandler();
 $mh->addMessage( __( 'Mail Log Entries were deleted.', 'post-smtp' ) );
 } else {
- $this->logger->warn( sprintf( 'action "%s" not recognized', $_REQUEST ['action'] ) );
+ $this->logger->warn( sprintf( 'action "%s" not recognized', sanitize_text_field($_REQUEST ['action']) ) );
 }
 } else {
- $this->logger->warn( sprintf( 'nonce "%s" failed validation', $_REQUEST ['_wpnonce'] ) );
+ $this->logger->warn( sprintf( 'nonce "%s" failed validation', sanitize_text_field($_REQUEST ['_wpnonce']) ) );
 }
 $this->redirectToLogPage();
 }
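Review bot: `array_map( 'absint', $_REQUEST ['email_log_entry'] )` assumes the request value is an array, but the surrounding `isset()` only proves it is present; a request carrying `email_log_entry=5` as a scalar reaches `array_map` with a string, which is a TypeError on PHP 8 (a warning plus `null` on PHP 7, after which the `foreach` warns again). Cast before mapping, and drop the zeros that `absint()` yields for non-numeric entries so `verifyLogItemExistsAndRemove( 0 )` is never reached: `$postids = array_filter( array_map( 'absint', (array) $_REQUEST ['email_log_entry'] ) );`. Separately, `$_REQUEST ['action2']` on the line after the first changed line is still read without an `isset()` guard, which this commit leaves as it was. The enclosing method starts and ends outside this hunk.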
@@ -184,15 +184,15 @@ class PostmanEmailLogController {
 // only do this for administrators
 if ( PostmanUtils::isAdmin() ) {
 $this->logger->trace( 'handling delete item' );
- $postid = $_REQUEST ['email'];
+ $postid = absint($_REQUEST ['email']);
 if ( wp_verify_nonce( $_REQUEST ['_wpnonce'], 'delete_email_log_item_' . $postid ) ) {
- $this->logger->trace( sprintf( 'nonce "%s" passed validation', $_REQUEST ['_wpnonce'] ) );
+ $this->logger->trace( sprintf( 'nonce "%s" passed validation', sanitize_text_field($_REQUEST ['_wpnonce']) ) );
 $purger = new PostmanEmailLogPurger();
 $purger->verifyLogItemExistsAndRemove( $postid );
 $mh = new PostmanMessageHandler();
 $mh->addMessage( __( 'Mail Log Entry was deleted.', 'post-smtp' ) );
 } else {
- $this->logger->warn( sprintf( 'nonce "%s" failed validation', $_REQUEST ['_wpnonce'] ) );
+ $this->logger->warn( sprintf( 'nonce "%s" failed validation', sanitize_text_field($_REQUEST ['_wpnonce']) ) );
 }
 $this->redirectToLogPage();
 }
@@ -267,7 +267,7 @@ class PostmanEmailLogController {
 // only do this for administrators
 if ( PostmanUtils::isAdmin() ) {
 $this->logger->trace( 'handling view transcript item' );
- $postid = $_REQUEST ['email'];
+ $postid = absint($_REQUEST ['email']);
 $post = get_post( $postid );
 $meta_values = PostmanLogFields::get_instance()->get( $postid );
 // https://css-tricks.com/examples/hrs/
@@ -360,7 +360,7 @@ class PostmanEmailLogController {
 /* Translators where (%s) is the name of the plugin */
 echo sprintf( __( '%s Email Log', 'post-smtp' ), __( 'Post SMTP', 'post-smtp' ) )?></h2>
- <?php include_once POST_PATH . '/Postman/extra/donation.php'; ?>
+ <?php include_once POST_SMTP_PATH . '/Postman/extra/donation.php'; ?>
 <div style="background: #ECECEC; border: 1px solid #CCC; padding: 0 10px; margin-top: 5px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px;"> |
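Review bot: The two `sprintf( 'nonce "%s" ...' )` lines in this hunk still write the raw nonce value into the plugin log at trace and warn level, and `sanitize_text_field()` only strips tags and control characters from it; a WordPress nonce stays valid for up to 24 hours, so a log file that is readable by a lower-privileged user or shipped off-box hands out a usable CSRF token. I would log the outcome without the value (`$this->logger->trace( 'nonce passed validation' );` and `$this->logger->warn( 'nonce failed validation' );`) and read the nonce once with an `isset()` guard instead of indexing `$_REQUEST ['_wpnonce']` in three places. The `absint()` on `$postid` also changes the nonce action to `delete_email_log_item_<int>`, which is fine as long as the link that issues the nonce builds it from the same integer id — worth confirming in the list-table code, which is not in this hunk. The enclosing method begins before this hunk and ends after it.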
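Review bot: `absint( $_REQUEST ['email'] )` yields `0` when `email` is missing or non-numeric, and the next line hands that straight to `get_post()`, which in WordPress falls back to the current global `$post` for an empty id; the transcript view would then render the meta of whatever post happens to be in scope instead of failing cleanly. Guard the id before the lookup, e.g. `$postid = isset( $_REQUEST ['email'] ) ? absint( $_REQUEST ['email'] ) : 0;` followed by `if ( $postid <= 0 || ! get_post( $postid ) ) { $this->redirectToLogPage(); return; }`, assuming the rest of the method (outside the hunk) tolerates an early return after the redirect. The enclosing method starts and ends outside this hunk.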