author | yehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664> | 2019-08-19 20:57:47 +0000 |
---|---|---|
committer | yehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664> | 2019-08-19 20:57:47 +0000 |
commit | d1d82adca1dbb02382d7ccf49b8830816e8fa00f (patch) | |
tree | ba061c2b4c1f06cc67efcee7b85a3c8c25162905 /Postman/Postman-Email-Log/PostmanEmailLogController.php | |
parent | 7aa4390a6702059342aad220e53e3aa4efc9caad (diff) | |
download | Post-SMTP-d1d82adca1dbb02382d7ccf49b8830816e8fa00f.zip |
Security issues
Diffstat (limited to 'Postman/Postman-Email-Log/PostmanEmailLogController.php')
-rw-r--r-- | Postman/Postman-Email-Log/PostmanEmailLogController.php | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogController.php b/Postman/Postman-Email-Log/PostmanEmailLogController.php
index 79751f3..d22b265 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogController.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogController.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+ exit; // Exit if accessed directly
+}
+
 require_once dirname(__DIR__) . '/PostmanEmailLogs.php';
 require_once 'PostmanEmailLogService.php';
 require_once 'PostmanEmailLogView.php';
@@ -73,7 +77,7 @@ class PostmanEmailLogController {
 /**
 */
 public function resendMail() {
- check_ajax_referer( 'resend', 'security' );
+ check_admin_referer( 'resend', 'security' );
 
 // get the email address of the recipient from the HTTP Request
 $postid = $this->getRequestParameter( 'email' );
@@ -200,8 +204,13 @@ class PostmanEmailLogController {
 // only do this for administrators
 if ( PostmanUtils::isAdmin() ) {
 $this->logger->trace( 'handling view item' );
- $postid = $_REQUEST ['email'];
+ $postid = absint( $_REQUEST ['email'] );
 $post = get_post( $postid );
+
+ if ( $post->post_type !== 'postman_sent_mail' ) {
+ return;
+ }
+
 $meta_values = PostmanEmailLogs::get_data( $postid );
 // https://css-tricks.com/examples/hrs/
 print '<html><head><style>body {font-family: monospace;} hr { 
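Review bot: Replacing check_ajax_referer with check_admin_referer on the resendMail line changes what happens on a failed nonce: check_admin_referer dies through wp_nonce_ays(), which renders an HTML "are you sure" page, while check_ajax_referer dies with -1 (HTTP 403 under admin-ajax), which a JavaScript caller can actually interpret. The hunk does not show how resendMail is hooked, but the name and the existing 'security' query argument suggest an admin-ajax handler; if so, `check_ajax_referer( 'resend', 'security' );` was already the right nonce check and the new call only degrades the error response without strengthening verification. If there is a reason for the swap, record it in a comment above the call. resendMail continues past the end of this hunk.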
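Review bot: The new guard reads `$post->post_type` before checking that get_post() returned a post; get_post() returns null for an id that does not exist (and absint() of a non-numeric value yields 0), so a malformed request emits a PHP warning before the early return instead of exiting cleanly. Check the null first: `if ( ! $post || 'postman_sent_mail' !== $post->post_type ) { return; }`. The new absint() line also reads `$_REQUEST ['email']` without isset(), which raises an undefined-index notice when the parameter is absent; `$postid = isset( $_REQUEST['email'] ) ? absint( $_REQUEST['email'] ) : 0;` avoids that. The enclosing method starts before this hunk and its print output continues after it.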
@@ -369,18 +378,21 @@ class PostmanEmailLogController {
 ?>
 <form id="postman-email-log-filter" method="post">
+ <input type="hidden" action="post-smtp-filter" value="1">
+ <?php wp_nonce_field('post-smtp', 'post-smtp-log'); ?>
+
 <div id="email-log-filter" class="postman-log-row">
 <div class="form-control">
 <label for="from_date"><?php _e( 'From Date', 'post-smtp' ); ?></label>
- <input id="from_date" class="email-log-date" value="<?php echo $from_date; ?>" type="text" name="from_date" placeholder="<?php _e( 'From Date', 'post-smtp' ); ?>">
+ <input id="from_date" class="email-log-date" value="<?php echo esc_attr($from_date); ?>" type="text" name="from_date" placeholder="<?php _e( 'From Date', 'post-smtp' ); ?>">
 </div>
 <div class="form-control">
 <label for="to_date"><?php _e( 'To Date', 'post-smtp' ); ?></label>
- <input id="to_date" class="email-log-date" value="<?php echo $to_date; ?>" type="text" name="to_date" placeholder="<?php _e( 'To Date', 'post-smtp' ); ?>">
+ <input id="to_date" class="email-log-date" value="<?php echo esc_attr($to_date); ?>" type="text" name="to_date" placeholder="<?php _e( 'To Date', 'post-smtp' ); ?>">
 </div>
 <div class="form-control">
 <label for="search"><?php _e( 'Search', 'post-smtp' ); ?></label>
- <input id="search" type="text" name="search" value="<?php echo $search; ?>" placeholder="<?php _e( 'Search', 'post-smtp' ); ?>">
+ <input id="search" type="text" name="search" value="<?php echo esc_attr($search); ?>" placeholder="<?php _e( 'Search', 'post-smtp' ); ?>">
 </div>
 <div class="form-control">
 <label id="postman_page_records"><?php _e( 'Records per page', 'post-smtp' ); ?></label>