authoryehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664>2019-08-19 20:57:47 +0000
committeryehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664>2019-08-19 20:57:47 +0000
commitd1d82adca1dbb02382d7ccf49b8830816e8fa00f (patch)
treeba061c2b4c1f06cc67efcee7b85a3c8c25162905 /Postman/Postman-Email-Log
parent7aa4390a6702059342aad220e53e3aa4efc9caad (diff)
downloadPost-SMTP-d1d82adca1dbb02382d7ccf49b8830816e8fa00f.zip
Security issues
Diffstat (limited to 'Postman/Postman-Email-Log')
-rw-r--r--Postman/Postman-Email-Log/PostmanEmailLogController.php22
-rw-r--r--Postman/Postman-Email-Log/PostmanEmailLogPostType.php3
-rw-r--r--Postman/Postman-Email-Log/PostmanEmailLogService.php4
-rw-r--r--Postman/Postman-Email-Log/PostmanEmailLogView.php10
4 files changed, 32 insertions, 7 deletions
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogController.php b/Postman/Postman-Email-Log/PostmanEmailLogController.php
index 79751f3..d22b265 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogController.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogController.php
@@ -1,4 +1,8 @@
<?php
+if ( ! defined( 'ABSPATH' ) ) {
+ exit; // Exit if accessed directly
+}
+
require_once dirname(__DIR__) . '/PostmanEmailLogs.php';
require_once 'PostmanEmailLogService.php';
require_once 'PostmanEmailLogView.php';
@@ -73,7 +77,7 @@ class PostmanEmailLogController {
/**
*/
public function resendMail() {
- check_ajax_referer( 'resend', 'security' );
+ check_admin_referer( 'resend', 'security' );
// get the email address of the recipient from the HTTP Request
$postid = $this->getRequestParameter( 'email' );
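Review bot: The swap to check_admin_referer() on the first changed line verifies intent (a nonce) but not authorization; nothing in this hunk restricts resendMail() to users allowed to read and resend logged mail, so a capability gate such as `if ( ! PostmanUtils::isAdmin() ) { wp_die( -1 ); }` (the same guard the view handler in this file uses) should follow it, unless one appears later in the method — its body continues outside the hunk. The original check_ajax_referer() call and the 'security' parameter name suggest this is an admin-ajax handler; if so, note that check_admin_referer() fails with the HTML "Are you sure?" page rather than the -1 response an AJAX caller expects, which is worth confirming against how the action is registered.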
@@ -200,8 +204,13 @@ class PostmanEmailLogController {
// only do this for administrators
if ( PostmanUtils::isAdmin() ) {
$this->logger->trace( 'handling view item' );
- $postid = $_REQUEST ['email'];
+ $postid = absint( $_REQUEST ['email'] );
$post = get_post( $postid );
+
+ if ( $post->post_type !== 'postman_sent_mail' ) {
+ return;
+ }
+
$meta_values = PostmanEmailLogs::get_data( $postid );
// https://css-tricks.com/examples/hrs/
print '<html><head><style>body {font-family: monospace;} hr {
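Review bot: The added `$post->post_type` check dereferences the result of get_post() without a null guard; for an id that does not resolve, get_post() returns null, so PHP emits a warning on that line before the mismatched comparison happens to return. Write the guard as `if ( ! $post instanceof WP_Post || $post->post_type !== 'postman_sent_mail' ) {` so it fails closed without relying on a warning-producing comparison. Separately, `absint( $_REQUEST['email'] )` on a missing parameter yields 0, and get_post( 0 ) may fall back to the global post, so an `isset( $_REQUEST['email'] )` check before the lookup avoids printing log data for a post the caller never named. The enclosing method continues outside the hunk.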
@@ -369,18 +378,21 @@ class PostmanEmailLogController {
?>
<form id="postman-email-log-filter" method="post">
+ <input type="hidden" action="post-smtp-filter" value="1">
+ <?php wp_nonce_field('post-smtp', 'post-smtp-log'); ?>
+
<div id="email-log-filter" class="postman-log-row">
<div class="form-control">
<label for="from_date"><?php _e( 'From Date', 'post-smtp' ); ?></label>
- <input id="from_date" class="email-log-date" value="<?php echo $from_date; ?>" type="text" name="from_date" placeholder="<?php _e( 'From Date', 'post-smtp' ); ?>">
+ <input id="from_date" class="email-log-date" value="<?php echo esc_attr($from_date); ?>" type="text" name="from_date" placeholder="<?php _e( 'From Date', 'post-smtp' ); ?>">
</div>
<div class="form-control">
<label for="to_date"><?php _e( 'To Date', 'post-smtp' ); ?></label>
- <input id="to_date" class="email-log-date" value="<?php echo $to_date; ?>" type="text" name="to_date" placeholder="<?php _e( 'To Date', 'post-smtp' ); ?>">
+ <input id="to_date" class="email-log-date" value="<?php echo esc_attr($to_date); ?>" type="text" name="to_date" placeholder="<?php _e( 'To Date', 'post-smtp' ); ?>">
</div>
<div class="form-control">
<label for="search"><?php _e( 'Search', 'post-smtp' ); ?></label>
- <input id="search" type="text" name="search" value="<?php echo $search; ?>" placeholder="<?php _e( 'Search', 'post-smtp' ); ?>">
+ <input id="search" type="text" name="search" value="<?php echo esc_attr($search); ?>" placeholder="<?php _e( 'Search', 'post-smtp' ); ?>">
</div>
<div class="form-control">
<label id="postman_page_records"><?php _e( 'Records per page', 'post-smtp' ); ?></label>
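Review bot: The added hidden input `<input type="hidden" action="post-smtp-filter" value="1">` has no name attribute, so browsers never submit it and `$_POST['action']` is never 'post-smtp-filter'; the nonce verification that prepare_items() in PostmanEmailLogView.php keys on that value therefore never runs, and the wp_nonce_field() emitted on the next line is rendered but never checked. It should read `<input type="hidden" name="action" value="post-smtp-filter">`. The esc_attr() wrapping of the three value attributes is the right fix; the placeholder attributes on those same lines still echo via _e() unescaped, which is pre-existing but would be consistent to change to esc_attr_e() while here. The enclosing method starts and ends outside the hunk.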
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogPostType.php b/Postman/Postman-Email-Log/PostmanEmailLogPostType.php
index 38ab1d0..cf297db 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogPostType.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogPostType.php
@@ -1,4 +1,7 @@
<?php
+if ( ! defined( 'ABSPATH' ) ) {
+ exit; // Exit if accessed directly
+}
if (! class_exists ( 'PostmanEmailLogPostType' )) {
/**
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogService.php b/Postman/Postman-Email-Log/PostmanEmailLogService.php
index b1b1dff..75c3879 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogService.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogService.php
@@ -1,4 +1,8 @@
<?php
+if ( ! defined( 'ABSPATH' ) ) {
+ exit; // Exit if accessed directly
+}
+
if ( ! class_exists( 'PostmanEmailLog' ) ) {
class PostmanEmailLog {
public $sender;
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogView.php b/Postman/Postman-Email-Log/PostmanEmailLogView.php
index a9722bd..02da123 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogView.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogView.php
@@ -1,5 +1,7 @@
<?php
-
+if ( ! defined( 'ABSPATH' ) ) {
+ exit; // Exit if accessed directly
+}
require_once dirname(__DIR__) . '/PostmanEmailLogs.php';
/**
@@ -260,8 +262,12 @@ class PostmanEmailLogView extends WP_List_Table {
* ************************************************************************
*/
function prepare_items() {
+ if ( isset( $_POST['action'] ) && $_POST['action'] == 'post-smtp-filter' ) {
+ if ( ! wp_verify_nonce( $_REQUEST['post-smtp-log'], 'post-smtp' ) )
+ die( 'Security check' );
+ }
- /**
+ /**
* First, lets decide how many records per page to show
*/
$per_page = isset( $_POST['postman_page_records'] ) ? absint( $_POST['postman_page_records'] ) : 10;
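Review bot: `$_REQUEST['post-smtp-log']` in the added wp_verify_nonce() call is read without isset(), so a POST that carries the action field but omits the nonce raises an undefined-index notice before the check fails, and the outer condition uses loose `==` where strict comparison is the plugin-wide convention (the same file's prepare_items already uses absint() on its other inputs). The verification is also gated on the client announcing itself via `$_POST['action']`, so a filter POST that simply omits that field skips the nonce entirely; the check should fail closed on any POST carrying the filter parameters rather than only when asked. A tighter form of the added lines: `if ( isset( $_POST['action'] ) && 'post-smtp-filter' === $_POST['action'] ) {` / `if ( ! isset( $_REQUEST['post-smtp-log'] ) || ! wp_verify_nonce( sanitize_key( $_REQUEST['post-smtp-log'] ), 'post-smtp' ) ) {` / `wp_die( 'Security check' ); } }`, with wp_die() in place of die() so the failure goes through WordPress's normal handling. prepare_items() continues outside the hunk.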