From aeb5cf0276bb7b658997281ba34abf6e69fe17bb Mon Sep 17 00:00:00 2001
From: yehudah
Date: Mon, 26 Aug 2019 13:21:06 +0000
Subject: security + bugs
---
 .../PostmanConnectivityTestController.php | 10 ++++++++++
 Postman/Postman-Connectivity-Test/postman_port_test.js | 4 ++--
 Postman/Postman-Mail/PostmanSmtpModuleTransport.php | 2 ++
 Postman/PostmanInputSanitizer.php | 7 +++++--
 Postman/PostmanViewController.php | 2 +-
 5 files changed, 20 insertions(+), 5 deletions(-)
(limited to 'Postman')
diff --git a/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php b/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php
index 3e17dbd..6ff5a69 100644
--- a/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php
+++ b/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php
@@ -98,6 +98,14 @@ class PostmanConnectivityTestController {
 wp_enqueue_script( 'postman_port_test_script' );
 $warning = __( 'Warning', 'post-smtp' );
 wp_localize_script( PostmanViewController::POSTMAN_SCRIPT, 'postman_hostname_element_name', '#input_' . PostmanOptions::HOSTNAME );
+ wp_localize_script( PostmanViewController::POSTMAN_SCRIPT, 'postman_email_test', array(
+ 'recipient' => '#' . PostmanSendTestEmailController::RECIPIENT_EMAIL_FIELD_NAME,
+ 'not_started' => _x( 'In Outbox', 'Email Test Status', 'post-smtp' ),
+ 'sending' => _x( 'Sending...', 'Email Test Status', 'post-smtp' ),
+ 'success' => _x( 'Success', 'Email Test Status', 'post-smtp' ),
+ 'failed' => _x( 'Failed', 'Email Test Status', 'post-smtp' ),
+ 'ajax_error' => __( 'Ajax Error', 'post-smtp' ),
+ ) );
 PostmanConnectivityTestController::addLocalizeScriptForPortTest();
 }
 static function addLocalizeScriptForPortTest() {
@@ -135,6 +143,8 @@ class PostmanConnectivityTestController {
 public function outputPortTestContent() {
 print '
'; + wp_nonce_field('post-smtp', 'security'); + PostmanViewController::outputChildPageHeader( __( 'Connectivity Test', 'post-smtp' ) ); print '

';
diff --git a/Postman/Postman-Connectivity-Test/postman_port_test.js b/Postman/Postman-Connectivity-Test/postman_port_test.js
index 1d5c3fb..8667c06 100644
--- a/Postman/Postman-Connectivity-Test/postman_port_test.js
+++ b/Postman/Postman-Connectivity-Test/postman_port_test.js
@@ -73,7 +73,7 @@ function portQuizTest(socket, hostname, port) {
 'action' : 'postman_port_quiz_test',
 'hostname' : hostname,
 'port' : port,
- '_wpnonce' : jQuery('#_wpnonce').val(),
+ 'security' : jQuery('#security').val(),
 };
 jQuery.post(
 ajaxurl,
@@ -201,7 +201,7 @@ function portTest3(socket, hostname, port, open) {
 'action' : 'postman_test_smtps',
 'hostname' : hostname,
 'port' : port,
- '_wpnonce' : jQuery('#_wpnonce').val(),
+ 'security' : jQuery('#security').val(),
 };
 jQuery
 .post(
diff --git a/Postman/Postman-Mail/PostmanSmtpModuleTransport.php b/Postman/Postman-Mail/PostmanSmtpModuleTransport.php
index f7d8009..7442972 100644
--- a/Postman/Postman-Mail/PostmanSmtpModuleTransport.php
+++ b/Postman/Postman-Mail/PostmanSmtpModuleTransport.php
@@ -542,6 +542,8 @@ class PostmanSmtpModuleTransport extends PostmanAbstractZendModuleTransport impl
 printf( '%s', _x( 'Which host will relay the mail?', 'Wizard Step Title', 'post-smtp' ) );
 printf( '
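Review bot: The field emitted by `wp_nonce_field('post-smtp', 'security')` gets `id="security"` as well as `name="security"`, and both postman_port_test.js hunks read it with `jQuery('#security').val()`; `security` is the conventional nonce field name on WordPress admin screens, so if any other plugin's field with that id is on the same page the selector returns the first match and the test posts a nonce minted for a different action. Scoping the lookup to this screen, e.g. `jQuery('#postman-port-test-form #security').val()` with the matching wrapper id, or choosing a plugin-specific field name, avoids that collision. The handlers for `postman_port_quiz_test` and `postman_test_smtps` that consume the renamed key are not in this diff, so it is not visible here that they now call `check_ajax_referer( 'post-smtp', 'security' )`; a handler still checking the default `_wpnonce` field would reject every request after this change. outputPortTestContent continues past the end of the hunk.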

%s

', __( 'This is the Outgoing (SMTP) Mail Server, or Mail Submission Agent (MSA), which Postman delegates mail delivery to. This server is specific to your email account, and if you don\'t know what to use, ask your email service provider.', 'post-smtp' ) ); printf( '

%s

', __( 'Note that many WordPress hosts, such as GoDaddy, Bluehost and Dreamhost, require that you use their mail accounts with their mail servers, and prevent you from using others.', 'post-smtp' ) ); + + printf( '
%s

', __( 'If you plan to use An API and not SMTP just type any value.', 'post-smtp' ) );
 printf( '', __( 'Outgoing Mail Server Hostname', 'post-smtp' ) );
 print $this->hostname_callback();
 printf( '', plugins_url( 'post-smtp/style/ajax-loader.gif' ) );
diff --git a/Postman/PostmanInputSanitizer.php b/Postman/PostmanInputSanitizer.php
index e33f6c4..1b73378 100644
--- a/Postman/PostmanInputSanitizer.php
+++ b/Postman/PostmanInputSanitizer.php
@@ -93,6 +93,8 @@ if ( ! class_exists( 'PostmanInputSanitizer' ) ) {
 $this->sanitizeString( 'Fallback username', PostmanOptions::FALLBACK_SMTP_USERNAME, $input, $new_input );
 $this->sanitizePassword( 'Fallback password', PostmanOptions::FALLBACK_SMTP_PASSWORD, $input, $new_input, $this->options->getFallbackPassword() );
+ $new_input = apply_filters( 'post_smtp_sanitize', $new_input, $input, $this );
+
 if ( $new_input [ PostmanOptions::CLIENT_ID ] != $this->options->getClientId() || $new_input [ PostmanOptions::CLIENT_SECRET ] != $this->options->getClientSecret() || $new_input [ PostmanOptions::HOSTNAME ] != $this->options->getHostname() ) {
 $this->logger->debug( 'Recognized new Client ID' );
 // the user entered a new client id and we should destroy the stored auth token
@@ -115,7 +117,8 @@ if ( ! class_exists( 'PostmanInputSanitizer' ) ) {
 return $new_input;
 }
- private function sanitizeString( $desc, $key, $input, &$new_input ) {
+
+ public function sanitizeString( $desc, $key, $input, &$new_input ) {
 if ( isset( $input [ $key ] ) ) {
 $this->logSanitize( $desc, $input [ $key ] );
 $new_input [ $key ] = trim( $input [ $key ] );
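Review bot: The new help string on the added printf line reads "use An API and not SMTP just type any value", which capitalises "An" mid-sentence and is missing the comma before the main clause; since this is a translatable user-facing string the wording should be right before it becomes a translation key, e.g. `__( 'If you plan to use an API and not SMTP, just type any value.', 'post-smtp' )`. The surrounding printf calls pass translated text into `%s` without escaping, and the new line follows that existing pattern; it is worth confirming that the markup stripped from this hunk is static so the text lands in HTML context as intended. The enclosing method starts and ends outside the hunk.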
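Review bot: The added `apply_filters( 'post_smtp_sanitize', $new_input, $input, $this )` runs after every sanitizer in this method and its return value is used unchecked by the `$new_input [ PostmanOptions::CLIENT_ID ]` comparison directly below, so a hooked callback that returns null, a non-array, or values it has not sanitized becomes what the plugin stores. Assigning only when the result is well-formed keeps the fallback intact: `$filtered = apply_filters( 'post_smtp_sanitize', $new_input, $input, $this );` then `if ( is_array( $filtered ) ) { $new_input = $filtered; }`. The hook also deserves a docblock above it stating that callbacks receive the already-sanitized array plus the raw `$input` and the sanitizer instance, and that they are responsible for sanitizing any value they add or change, which is presumably why the raw input and `$this` are exposed. The enclosing method continues outside the hunk.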
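Review bot: `sanitizeString` becomes public with no docblock, while the sibling `sanitizePassword` made public in the next hunk carries `@param` lines; now that it is an API surface for the new `post_smtp_sanitize` hook, it should document that `$desc` is only used for logging, `$key` is the option name read from `$input`, and `$new_input` is written by reference with the trimmed value when the key is present. The added `+` blank line above the signature also leaves two consecutive blank lines after the closing brace of the previous method. The method body continues past the end of the hunk.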
@@ -130,7 +133,7 @@ if ( ! class_exists( 'PostmanInputSanitizer' ) ) {
 * @param mixed $input
 * @param mixed $new_input
 */
- private function sanitizePassword( $desc, $key, $input, &$new_input, $existingPassword ) {
+ public function sanitizePassword( $desc, $key, $input, &$new_input, $existingPassword ) {
 // WordPress calling Sanitize twice is a known issue
 // https://core.trac.wordpress.org/ticket/21989
 $action = PostmanSession::getInstance()->getAction();
diff --git a/Postman/PostmanViewController.php b/Postman/PostmanViewController.php
index 7d5c35d..e41234c 100644
--- a/Postman/PostmanViewController.php
+++ b/Postman/PostmanViewController.php
@@ -121,7 +121,7 @@ if ( ! class_exists( 'PostmanViewController' ) ) {
 }
 function enqueueHomeScreenStylesheet() {
 wp_enqueue_style( PostmanViewController::POSTMAN_STYLE );
- wp_enqueue_script( 'postman_script' );
+ wp_enqueue_script( PostmanViewController::POSTMAN_SCRIPT );
 }
 /**
-- cgit v1.2.3