[debug] [security] [fix] [major] Restrict the options update to admin…

…s and only to the SDK's options (starting with 'fs_').
Freemius · Feb 25, 2019 · 50a7ca3 · 50a7ca3
1 parent 34dfa26
commit 50a7ca3
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/includes/class-freemius.php b/includes/class-freemius.php
@@ -2977,6 +2977,10 @@ static function _add_debug_section() {
          * @since  1.1.7.3
          */
         static function _toggle_debug_mode() {
+            if ( ! is_super_admin() ) {
+                return;
+            }
+
             $is_on = fs_request_get( 'is_on', false, 'post' );
 
             if ( fs_request_is_post() && in_array( $is_on, array( 0, 1 ) ) ) {
@@ -3008,8 +3012,16 @@ static function _get_debug_log() {
          * @since  1.2.1.7
          */
         static function _get_db_option() {
+            check_admin_referer( 'fs_get_db_option' );
+
             $option_name = fs_request_get( 'option_name' );
 
+            if ( ! is_super_admin() ||
+                 ! fs_starts_with( $option_name, 'fs_' )
+            ) {
+                self::shoot_ajax_failure();
+            }
+
             $value = get_option( $option_name );
 
             $result = array(
@@ -3032,7 +3044,16 @@ static function _get_db_option() {
          * @since  1.2.1.7
          */
         static function _set_db_option() {
-            $option_name  = fs_request_get( 'option_name' );
+            check_admin_referer( 'fs_set_db_option' );
+
+            $option_name = fs_request_get( 'option_name' );
+
+            if ( ! is_super_admin() ||
+                 ! fs_starts_with( $option_name, 'fs_' )
+            ) {
+                self::shoot_ajax_failure();
+            }
+
             $option_value = fs_request_get( 'option_value' );
 
             if ( ! empty( $option_value ) ) {

diff --git a/templates/debug.php b/templates/debug.php
@@ -113,6 +113,7 @@
             if (optionName) {
                 $.post(ajaxurl, {
                     action     : 'fs_get_db_option',
+                    _wpnonce   : '<?php echo wp_create_nonce( 'fs_get_db_option' ) ?>',
                     option_name: optionName
                 }, function (response) {
                     if (response.data.value)
@@ -132,6 +133,7 @@
                 if (optionValue) {
                     $.post(ajaxurl, {
                         action      : 'fs_set_db_option',
+                        _wpnonce   : '<?php echo wp_create_nonce( 'fs_set_db_option' ) ?>',
                         option_name : optionName,
                         option_value: optionValue
                     }, function () {