From 50a7ca3d921d59e1d2b39bb6ab3c6c7efde494b8 Mon Sep 17 00:00:00 2001
From: Vova Feldman
Date: Mon, 25 Feb 2019 08:18:27 +0200
Subject: [PATCH] [debug] [security] [fix] [major] Restrict the options update to admins and only to the SDK's options (starting with 'fs_').
---
 includes/class-freemius.php | 23 ++++++++++++++++++++++-
 templates/debug.php | 2 ++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/includes/class-freemius.php b/includes/class-freemius.php
index 470e92f41..d85a5baf8 100755
--- a/includes/class-freemius.php
+++ b/includes/class-freemius.php
@@ -2977,6 +2977,10 @@ static function _add_debug_section() {
 * @since 1.1.7.3
 */
 static function _toggle_debug_mode() {
+ if ( ! is_super_admin() ) {
+ return;
+ }
+
 $is_on = fs_request_get( 'is_on', false, 'post' );
 if ( fs_request_is_post() && in_array( $is_on, array( 0, 1 ) ) ) {
@@ -3008,8 +3012,16 @@ static function _get_debug_log() {
 * @since 1.2.1.7
 */
 static function _get_db_option() {
+ check_admin_referer( 'fs_get_db_option' );
+
 $option_name = fs_request_get( 'option_name' );
+ if ( ! is_super_admin() ||
+ ! fs_starts_with( $option_name, 'fs_' )
+ ) {
+ self::shoot_ajax_failure();
+ }
+
 $value = get_option( $option_name );
 $result = array(
@@ -3032,7 +3044,16 @@ static function _get_db_option() {
 * @since 1.2.1.7
 */
 static function _set_db_option() {
- $option_name = fs_request_get( 'option_name' );
+ check_admin_referer( 'fs_set_db_option' );
+
+ $option_name = fs_request_get( 'option_name' );
+
+ if ( ! is_super_admin() ||
+ ! fs_starts_with( $option_name, 'fs_' )
+ ) {
+ self::shoot_ajax_failure();
+ }
+
 $option_value = fs_request_get( 'option_value' );
 if ( ! empty( $option_value ) ) {
diff --git a/templates/debug.php b/templates/debug.php
index fa1232d33..bafff1614 100644
--- a/templates/debug.php
+++ b/templates/debug.php
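Review bot: The new `is_super_admin()` guard at the top of `_toggle_debug_mode()` still leaves this POST handler without a nonce, while the two sibling handlers in the same patch gain `check_admin_referer()`; a state-changing request should be bound to a nonce the same way, e.g. `check_admin_referer( 'fs_toggle_debug_mode' );` right after the capability check, with the matching `wp_create_nonce()` value sent by the caller. Returning silently also differs from the `self::shoot_ajax_failure()` used in `_get_db_option()` and `_set_db_option()`; if this is wired as an AJAX endpoint like those two, failing the same way gives the caller a consistent error instead of an empty 200. On the context line, `in_array( $is_on, array( 0, 1 ) )` is a loose comparison, so on PHP 7 any non-numeric string compares equal to `0`; since the value arrives as a request string, `in_array( $is_on, array( '0', '1' ), true )` would pin it down (pre-existing, but worth tightening while the guard is being touched). The body of `_toggle_debug_mode()` continues past the end of the hunk.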
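Review bot: Execution falls through to `get_option( $option_name )` if `self::shoot_ajax_failure()` ever returns; the guard in `_get_db_option()` (and the identical one in `_set_db_option()` in the next hunk) relies on that call terminating the request, which `wp_send_json_error()` does but nothing on this page shows. An explicit `return;` after the call, or a comment such as `// shoot_ajax_failure() ends the request; nothing below runs for non-admins or non-fs_ options.`, makes that contract visible to the next reader. It is also worth noting in the docblock that the `fs_` prefix check is what keeps this endpoint from reading arbitrary WordPress options, so future edits do not loosen it. `_get_db_option()` continues beyond the hunk.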
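Review bot: The nonce check plus the `is_super_admin()`/`fs_starts_with( $option_name, 'fs_' )` guard in `_set_db_option()` is a verbatim copy of the block added to `_get_db_option()` one hunk earlier, so the two AJAX handlers will drift apart the next time the policy changes. Pulling the guard into one private helper that both handlers call keeps the admin-and-prefix rule in a single place; a sketch is below. The `if ( ! empty( $option_value ) )` context line means a submitted value of `'0'` is silently ignored by this handler, which is pre-existing but deserves a comment. The rest of `_set_db_option()` lies outside the hunk.
```php
/**
 * Shared guard for the debug-page option handlers: valid nonce, super-admin
 * caller, and an option name inside the SDK's 'fs_' namespace.
 * Relies on shoot_ajax_failure() terminating the request.
 */
private static function _verify_db_option_request( $nonce_action, $option_name ) {
    check_admin_referer( $nonce_action );

    if ( ! is_super_admin() ||
         ! fs_starts_with( $option_name, 'fs_' )
    ) {
        self::shoot_ajax_failure();
    }
}

static function _set_db_option() {
    $option_name = fs_request_get( 'option_name' );
    self::_verify_db_option_request( 'fs_set_db_option', $option_name );
    // … unchanged: option_value handling …
```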
@@ -113,6 +113,7 @@
 if (optionName) {
 $.post(ajaxurl, {
 action : 'fs_get_db_option',
+ _wpnonce : '',
 option_name: optionName
 }, function (response) {
 if (response.data.value)
@@ -132,6 +133,7 @@
 if (optionValue) {
 $.post(ajaxurl, {
 action : 'fs_set_db_option',
+ _wpnonce : '',
 option_name : optionName,
 option_value: optionValue
 }, function () {
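Review bot: Both hunks post `_wpnonce : ''`, so the `check_admin_referer( 'fs_get_db_option' )` and `check_admin_referer( 'fs_set_db_option' )` calls added in class-freemius.php will reject every request from this page until the template emits a real nonce. Because debug.php is a PHP template, the value can be generated inline, e.g. `_wpnonce : '<?php echo wp_create_nonce( 'fs_get_db_option' ); ?>',` in the first hunk and the same line with `'fs_set_db_option'` in the second; the action strings must match the ones passed to `check_admin_referer()` exactly, so a shared constant or a comment naming the pairing would help. Each `$.post()` call sits inside an `if` block whose enclosing click handler is outside the hunk.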