
[debug] [security] [fix] [major] Restrict the options update to admins and only to the SDK's options (starting with 'fs_').
vovafeldman committed Feb 25, 2019
1 parent 34dfa26 commit 50a7ca3d921d59e1d2b39bb6ab3c6c7efde494b8
Showing with 24 additions and 1 deletion.
  1. +22 −1 includes/class-freemius.php
  2. +2 −0 templates/debug.php
@@ -2977,6 +2977,10 @@ static function _add_debug_section() {
* @since 1.1.7.3
*/
static function _toggle_debug_mode() {
if ( ! is_super_admin() ) {
return;
}
$is_on = fs_request_get( 'is_on', false, 'post' );
if ( fs_request_is_post() && in_array( $is_on, array( 0, 1 ) ) ) {
@@ -3008,8 +3012,16 @@ static function _get_debug_log() {
* @since 1.2.1.7
*/
static function _get_db_option() {
check_admin_referer( 'fs_get_db_option' );
$option_name = fs_request_get( 'option_name' );
if ( ! is_super_admin() ||
! fs_starts_with( $option_name, 'fs_' )
) {
self::shoot_ajax_failure();
}
$value = get_option( $option_name );
$result = array(
@@ -3032,7 +3044,16 @@ static function _get_db_option() {
* @since 1.2.1.7
*/
static function _set_db_option() {
$option_name = fs_request_get( 'option_name' );
check_admin_referer( 'fs_set_db_option' );
$option_name = fs_request_get( 'option_name' );
if ( ! is_super_admin() ||
! fs_starts_with( $option_name, 'fs_' )
) {
self::shoot_ajax_failure();
}
$option_value = fs_request_get( 'option_value' );
if ( ! empty( $option_value ) ) {
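Review bot: `_toggle_debug_mode()` gains only the `is_super_admin()` authorization guard, while `_get_db_option()` and `_set_db_option()` in the same commit also gain `check_admin_referer()`; as shown, the toggle still acts on an `is_on` POST value with no nonce, so a logged-in super admin stays exposed to cross-site request forgery unless a referer check exists outside the hunk, and a `check_admin_referer()` call with the action name the template sends would close that gap. The pre-existing `in_array( $is_on, array( 0, 1 ) )` is a loose comparison, so on PHP 7 any non-numeric string compares equal to `0`; `in_array( $is_on, array( '0', '1' ), true )` pins it. In both option handlers, execution only stops after `self::shoot_ajax_failure()` if that helper terminates the request; if it merely emits a JSON response, `get_option()` and `update_option()` still run for a non-admin, so an explicit `return;` after each call makes the intent robust regardless of the helper's behavior. The bodies of all three handlers continue outside the hunks.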
@@ -113,6 +113,7 @@
if (optionName) {
$.post(ajaxurl, {
action : 'fs_get_db_option',
_wpnonce : '<?php echo wp_create_nonce( 'fs_get_db_option' ) ?>',
option_name: optionName
}, function (response) {
if (response.data.value)
@@ -132,6 +133,7 @@
if (optionValue) {
$.post(ajaxurl, {
action : 'fs_set_db_option',
_wpnonce : '<?php echo wp_create_nonce( 'fs_set_db_option' ) ?>',
option_name : optionName,
option_value: optionValue
}, function () {
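Review bot: The nonce is written into a JavaScript string literal with a bare `echo wp_create_nonce( ... )` in both hunks; the value WordPress produces is a short hash so this is not exploitable today, but the convention inside script blocks is `echo esc_js( wp_create_nonce( 'fs_get_db_option' ) )` (and likewise for `'fs_set_db_option'`) so that whatever is echoed can never break out of the surrounding quotes. The nonce is also minted once at page render, so a debug page left open past the nonce lifetime will start receiving failures from `check_admin_referer()` on the server; surfacing that in the response callback would avoid a silent no-op. Both hunks sit inside a jQuery handler whose start and end are outside the hunk.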

