From 19d085f0073690137ba199364ba52831bfe3214b Mon Sep 17 00:00:00 2001 From: jascha ehrenreich Date: Thu, 20 Feb 2014 04:31:45 +0100 Subject: [PATCH 1/4] fixed variable naming bug this would have either output an empty $after_widget var if $before_widget is designed OR if would have ignored the set $after_widget var if the $before_widget var is unset. --- mailchimp_widget.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mailchimp_widget.php b/mailchimp_widget.php index 718619a..cec2401 100644 --- a/mailchimp_widget.php +++ b/mailchimp_widget.php @@ -270,7 +270,7 @@ function mailchimpSF_signup_form($args = array()) { Date: Thu, 22 May 2014 11:09:41 -0500 Subject: [PATCH 2/4] Fixes #22, CSS datepicker conflict --- mailchimp.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mailchimp.php b/mailchimp.php index ae36e99..ca3b8bb 100644 --- a/mailchimp.php +++ b/mailchimp.php @@ -269,7 +269,7 @@ function mailchimpSF_main_css() { ul.mc_list li { font-size: 12px; } - .ui-datepicker-year { + #ui-datepicker-div .ui-datepicker-year { display: none; } #ui-datepicker-div.show .ui-datepicker-year { From 3d31aca1fc0c3e7af403aae70a8bada9ccfa47ed Mon Sep 17 00:00:00 2001 From: Chris Mospaw Date: Mon, 8 Sep 2014 15:45:06 -0600 Subject: [PATCH 3/4] add customized wp_nonces functions for post-back behavior --- mailchimp.php | 80 +++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 74 insertions(+), 6 deletions(-) diff --git a/mailchimp.php b/mailchimp.php index ca3b8bb..1441ccf 100644 --- a/mailchimp.php +++ b/mailchimp.php @@ -3,7 +3,7 @@ Plugin Name: MailChimp Plugin URI: http://www.mailchimp.com/plugins/mailchimp-wordpress-plugin/ Description: The MailChimp plugin allows you to quickly and easily add a signup form for your MailChimp list. -Version: 1.4.1 +Version: 1.4.2 Author: MailChimp and Crowd Favorite Author URI: http://mailchimp.com/api/ */ 
@@ -25,7 +25,7 @@ */ // Version constant for easy CSS refreshes -define('MCSF_VER', '1.4.1'); +define('MCSF_VER', '1.4.2'); // What's our permission (capability) threshold define('MCSF_CAP_THRESHOLD', 'manage_options'); @@ -352,7 +352,7 @@ function mailchimpSF_auth_nonce_key($salt = null) { if (is_null($salt)) { $salt = mailchimpSF_auth_nonce_salt(); } - return md5('social_authentication'.AUTH_KEY.$salt); + return 'social_authentication' . md5( AUTH_KEY . $salt ); } function mailchimpSF_auth_nonce_salt() { @@ -364,7 +364,8 @@ function mailchimpSF_authorize() { $proxy = apply_filters('mailchimp_authorize_url', $api->getApiUrl('authorize')); if (strpos($proxy, 'socialize-this') !== false) { $salt = mailchimpSF_auth_nonce_salt(); - $id = wp_create_nonce(mailchimpSF_auth_nonce_key($salt)); + $id = mailchimpSF_create_nonce( mailchimpSF_auth_nonce_key( $salt ) ); + $url = home_url('index.php'); $args = array( 'mcsf_action' => 'authorized', @@ -393,7 +394,8 @@ function mailchimpSF_authorized() { $nonce = stripslashes($_POST['id']); $salt = stripslashes($_GET['salt']); - if (wp_verify_nonce($nonce, mailchimpSF_auth_nonce_key($salt)) === false) { + + if (mailchimpSF_verify_nonce( $nonce, mailchimpSF_auth_nonce_key( $salt ) ) === false) { wp_die('Cheatin’ huh?'); } 
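Review bot: The callback still dereferences `$_POST['id']` and `$_GET['salt']` unguarded on the two context lines just above the new verify call, so a post-back missing either key raises an undefined-index notice before `mailchimpSF_verify_nonce` gets to reject the empty nonce. Since the new helper explicitly returns false on an empty nonce, the cheap fix is `$nonce = isset($_POST['id']) ? stripslashes($_POST['id']) : '';` and `$salt = isset($_GET['salt']) ? stripslashes($_GET['salt']) : '';`. The `=== false` comparison is the right one to keep, because the replacement helper returns 1 or 2 on success rather than true. mailchimpSF_authorized continues outside the hunk.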
@@ -1520,4 +1522,70 @@ function mailchimpSF_where_am_i() { } -?> +/** + * MODIFIED VERSION of wp_verify_nonce from WP Core. Core was not overridden to prevent problems when replacing + * something universally. + * + * Verify that correct nonce was used with time limit. + * + * The user is given an amount of time to use the token, so therefore, since the + * UID and $action remain the same, the independent variable is the time. + * + * @param string $nonce Nonce that was used in the form to verify + * @param string|int $action Should give context to what is taking place and be the same when nonce was created. + * @return bool Whether the nonce check passed or failed. + */ +function mailchimpSF_verify_nonce($nonce, $action = -1) { + $user = wp_get_current_user(); + $uid = (int) $user->ID; + if ( ! $uid ) { + $uid = apply_filters( 'nonce_user_logged_out', $uid, $action ); + } + + if ( empty( $nonce ) ) { + return false; + } + + $token = 'MAILCHIMP'; + $i = wp_nonce_tick(); + + // Nonce generated 0-12 hours ago + $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 ); + if ( hash_equals( $expected, $nonce ) ) { + return 1; + } + + // Nonce generated 12-24 hours ago + $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ); + if ( hash_equals( $expected, $nonce ) ) { + return 2; + } + + // Invalid nonce + return false; +} + + +/** + * MODIFIED VERSION of wp_create_nonce from WP Core. Core was not overridden to prevent problems when replacing + * something universally. + * + * Creates a cryptographic token tied to a specific action, user, and window of time. + * + * @param string $action Scalar value to add context to the nonce. + * @return string The token. + */ +function mailchimpSF_create_nonce($action = -1) { + $user = wp_get_current_user(); + $uid = (int) $user->ID; + if ( ! 
$uid ) { + /** This filter is documented in wp-includes/pluggable.php */ + $uid = apply_filters( 'nonce_user_logged_out', $uid, $action ); + } + + $token = 'MAILCHIMP'; + $i = wp_nonce_tick(); + + return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ); +} + From 3f48cbe77ef767c13a949bbfc20e068143b3825a Mon Sep 17 00:00:00 2001 From: Steven Mathias Date: Fri, 19 Sep 2014 11:00:34 -0600 Subject: [PATCH 4/4] Updated changelog. --- readme.txt | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/readme.txt b/readme.txt index 4c1116e..b559224 100644 --- a/readme.txt +++ b/readme.txt @@ -2,8 +2,8 @@ Contributors: crowdfavorite Tags: mailchimp, email, newsletter, signup, marketing, plugin, widget Requires at least: 2.8 -Tested up to: 3.7.1 -Stable tag: 1.4.1 +Tested up to: 4.0 +Stable tag: 1.4.2 == Description == @@ -138,7 +138,11 @@ Maybe! Look in the /po/ directory in our plugin package and see if your language == Upgrade Notice == += 1.4.2 = +add customized wp_nonces functions for post-back behavior to fix 4.0 callbacks += 1.4.1 = +Fix for checkbox weirdness on 3.8 = 1.4 = Added Developer Mode "Kitchen Sink" to aid in styling without having to authenticate a MailChimp account.
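Review bot: `hash_equals()` in both branches of `mailchimpSF_verify_nonce` is a PHP 5.6 builtin, and WordPress, to my recollection, only ships a polyfill from 3.9.2 onward, while the readme in this series still states `Requires at least: 2.8`, so on older stacks the post-back would fatal instead of failing closed; either raise the requirement or guard with `if ( ! function_exists( 'hash_equals' ) )` and a constant-time fallback. The docblock says `@return bool`, but the function returns 1, 2 or false (which is why the caller compares with `=== false`); change it to `@return int|false 1 if generated in the last 12 hours, 2 if 12-24 hours ago, false if invalid`. The fixed `$token = 'MAILCHIMP'` is the deliberate departure from core, which binds nonces to the session token; add a comment on that line such as `// Fixed token instead of the session token so the nonce survives the third-party post-back; it is bound only to uid, action and the 12h tick, so logout does not invalidate it within the window.` The same `$token` line in `mailchimpSF_create_nonce`, whose body is split across the previous physical line and this one, deserves the identical comment.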