fixes for sql injection, card testing
davidfcarr committed Apr 25, 2022
1 parent f402f4a commit bfb189f
Showing 8 changed files with 57 additions and 20 deletions.
4 changes: 2 additions & 2 deletions README.txt
Expand Up @@ -7,8 +7,8 @@ License: GPLv2
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Requires PHP: 5.6
Requires at least: 5.0
Tested up to: 5.9.2
Stable tag: 9.2.5
Tested up to: 5.9.3
Stable tag: 9.2.6

Schedule events, send invitations, track RSVPs, and collect payment via PayPal or Stripe.

7 changes: 7 additions & 0 deletions rsvpmaker-admin.php
Expand Up @@ -1027,6 +1027,10 @@ function handle_options()
</select>
</div>

<h3><?php esc_html_e('Minimum Amount','rsvpmaker'); ?>:</h3>
<div><input type="text" name="payment_option[payment_minimum]" value="<?php if(isset($options["payment_minimum"])) {echo esc_attr($options["payment_minimum"]);} else echo '5.00';?>" size="5" /> <br /><em><?php _e('Prevents fraudulent uses such as $1 donations to test stolen cards','rsvpmaker'); ?></em>
</div>

<h3>PayPal (REST API)</h3>
<p><?php esc_html_e('Keys may be obtained from','rsvpmaker'); ?> <a target="_blank" href="https://developer.paypal.com/developer/applications">developer.paypal.com/developer/applications/</a></p>
<?php
Expand Down Expand Up @@ -5121,6 +5125,9 @@ function rsvpmaker_submission ($atts) {
{ title: 'Italic', format: 'italic' },
]},]},
toolbar: 'bold italic link',
relative_urls: false,
remove_script_host : false,
document_base_url : "'.site_url().'/",
});
</script>
<?php
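Review bot: The new Minimum Amount field (the `<h3>`/`<input>` lines in the first hunk) is rendered without any visible validation, so an admin can store an empty or non-numeric string that the Stripe checkout later compares against a payment amount; handle_options starts outside the hunk, so the save path may already normalise it — worth confirming, and if not, store it as `number_format((float) $_POST['payment_option']['payment_minimum'], 2, '.', '')`. The helper text on the same line is printed with `_e()` while the sibling heading uses `esc_html_e()`; for consistency and so translated strings stay escaped, use `esc_html_e('Prevents fraudulent uses such as $1 donations to test stolen cards','rsvpmaker')`. In the second hunk, `document_base_url : "'.site_url().'/",` splices a PHP value into inline JavaScript by string concatenation; site_url() is site-controlled rather than user input, but `document_base_url : '.wp_json_encode(trailingslashit(site_url())).',` is the safer idiom for a JS string literal. rsvpmaker_submission starts and ends outside the hunk.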
2 changes: 1 addition & 1 deletion rsvpmaker-api-endpoints.php
Expand Up @@ -385,7 +385,7 @@ public function get_items_permissions_check( $request ) {

public function get_items( $request ) {

$sked = get_template_sked( $request['post_id'] );
$sked = get_template_sked( intval($request['post_id']) );

return new WP_REST_Response( $sked, 200 );

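Review bot: `intval($request['post_id'])` on the get_items line turns a missing, negative or non-numeric post_id into 0 (or a negative number) that is still handed to get_template_sked() instead of being rejected; if this is the SQL-injection fix the commit title refers to, the cast does close the injection, but the endpoint should still refuse an invalid id with a 400 rather than querying for post 0. One option is `$post_id = absint($request['post_id']); if (!$post_id) { return new WP_Error('rest_invalid_param', 'post_id must be a positive integer', array('status' => 400)); }` before the call. The more WordPress-idiomatic fix is to declare `post_id` in the route's `args` with `'sanitize_callback' => 'absint'` and a `validate_callback`, so every handler on the route gets the same treatment; that registration is outside this hunk.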
2 changes: 1 addition & 1 deletion rsvpmaker-email.php
Expand Up @@ -2790,7 +2790,7 @@ function rsvp_notifications_via_template ($rsvp,$rsvp_to,$rsvpdata) {
$send_confirmation = get_post_meta($post->ID,'_rsvp_rsvpmaker_send_confirmation_email',true);
$confirm_on_payment = get_post_meta($post->ID,'_rsvp_confirmation_after_payment',true);

if(($send_confirmation ||!is_numeric($send_confirmation)) && empty($confirm_on_payment) )//if it hasn't been set to 0, send it
if(($send_confirmation ||!is_numeric($send_confirmation)) && $rsvpdata['yesno'] && empty($confirm_on_payment) )//if it hasn't been set to 0, send it
{
$confirmation_subject = $templates['confirmation']['subject'];
foreach($rsvpdata as $field => $value)
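Review bot: The added `$rsvpdata['yesno']` condition reads the key directly, so any caller of rsvp_notifications_via_template() that does not populate it (only save_rsvp is updated in this commit) raises an undefined-index notice and silently skips the confirmation; use `!empty($rsvpdata['yesno'])` in the condition so the gate is explicit about missing data. A short comment such as `// only send the confirmation for a "yes" RSVP; declines skip it` above the if would record the intent, since the existing trailing comment only explains the first clause. rsvp_notifications_via_template starts and ends outside the hunk.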
38 changes: 30 additions & 8 deletions rsvpmaker-group-email.php
Expand Up @@ -46,13 +46,14 @@ function rsvpmaker_relay_menu_pages() {
'rsvpmaker_relay_manual_test',
'rsvpmaker_relay_manual_test'
);

add_submenu_page(
$parent_slug,
__( 'Group Email Log', 'rsvpmaker' ),
__( 'Group Email Log', 'rsvpmaker' ),
'manage_options',
'rsvpmaker_relay_log',
'rsvpmaker_relay_log'
'rsvpmaker_relay_queue_monitor',
'rsvpmaker_relay_queue_monitor'
);

}
Expand Down Expand Up @@ -935,11 +936,32 @@ function rsvpmaker_qemail ($mail, $recipients) {
restore_current_blog();
}

function rsvpmaker_relay_log() {
function rsvpmaker_relay_queue_monitor () {
do_action('rsvpmaker_relay_queue_monitor');
global $wpdb;
$sql = "SELECT * from $wpdb->posts JOIN $wpdb->postmeta ON $wpdb->posts.ID = $wpdb->postmeta.post_id WHERE post_type='rsvpemail' AND meta_key LIKE 'rsvp%' ORDER BY ID DESC, meta_key LIMIT 0,500";
$sql = "SELECT ID, post_title, wpt_postmeta.meta_key, wpt_postmeta.meta_value FROM `wpt_posts` JOIN wpt_postmeta on wpt_posts.ID = wpt_postmeta.post_id WHERE post_type='rsvpemail' AND (post_status='draft' OR post_status='publish') AND meta_key='rsvprelay_to' ORDER BY ID DESC";
$results = $wpdb->get_results($sql);
foreach($results as $row) {
printf('<p>%s<br><strong>%s</strong> %s</p>',$row->post_title,$row->meta_key,$row->meta_value);
}
}
$was = 0;
echo '<h1>In Queue</h2>';
if(empty($results))
echo '<p>none</p>';
else
foreach($results as $row)
{
if($row->ID != $was)
printf('<h2>%s</h2>',$row->post_title);
printf('<p>%s %s</p>',$row->meta_key, $row->meta_value);
$was = $row->ID;
}
echo '<h1>Sent (200 Latest)</h2>';
$sql = "SELECT ID, post_title, wpt_postmeta.meta_key, wpt_postmeta.meta_value FROM `wpt_posts` JOIN wpt_postmeta on wpt_posts.ID = wpt_postmeta.post_id WHERE post_type='rsvpemail' AND meta_key='rsvpmail_sent' ORDER BY ID DESC LIMIT 0, 200";
$results = $wpdb->get_results($sql);
$was = 0;
foreach($results as $row)
{
if($row->ID != $was)
printf('<h2>%s</h2>',$row->post_title);
printf('<p>%s %s</p>',$row->meta_key, $row->meta_value);
$was = $row->ID;
}
}
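Review bot: Both new queries in rsvpmaker_relay_queue_monitor() hard-code the table names `wpt_posts` and `wpt_postmeta`, whereas the removed line used `$wpdb->posts`/`$wpdb->postmeta`, so the page will fail on any site whose table prefix is not `wpt_` (the WordPress default is `wp_`). The `printf()` calls also put `post_title`, `meta_key` and `meta_value` straight into HTML; these are stored values (recipient addresses and titles), so wrap them in `esc_html()` before output, and the two `<h1>…</h2>` headings should close with `</h1>`. The rewrite below restores the `$wpdb` table names and escapes every printed field.
```php
function rsvpmaker_relay_queue_monitor () {
do_action('rsvpmaker_relay_queue_monitor');
global $wpdb;
// use $wpdb table names so the query works with any table prefix
$sql = "SELECT ID, post_title, $wpdb->postmeta.meta_key, $wpdb->postmeta.meta_value FROM $wpdb->posts JOIN $wpdb->postmeta ON $wpdb->posts.ID = $wpdb->postmeta.post_id WHERE post_type='rsvpemail' AND (post_status='draft' OR post_status='publish') AND meta_key='rsvprelay_to' ORDER BY ID DESC";
$results = $wpdb->get_results($sql);
$was = 0;
echo '<h1>In Queue</h1>';
if(empty($results))
echo '<p>none</p>';
else
foreach($results as $row)
{
if($row->ID != $was)
printf('<h2>%s</h2>', esc_html($row->post_title));
printf('<p>%s %s</p>', esc_html($row->meta_key), esc_html($row->meta_value));
$was = $row->ID;
}
echo '<h1>Sent (200 Latest)</h1>';
$sql = "SELECT ID, post_title, $wpdb->postmeta.meta_key, $wpdb->postmeta.meta_value FROM $wpdb->posts JOIN $wpdb->postmeta ON $wpdb->posts.ID = $wpdb->postmeta.post_id WHERE post_type='rsvpemail' AND meta_key='rsvpmail_sent' ORDER BY ID DESC LIMIT 0, 200";
// … unchanged: second results loop, with the same esc_html() wrapping on each printed field …
}
```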
4 changes: 2 additions & 2 deletions rsvpmaker-plugabble.php
Expand Up @@ -2573,13 +2573,13 @@ function save_rsvp() {
// $rsvpdata["rsvptitle"] = $post->post_title;

$rsvpdata['rsvpyesno'] = $answer;

$rsvpdata['yesno'] = $yesno;
$rsvpdata['rsvpdate'] = $date;

$rsvp_options['rsvplink'] = get_rsvp_link( $post->ID );

$rsvpdata['rsvpupdate'] = preg_replace( '/#rsvpnow">[^<]+/', '#rsvpnow">' . $rsvp_options['update_rsvp'], str_replace( '*|EMAIL|*', $rsvp['email'] . '&update=' . $rsvp_id, $rsvp_options['rsvplink'] ) );

rsvp_notifications_via_template( $rsvp, $rsvp_to, $rsvpdata );

// rsvp_notifications ($rsvp,$rsvp_to,$subject,$cleanmessage,$rsvp_confirm);
14 changes: 10 additions & 4 deletions rsvpmaker-stripe.php
Expand Up @@ -43,7 +43,7 @@ function rsvpmaker_stripecharge( $atts ) {
return;
}

global $current_user;
global $current_user, $rsvp_options;

$vars['description'] = ( ! empty( $atts['description'] ) ) ? $atts['description'] : __( 'charge from', 'rsvpmaker' ) . ' ' . get_bloginfo( 'name' );

Expand Down Expand Up @@ -101,6 +101,7 @@ function rsvpmaker_stripecharge( $atts ) {
$rsvpmaker_stripe_form = '';

function rsvpmaker_stripe_form( $vars, $show = false ) {
global $rsvp_options;

rsvpmaker_debug_log( $vars, 'rsvpmaker_stripe_form' );

Expand Down Expand Up @@ -175,7 +176,7 @@ function rsvpmaker_stripe_form( $vars, $show = false ) {
elseif ( isset( $vars['paymentType'] ) && ( $vars['paymentType'] == 'donation' ) ) {
if(isset($_GET['amount']))
$vars['amount'] = sanitize_text_field($_GET['amount']); //needed when both Stripe and PayPal are active
$output = sprintf( '<form action="%s" method="get">%s (%s): <input type="text" name="amount" value="%s"><br />%s<br /><textarea name="stripenote" cols="80" rows="2"></textarea><br /><input type="hidden" name="txid" value="%s"><button class="stripebutton">%s</button>%s</form>', $url, __( 'Amount', 'rsvpmaker' ), esc_attr( strtoupper( $vars['currency'] ) ), esc_attr( $vars['amount'] ), __('Note','rsvpmaker'), esc_attr( $idempotency_key ), __( 'Pay with Card' ), rsvpmaker_nonce('return') );
$output = sprintf( '<form action="%s" method="get">%s (%s, %s %s): <input type="text" name="amount" value="%s"><br />%s<br /><textarea name="stripenote" cols="80" rows="2"></textarea><br /><input type="hidden" name="txid" value="%s"><button class="stripebutton">%s</button>%s</form>', $url, __( 'Amount', 'rsvpmaker' ), esc_attr( strtoupper( $vars['currency'] ) ), __('minimum','rsvpmaker'), $rsvp_options['payment_minimum'], esc_attr( $vars['amount'] ), __('Note','rsvpmaker'), esc_attr( $idempotency_key ), __( 'Pay with Card' ), rsvpmaker_nonce('return') );
} else {
$output = sprintf( '<form action="%s" method="get"><input type="hidden" name="txid" value="%s"><button class="stripebutton">%s</button>%s</form>', $url, esc_attr( $idempotency_key ), __( 'Pay with Card' ), rsvpmaker_nonce('return') );
}
Expand Down Expand Up @@ -248,6 +249,8 @@ function rsvpmaker_stripe_checkout() {

global $post, $rsvp_options, $current_user;

$keys = get_rsvpmaker_stripe_keys();

if ( empty( $_GET['txid'] ) ) {

return;
Expand Down Expand Up @@ -275,15 +278,18 @@ function rsvpmaker_stripe_checkout() {

}

if($vars['amount'] < $rsvp_options['payment_minimum']) {
do_action('rsvpmaker_possible_card_testing',$vars);
return '<p>Transactions of less than '.$rsvp_options['payment_minimum'].' not accepted.</p>';
}

if(!empty($_GET['stripenote']))
$vars['note'] = sanitize_text_field($_GET['stripenote']);

update_option( $idempotency_key, $vars );

require_once 'stripe-php/init.php';

$keys = get_rsvpmaker_stripe_keys();

if ( ! empty( $vars['email'] ) ) {

$email = sanitize_email( $vars['email'] );
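Review bot: The new guard `if($vars['amount'] < $rsvp_options['payment_minimum'])` compares two strings: `amount` is filled from `$_GET['amount']` via sanitize_text_field() in the rsvpmaker_stripe_form hunk and presumably reaches checkout through the same `$vars`, while payment_minimum is free text from the admin screen, so a non-numeric amount such as `abc` is compared lexically and slips past the check, and an install whose stored options predate this key compares against null. Make both sides numeric and reject anything that is not a number: `$min = isset($rsvp_options['payment_minimum']) ? (float) $rsvp_options['payment_minimum'] : 0; if (!is_numeric($vars['amount']) || (float) $vars['amount'] < $min) {`. The rejection message prints `$rsvp_options['payment_minimum']` directly into HTML, as does the `%s %s` minimum text added to the donation form; wrap both in `esc_html()`. A minimum amount raises the cost of card testing but does not stop repeated attempts at or above it; the `rsvpmaker_possible_card_testing` action is a reasonable hook for rate limiting, which nothing in this commit wires up. rsvpmaker_stripe_checkout starts and ends outside the hunk.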
6 changes: 4 additions & 2 deletions rsvpmaker.php
Expand Up @@ -7,11 +7,11 @@
Author URI: http://www.carrcommunications.com
Text Domain: rsvpmaker
Domain Path: /translations
Version: 9.2.5
Version: 9.2.6
*/

function get_rsvpversion() {
return '9.2.5';
return '9.2.6';
}
global $wp_version;
global $default_tz;
Expand Down Expand Up @@ -111,6 +111,8 @@ function rsvp_options_defaults() {

'currency_thousands' => ',',

'payment_minimum' => '5.00',

'paypal_invoiceno' => 1,

'stripe' => 0,
