Version 0.5.3 - Security Update
Security Update
* Correct security vulnerability allowing both private and password-protected posts to be accessed through the print page
* Creates is_protected() method to determine if the print page should be visible to the current user
* Remove print_url links from the content when the current user does not have the necessary capabilities to view the print page
ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss
stevenkword committed Apr 30, 2013
1 parent c370956 commit 4377872
Showing 2 changed files with 54 additions and 8 deletions.
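--- a/readme.txt
+++ b/readme.txt
@@ -1,10 +1,10 @@
 === WP Print Friendly ===
-Contributors: ethitter, thinkoomph
+Contributors: ethitter, stevenkword, thinkoomph
 Donate link: http://www.thinkoomph.com/plugins-modules/wp-print-friendly/
 Tags: print, template, printer, printable
 Requires at least: 3.1
 Tested up to: 3.5
-Stable tag: 0.5.2
+Stable tag: 0.5.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -59,6 +59,11 @@ This plugin is known to conflict with certain plugins, many pertaining to SEO an
 
 == Changelog ==
 
+= 0.5.3 =
+* Creates is_protected() method to determine if the print page should be visible to the current user
+* Correct security vulnerability allowing both private and password protected posts from being accessed through the print page
+* Remove print_url links from the content when the current user does not have the necessary capabilities to view the print page
+
 = 0.5.2 =
 * Revert change in is_print() method made in version 0.5 as it breaks the method when no page number is specified. See [https://github.com/ethitter/WP-Print-Friendly/issues/2](https://github.com/ethitter/WP-Print-Friendly/issues/2).
 
@@ -174,4 +179,4 @@ This release expands the plugin's page rewrite rules to accomodate permalink str
 This release fixes bug that displayed post links automatically on the wrong post types.
 
 = 0.4 =
-This release addresses numerous bugs reported by the community, including print templates for child pages. All admin text, save the plugin's name, are now ready for translation. Templates are now completely customizable, and new template functions are included.
+This release addresses numerous bugs reported by the community, including print templates for child pages. All admin text, save the plugin's name, are now ready for translation. Templates are now completely customizable, and new template functions are included.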
51 changes: 46 additions & 5 deletions wp-print-friendly.php
Expand Up @@ -3,8 +3,8 @@
Plugin Name: WP Print Friendly
Plugin URI: http://www.thinkoomph.com/plugins-modules/wp-print-friendly/
Description: Extends WordPress' template system to support printer-friendly templates. Works with permalink structures to support nice URLs.
Author: Erick Hitter & Oomph, Inc.
Version: 0.5.2
Author: Erick Hitter, Steven K Word & Oomph, Inc.
Version: 0.5.3
Author URI: http://www.thinkoomph.com/
This program is free software; you can redistribute it and/or modify
Expand Down Expand Up @@ -80,6 +80,7 @@ public function action_plugins_loaded() {
add_action( 'admin_menu', array( $this, 'action_admin_menu' ) );
add_filter( 'request', array( $this, 'filter_request' ) );
add_action( 'pre_get_posts', array( $this, 'action_pre_get_posts' ) );
add_action( 'wp', array( $this, 'action_wp' ) );
add_filter( 'template_include', array( $this, 'filter_template_include' ) );
add_filter( 'redirect_canonical', array( $this, 'filter_redirect_canonical' ) );
add_filter( 'body_class', array( $this, 'filter_body_class' ) );
Expand Down Expand Up @@ -161,6 +162,23 @@ public function action_admin_init() {
update_option( $this->notice_key, 1 );
}

/**
* Determine if the print page should be visible to the current user
*
* @uses current_user_can, post_password_required
* @global $wp_query, $post
* @return bool
*/
public function is_protected() {
global $post;

// If the global $post object is not set OR BOTH the current user is NOT an admin AND the post is private
$private = ( ! isset( $post ) || ( ! current_user_can( 'read_private_posts' ) && 'private' == $post->post_status ) ) ? true : false;

// If the password is required OR if the current user does not have the capability to view private posts
return post_password_required() || true === $private;
}

/**
* Determine if print template is being requested.
*
Expand Down Expand Up @@ -273,15 +291,34 @@ public function action_pre_get_posts( $query ) {
return $query;
}

/**
* Throw a 404 if the print page should not be visible to the user
*
* @action wp
* @global $wp_query
* @uses $this::is_print, $this::is_protected
* @return null
*/
function action_wp() {
global $wp_query;

if( $this->is_print() && $this->is_protected() ) {
$wp_query->set_404();
status_header( 404 );
nocache_headers();
}
}

/**
* Filter template include to return print template if requested.
*
* @param string $template
* @filter template_include
* @uses this::is_protected
* @return string
*/
public function filter_template_include( $template ) {
if ( $this->is_print() && ( $print_template = $this->template_chooser() ) )
if ( $this->is_print() && ! $this->is_protected() && ( $print_template = $this->template_chooser() ) )
$template = $print_template[ 'path' ];

return $template;
Expand Down Expand Up @@ -350,7 +387,7 @@ public function filter_the_content( $content ) {
* Filter the content if automatic inclusion is selected.
*
* @param string $content
* @uses $this::get_options, $post, $this::print_url, get_query_var, apply_filters
* @uses $this::get_options, $post, $this::print_url, $this::is_protected, get_query_var, apply_filters
* @filter the_content
* @return string
*/
Expand All @@ -359,6 +396,10 @@ public function filter_the_content_auto( $content ) {

global $post;

// Do not display the print_url link if the print page is not be accessible to the user
if( $this->is_protected() )
return $content;

if ( is_array( $options ) && array_key_exists( 'auto', $options ) && $options[ 'auto' ] == true && in_array( $post->post_type, $options[ 'post_types' ] ) && ! $this->is_print() ) {
extract( $options );

Expand Down Expand Up @@ -928,4 +969,4 @@ function is_print() {
return $wpf->is_print();
}
}
?>
?>
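Review bot: The capability test in is_protected() uses the site-wide `read_private_posts` cap and a literal `'private'` status, so it is both too strict and too narrow: an author who owns a private post, or any user of a post type whose private-read cap is mapped differently (pages use `read_private_pages`), is sent to a 404, while non-public statuses other than `private` (draft, pending, future) pass the check if they can reach the print query at all — whether they can depends on filter_request/action_pre_get_posts, which are outside this hunk. Delegating to the per-post meta capability and the status object mirrors what core does for singular queries and fails closed on an unknown status: `if ( ! isset( $post ) ) return true;` / `$status = get_post_status_object( $post->post_status );` / `return post_password_required() || ( ( ! $status || ! $status->public ) && ! current_user_can( 'read_post', $post->ID ) );`. That rewrite also removes the loose `'private' == $post->post_status` comparison and the redundant `? true : false` and `true === $private`. Separately, `function action_wp()` carries no visibility keyword while every other hook callback in the class is declared `public`, and its docblock's `@return null` should be `@return void`.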
