fix: add missing capability check and nonce validation to exporter fu…

…nctions
podlove · Feb 6, 2024 · 0ac83d1 · 0ac83d1
1 parent 7873ff5
commit 0ac83d1
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 13 deletions.
diff --git a/lib/modules/import_export/export/podcast_exporter.php b/lib/modules/import_export/export/podcast_exporter.php
@@ -30,6 +30,14 @@ public static function init()
         }
 
         if (isset($_GET['podlove_export']) && $_GET['podlove_export']) {
+            if (!current_user_can('administrator')) {
+                return;
+            }
+
+            if (!wp_verify_nonce($_REQUEST['_podlove_nonce'], 'podlove_export')) {
+                return;
+            }
+
             $exporter = new \Podlove\Modules\ImportExport\Export\PodcastExporter();
             $exporter->download();
             exit;

diff --git a/lib/modules/import_export/export/tracking_exporter.php b/lib/modules/import_export/export/tracking_exporter.php
@@ -19,6 +19,14 @@ public static function init_download()
         }
 
         if (isset($_GET['podlove_export_tracking']) && $_GET['podlove_export_tracking']) {
+            if (!current_user_can('administrator')) {
+                exit;
+            }
+
+            if (!wp_verify_nonce($_REQUEST['_podlove_nonce'], 'podlove_export_tracking_download')) {
+                exit;
+            }
+
             delete_transient('podlove_tracking_export_finished');
 
             header('Content-Type: application/octet-stream');
@@ -43,9 +51,17 @@ public static function export_tracking()
     {
         global $wpdb;
 
+        if (!current_user_can('administrator')) {
+            exit;
+        }
+
+        if (!wp_verify_nonce($_REQUEST['_podlove_nonce'], 'podlove_export_tracking')) {
+            exit;
+        }
+
         // only one export at a time
         if (get_option('podlove_tracking_export_all') !== false) {
-            return;
+            exit;
         }
 
         update_option('podlove_tracking_export_all', $wpdb->get_var('SELECT COUNT(*) FROM '.\Podlove\Model\DownloadIntent::table_name()));

diff --git a/lib/modules/import_export/import_export.php b/lib/modules/import_export/import_export.php
@@ -123,7 +123,7 @@ public function tools_podcast_export()
 			<li><?php echo __('In your new WordPress instance, import that file.', 'podlove-podcasting-plugin-for-wordpress'); ?></li>
 		</ol>
 
-		<a href="?podlove_export=1" class="button"><?php echo __('Export Podcast Data', 'podlove-podcasting-plugin-for-wordpress'); ?></a>
+		<a href="?podlove_export=1&_podlove_nonce=<?php echo wp_create_nonce('podlove_export'); ?>" class="button"><?php echo __('Export Podcast Data', 'podlove-podcasting-plugin-for-wordpress'); ?></a>
 		<?php
     }
 
@@ -168,12 +168,12 @@ public function tools_tracking_export()
 							$("#podlove_tracking_export_status_wrapper").show();
 
 							timeoutID = window.setTimeout(podlove_check_export_status, 1000);
-						} 
+						}
 
 						if (result.finished) {
 							$("#podlove_tracking_export").attr('disabled', false);
 							$("#podlove_tracking_export_status_wrapper").hide();
-							window.location = window.location + "&podlove_export_tracking=1";
+							window.location = window.location + "&podlove_export_tracking=1&_podlove_nonce=<?php echo wp_create_nonce('podlove_export_tracking_download'); ?>";
 						}
 					}
 				});
@@ -187,20 +187,19 @@ public function tools_tracking_export()
 
 				$.ajax({
 					url: ajaxurl,
-					data: {action: 'podlove-export-tracking'},
-					dataType: 'json',
-					success: function(result) {
+					data: {action: 'podlove-export-tracking', _podlove_nonce: '<?php echo wp_create_nonce('podlove_export_tracking'); ?>'},
+					dataType: 'json'
+				}).done(function(result) {
 						console.log("tracking export finished");
-					}
+				    window.setTimeout(podlove_check_export_status, 2000);
 				});
 
-				window.setTimeout(podlove_check_export_status, 2000);
 			});
 
 			// start immediately, in case the user refreshes the page
 			podlove_check_export_status();
 		}(jQuery));
-		</script>		
+		</script>
 		<?php
     }
 
@@ -213,10 +212,10 @@ public function tools_podcast_import()
 
 		<form method="POST" enctype="multipart/form-data">
 			(<span><?php echo self::get_maximum_upload_size_text(); ?></span>)
-			<input type="file" name="podlove_import"/> 
+			<input type="file" name="podlove_import"/>
 			<input type="submit" value="<?php echo __('Import Podcast Data', 'podlove-podcasting-plugin-for-wordpress'); ?>" class="button" />
 			<?php wp_nonce_field('podlove_import', '_podlove_nonce'); ?>
-		</form>		
+		</form>
 		<?php
     }
 
@@ -228,7 +227,7 @@ public function tools_tracking_import()
 			<input type="file" name="podlove_import_tracking"/>
 			<input type="submit" value="<?php echo __('Import Tracking Data', 'podlove-podcasting-plugin-for-wordpress'); ?>" class="button" />
 			<?php wp_nonce_field('podlove_import_tracking', '_podlove_nonce'); ?>
-		</form>		
+		</form>
 		<?php
     }
 

diff --git a/readme.txt b/readme.txt
@@ -112,6 +112,7 @@ This product includes GeoLite2 data created by MaxMind, available from http://ww
 
 - fix SSRF vulnerability in Slacknotes module
 - add missing capability check and nonce validation to importer functions
+- add missing capability check and nonce validation to exporter functions
 
 = 4.0.11 =