From 0ac83d1955aa964a358833b1b5ce790fff45b3f4 Mon Sep 17 00:00:00 2001
From: Eric Teubert
Date: Sun, 4 Feb 2024 21:15:41 +0100
Subject: [PATCH] fix: add missing capability check and nonce validation to exporter functions

---
 .../import_export/export/podcast_exporter.php | 8 +++++++
 .../export/tracking_exporter.php | 18 ++++++++++++++-
 lib/modules/import_export/import_export.php | 23 +++++++++----------
 readme.txt | 1 +
 4 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/lib/modules/import_export/export/podcast_exporter.php b/lib/modules/import_export/export/podcast_exporter.php
index 1eefca8e8..a994582f3 100644
--- a/lib/modules/import_export/export/podcast_exporter.php
+++ b/lib/modules/import_export/export/podcast_exporter.php
@@ -30,6 +30,14 @@ public static function init()
         }
 
         if (isset($_GET['podlove_export']) && $_GET['podlove_export']) {
+            if (!current_user_can('administrator')) {
+                return;
+            }
+
+            if (!wp_verify_nonce($_REQUEST['_podlove_nonce'], 'podlove_export')) {
+                return;
+            }
+
             $exporter = new \Podlove\Modules\ImportExport\Export\PodcastExporter();
             $exporter->download();
             exit;
diff --git a/lib/modules/import_export/export/tracking_exporter.php b/lib/modules/import_export/export/tracking_exporter.php
index 23de6eaa7..231cf5e30 100644
--- a/lib/modules/import_export/export/tracking_exporter.php
+++ b/lib/modules/import_export/export/tracking_exporter.php
@@ -19,6 +19,14 @@ public static function init_download()
         }
 
         if (isset($_GET['podlove_export_tracking']) && $_GET['podlove_export_tracking']) {
+            if (!current_user_can('administrator')) {
+                exit;
+            }
+
+            if (!wp_verify_nonce($_REQUEST['_podlove_nonce'], 'podlove_export_tracking_download')) {
+                exit;
+            }
+
             delete_transient('podlove_tracking_export_finished');
             header('Content-Type: application/octet-stream');
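Review bot: `$_REQUEST['_podlove_nonce']` is read without an existence check in the new `wp_verify_nonce()` call, so a request that omits the parameter raises an "Undefined array key" warning on PHP 8 before the nonce is rejected; `if (!wp_verify_nonce($_REQUEST['_podlove_nonce'] ?? '', 'podlove_export')) {` keeps the fail-closed behaviour without the notice. The same unguarded read appears in both `tracking_exporter.php` hunks. Separately, `current_user_can('administrator')` tests a role name rather than a capability, which the WordPress documentation discourages as potentially unreliable; `current_user_can('manage_options')` expresses the same admin-only intent in capability terms. `init()` continues outside the hunk.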
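Review bot: Both new guards in `init_download()` end the request with a bare `exit`, so a rejected download produces an empty response with whatever status was already set (the default 200) and gives the browser no indication that the export was denied, while the sibling `podcast_exporter.php` hunk uses `return` for the same condition. Responding with `wp_die('Export not permitted.', 403);` in both branches returns an explicit status and makes the two exporters consistent. `init_download()` continues outside the hunk.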
@@ -43,9 +51,17 @@ public static function export_tracking()
     {
         global $wpdb;
 
+        if (!current_user_can('administrator')) {
+            exit;
+        }
+
+        if (!wp_verify_nonce($_REQUEST['_podlove_nonce'], 'podlove_export_tracking')) {
+            exit;
+        }
+
         // only one export at a time
         if (get_option('podlove_tracking_export_all') !== false) {
-            return;
+            exit;
         }
 
         update_option('podlove_tracking_export_all', $wpdb->get_var('SELECT COUNT(*) FROM '.\Podlove\Model\DownloadIntent::table_name()));
diff --git a/lib/modules/import_export/import_export.php b/lib/modules/import_export/import_export.php
index 7e8a81f3b..d4834d3db 100644
--- a/lib/modules/import_export/import_export.php
+++ b/lib/modules/import_export/import_export.php
@@ -123,7 +123,7 @@ public function tools_podcast_export()
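Review bot: `export_tracking()` appears to be the handler behind the `ajaxurl` request in the `import_export.php` hunk (judging by its `action: 'podlove-export-tracking'` payload), and for an admin-ajax handler `check_ajax_referer('podlove_export_tracking', '_podlove_nonce');` is the idiomatic form of the nonce guard: it tolerates a missing `_podlove_nonce` key and terminates with a `-1` body and 403 status on failure, so the client's `.done()` callback is not run as though the export had started. The bare `exit` added here ends the request with an empty body, and the `return` → `exit` change in the "only one export at a time" branch now does the same, so the client cannot distinguish a rejected request from a throttled one. The body of `export_tracking()` continues outside the hunk.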
  • - + "; } } }); @@ -187,20 +187,19 @@ public function tools_tracking_export() $.ajax({ url: ajaxurl, - data: {action: 'podlove-export-tracking'}, - dataType: 'json', - success: function(result) { + data: {action: 'podlove-export-tracking', _podlove_nonce: ''}, + dataType: 'json' + }).done(function(result) { console.log("tracking export finished"); - } + window.setTimeout(podlove_check_export_status, 2000); }); - window.setTimeout(podlove_check_export_status, 2000); }); // start immediately, in case the user refreshes the page podlove_check_export_status(); }(jQuery)); - + () - + - + - +