Skip to content
Permalink
Browse files

Added nonce check to CSV importer actions

  • Loading branch information...
rodrigoprimo committed Jul 2, 2019
1 parent 1881366 commit cabf9de71aa7f321e68dfeaf6000af2b45eeaba9
@@ -278,7 +278,7 @@ public function do_ajax_product_import() {
array(
'position' => 'done',
'percentage' => 100,
'url' => add_query_arg( array( 'nonce' => wp_create_nonce( 'product-csv' ) ), admin_url( 'edit.php?post_type=product&page=product_importer&step=done' ) ),
'url' => add_query_arg( array( '_wpnonce' => wp_create_nonce( 'woocommerce-csv-importer' ) ), admin_url( 'edit.php?post_type=product&page=product_importer&step=done' ) ),
'imported' => count( $results['imported'] ),
'failed' => count( $results['failed'] ),
'updated' => count( $results['updated'] ),
@@ -366,6 +366,7 @@ public function handle_upload() {
* Mapping step.
*/
protected function mapping_form() {
check_admin_referer( 'woocommerce-csv-importer' );
$args = array(
'lines' => 1,
'delimiter' => $this->delimiter,
@@ -399,6 +400,10 @@ protected function mapping_form() {
* Import the file if it exists and is valid.
*/
public function import() {
// Displaying this page triggers Ajax action to run the import with a valid nonce,
// therefore this page needs to be nonce protected as well.
check_admin_referer( 'woocommerce-csv-importer' );
if ( ! self::is_file_valid_csv( $this->file ) ) {
$this->add_error( __( 'Invalid file type. The importer supports CSV and TXT file formats.', 'woocommerce' ) );
$this->output_errors();
@@ -411,7 +416,6 @@ public function import() {
return;
}
// phpcs:disable WordPress.Security.NonceVerification.NoNonceVerification -- Nonce already verified in WC_Admin_Importers::do_ajax_product_import()
if ( ! empty( $_POST['map_from'] ) && ! empty( $_POST['map_to'] ) ) {
$mapping_from = wc_clean( wp_unslash( $_POST['map_from'] ) );
$mapping_to = wc_clean( wp_unslash( $_POST['map_to'] ) );
@@ -422,7 +426,6 @@ public function import() {
wp_redirect( esc_url_raw( $this->get_next_step_link( 'upload' ) ) );
exit;
}
// phpcs:enable
wp_localize_script(
'wc-product-import',
@@ -447,13 +450,12 @@ public function import() {
* Done step.
*/
protected function done() {
// phpcs:disable WordPress.Security.NonceVerification.NoNonceVerification
check_admin_referer( 'woocommerce-csv-importer' );
$imported = isset( $_GET['products-imported'] ) ? absint( $_GET['products-imported'] ) : 0;
$updated = isset( $_GET['products-updated'] ) ? absint( $_GET['products-updated'] ) : 0;
$failed = isset( $_GET['products-failed'] ) ? absint( $_GET['products-failed'] ) : 0;
$skipped = isset( $_GET['products-skipped'] ) ? absint( $_GET['products-skipped'] ) : 0;
$errors = array_filter( (array) get_user_option( 'product_import_error_log' ) );
// phpcs:enable
include_once dirname( __FILE__ ) . '/views/html-csv-import-done.php';
}

0 comments on commit cabf9de

Please sign in to comment.
You can’t perform that action at this time.