Fix full path disclosure vulnerability and increment version.

git-svn-id: https://plugins.svn.wordpress.org/ad-blocking-detector/trunk@899810 b8457f37-d9ea-0310-8a92-e5e31aec5664
wp-plugins · Apr 22, 2014 · 3312b9c · 3312b9c
1 parent 5d210d3
commit 3312b9c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 6 deletions.
diff --git a/ad-blocking-detector.php b/ad-blocking-detector.php
@@ -3,7 +3,7 @@
  * Plugin Name: Ad Blocking Detector
  * Plugin URI: http://adblockingdetector.jtmorris.net
  * Description: A plugin to detect ad blocking browser extensions and display alternative content to site visitors.
- * Version: 1.2.1
+ * Version: 1.2.2
  * Author: John Morris
  * Author URI: http://jtmorris.net
  * License: GPL2
@@ -38,7 +38,26 @@
 include_once ( ABD_ROOT_PATH . 'includes/shortcodes.php' );
 
 
-//	Start SESSION to facilitate data transfers
-if ( !session_id() ) {
-	session_start();
-}
+//      Start SESSION to facilitate data transfers
+//      Error Prevention: http://www.php.net/manual/en/function.session-start.php#82957
+function my_session_start()
+{
+        if (isset($_COOKIE['PHPSESSID'])) {
+                $sessid = $_COOKIE['PHPSESSID'];
+        }
+        else if (isset($_GET['PHPSESSID'])) {
+                $sessid = $_GET['PHPSESSID'];
+        }
+        else {
+                session_start();
+                return false;
+        }
+
+        if (!preg_match('/^[a-z0-9]{32}$/', $sessid)) {
+                return false;
+        }
+        session_start();
+
+        return true;
+}
+my_session_start();
diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://adblockingdetector.jtmorris.net/
 Tags: adblock, adblocker, ad blocker, adblock plus, detector, advertisement
 Requires at least: 3.8
 Tested up to: 3.9
-Stable tag: 1.2.1
+Stable tag: 1.2.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -74,6 +74,8 @@ to display rotating ads while harnessing the power of ad block detection.  You c
 
 
 == Changelog ==
+= 1.2.2 =
+* Fixed PHP warnings when PHPSESSID cookie contains illegal characters.
 = 1.2.1 =
 * Add support for WordPress 3.9.
 = 1.2.0 =
@@ -100,6 +102,8 @@ to display rotating ads while harnessing the power of ad block detection.  You c
 
 
 == Upgrade Notice ==
+= 1.2.2 =
+SECURITY UPDATE: This update plugs a security hole that, in cicumstances, gave [Full Path Disclosure](https://www.owasp.org/index.php/Full_Path_Disclosure).
 = 1.2.0 =
 Added a powerful new feature: shortcode support. Now you can [integrate content from other plugins](http://adblockingdetector.jtmorris.net/display-rotating-ads/) with Ad Blocking Detector.
 = 1.1.3 =