Version 0.98 - CSRF/XSS Security Fixes
Bumps version to 0.98. Addresses potential XSS/CSRF security issues in plugin.

Changes admin.php to use esc_attr() and esc_url() on the Fastly
option values prior to outputting them in the context of the HTML to be
rendered in the admin panel. While it appears that the values of these
options could not be set from an unprivileged context, we should be
escaping them prior to rendering regardless.

Previously the FastlyAdmin::ajaxSetPage() and FastlyAdmin::ajaxSignUp()
handlers in lib/admin.php were not enforcing the presence of a CSRF
token. This commit also modifies these handlers to use the
wp_verify_nonce() function. The static/fastly.js AJAX posts were
modified to supply a wp_create_nonce() token injected into the script's
context by wp_localize_script(). The wp_register_script() and associated
calls were moved to a wp_enqueue_scripts event handler in order to
ensure that wp_create_nonce() is defined/loaded at the time we try to
use it.

Changes all calls to update_option() with dynamic content to use
esc_sql() on the data before passing it to update_option() to avoid
potential for SQLi.

Thanks to Zack Tollman for the original vulnerability reports.




git-svn-id: https://plugins.svn.wordpress.org/fastly/trunk@1081712 b8457f37-d9ea-0310-8a92-e5e31aec5664
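The nonce and escaping pattern the message describes, written out as an added example for this page (not the plugin's own code); the `fastly_admin` nonce action, the `settings_page_fastly-admin-panel` hook suffix, the `fastly_example_*` function names and the `admin_enqueue_scripts` hook are assumptions of this example, not taken from the commit.

```php
<?php
// Added example (not the plugin's code): CSRF-protected admin AJAX plus
// context-aware output escaping with WordPress' own helpers.
// Hypothetical names: the 'fastly_admin' nonce action, the
// 'settings_page_fastly-admin-panel' hook suffix and fastly_example_*.

// 1. Enqueue the script and inject a nonce into its scope. Doing this from
//    admin_enqueue_scripts guarantees wp_create_nonce() is loaded by then.
function fastly_example_enqueue( $hook_suffix ) {
    if ( 'settings_page_fastly-admin-panel' !== $hook_suffix ) {
        return; // only load on the plugin's own settings page
    }
    wp_enqueue_script( 'fastly-admin', plugins_url( 'static/fastly.js', __FILE__ ),
        array( 'jquery' ), '0.98', true );
    wp_localize_script( 'fastly-admin', 'fastlyAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        // fastly.js must POST this back as _wpnonce (or _ajax_nonce)
        'nonce'   => wp_create_nonce( 'fastly_admin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'fastly_example_enqueue' );

// 2. AJAX handler: a valid nonce proves the request was intended by this
//    browser session; the capability check proves the user is allowed to act.
function fastly_example_set_page() {
    // Runs wp_verify_nonce() against the posted token and dies on failure.
    check_ajax_referer( 'fastly_admin' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $page = isset( $_POST['page'] ) ? sanitize_key( wp_unslash( $_POST['page'] ) ) : 'welcome';
    // update_option() goes through $wpdb, which already escapes for SQL;
    // wrapping the value in esc_sql() here would store literal backslashes.
    update_option( 'fastly_page', $page );
    wp_send_json_success( array( 'page' => $page ) );
}
add_action( 'wp_ajax_fastly_set_page', 'fastly_example_set_page' );

// 3. Output: escape each option for the HTML context it lands in.
function fastly_example_render_fields() {
    printf( '<input type="text" name="fastly_api_hostname" value="%s">',
        esc_attr( get_option( 'fastly_api_hostname' ) ) );
    printf( '<a href="%s">API endpoint</a>',
        esc_url( get_option( 'fastly_api_hostname' ) ) );
}
```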
fastly committed Feb 3, 2015
1 parent 6456dd2 commit d7fe425
Showing 10 changed files with 1,854 additions and 1,796 deletions.
16 changes: 0 additions & 16 deletions README

This file was deleted.

45 changes: 45 additions & 0 deletions README.md
@@ -0,0 +1,45 @@
# The Wordpress Plugin

Integrates Fastly with Wordpress' publishing tools.

## Installation

You can either install from source (you're looking at it), or from the Wordpress [plugin directory](http://wordpress.org/plugins/fastly/).

0. If you don't already have it send us a support request asking to have the Wordpress feature turned on for your account.
1. Add a new WordPress config to a Service and set up the path to the Wordpress install. Examples:
- If your blog is at `http://blog.example.com/`, your path is `/`
- If your blog is at `http://example.com/blog/`, your path is `/blog/`
2. Deploy the new Version of the Service.
3. With your API key and the Service id in hand, install the plugin under Wordpress.
4. Set up the Fastly plugin inside your Wordpress config panel - you should just have to input the API key and the Service id that you noted in the last step.
5. That's it! Everything should just work. :metal: If you have any problems, email us.

_Note: you may have to disable other caching plugins like W3TotalCache to avoid getting odd cache behaviour._

## What's going on?

Take a look at the inline comments in the [code](https://github.com/fastly/WordPress-Plugin/tree/master/lib) for an in depth description. But, the plugin:

- Pulls in the [Fastly API](http://docs.fastly.com/api)
- Wires Instant Purging into the publishing process, keeping content up to date
- Includes an admin panel in `wp-admin`

## License

Fastly.com WordPress Plugin
Copyright (C) 2011,2012,2013 Fastly.com

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
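Review bot: the project name is spelled two ways in this new file ("Integrates Fastly with Wordpress' publishing tools", "install the plugin under Wordpress" versus "Add a new WordPress config"); the canonical form is "WordPress", so pick it throughout. The plugin-directory and API links (`http://wordpress.org/plugins/fastly/`, `http://docs.fastly.com/api`) are plain http:// in a document that walks the reader through handling an API key; point them at https:// so the same hardening the release is about extends to the docs.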

136 changes: 68 additions & 68 deletions fastly.php
@@ -1,68 +1,68 @@
<?php

/*
Plugin Name: Fastly
Plugin URI: http://fastly.com/
Description: Configuration and cache purging for the Fastly CDN.
Author: Fastly.com
Version: 0.97
Author URI: http://fastly.com/
*/

/**
* Main plugin code.
* @package Fastly
* @version 0.97
* @author Ryan Sandor Richards
* @copyright 2011 Fastly.com, All Rights Reserved
*/

// Basic plugin definitions
define('FASTLY_VERSION', '0.97');
define('FASTLY_PLUGIN_URL', plugin_dir_url( __FILE__ ));

// Includes
include_once dirname( __FILE__ ) . '/lib/purge.php';
include_once dirname( __FILE__ ) . '/lib/admin.php';
include_once dirname( __FILE__ ) . '/lib/api.php';

// Check for JSON support
if (!function_exists('json_decode')) {
require_once dirname( __FILE__ ) . '/lib/JSON.php';
define('FASTLY_JSON', false);
}

// Plugin Options
add_option('fastly_hostname', '');
add_option('fastly_api_key', '');
add_option('fastly_service_id', '');
add_option('fastly_api_hostname', 'https://api.fastly.com');
add_option('fastly_api_port', null);
add_option('fastly_page', 'welcome');
add_option('fastly_log_purges', '0');

// Setup Purging
new FastlyPurge();

// Setup admin (if needed)
if (is_admin()) {
new FastlyAdmin();
}

// Custom action links for the plugin.
function fastly_action_links($links, $file) {
static $this_plugin;
if (!$this_plugin) {
$this_plugin = plugin_basename(__FILE__);
}
if ($file == $this_plugin) {
$settings_link = '<a href="' . get_bloginfo('wpurl') . '/wp-admin/options-general.php?page=fastly-admin-panel">Settings</a>';
array_unshift($links, $settings_link);
}
return $links;
}
add_filter('plugin_action_links', 'fastly_action_links', 10, 2);

// "Look out honey, cause I'm using technology..." - Iggy Pop

?>
<?php

/*
Plugin Name: Fastly
Plugin URI: http://fastly.com/
Description: Configuration and cache purging for the Fastly CDN.
Author: Fastly.com
Version: 0.98
Author URI: http://fastly.com/
*/

/**
* Main plugin code.
* @package Fastly
* @version 0.98
* @author Ryan Sandor Richards
* @copyright 2011 Fastly.com, All Rights Reserved
*/

// Basic plugin definitions
define('FASTLY_VERSION', '0.98');
define('FASTLY_PLUGIN_URL', plugin_dir_url( __FILE__ ));

// Includes
include_once dirname( __FILE__ ) . '/lib/purge.php';
include_once dirname( __FILE__ ) . '/lib/admin.php';
include_once dirname( __FILE__ ) . '/lib/api.php';

// Check for JSON support
if (!function_exists('json_decode')) {
require_once dirname( __FILE__ ) . '/lib/JSON.php';
define('FASTLY_JSON', false);
}

// Plugin Options
add_option('fastly_hostname', '');
add_option('fastly_api_key', '');
add_option('fastly_service_id', '');
add_option('fastly_api_hostname', 'https://api.fastly.com');
add_option('fastly_api_port', null);
add_option('fastly_page', 'welcome');
add_option('fastly_log_purges', '0');

// Setup Purging
new FastlyPurge();

// Setup admin (if needed)
if (is_admin()) {
new FastlyAdmin();
}

// Custom action links for the plugin.
function fastly_action_links($links, $file) {
static $this_plugin;
if (!$this_plugin) {
$this_plugin = plugin_basename(__FILE__);
}
if ($file == $this_plugin) {
$settings_link = '<a href="' . get_bloginfo('wpurl') . '/wp-admin/options-general.php?page=fastly-admin-panel">Settings</a>';
array_unshift($links, $settings_link);
}
return $links;
}
add_filter('plugin_action_links', 'fastly_action_links', 10, 2);

// "Look out honey, cause I'm using technology..." - Iggy Pop

?>
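Review bot: the version string now lives in three places (the `Version:` plugin header, the `@version` docblock and `define('FASTLY_VERSION', ...)`), which is why this hunk has to touch three lines for a one-value bump; keep the header as the single source (readable via `get_plugin_data()`) or at least derive the other two from `FASTLY_VERSION`. While the file is open, drop the trailing `?>`: any whitespace after a closing tag is emitted before headers are sent, which breaks redirects and the admin-ajax responses this release relies on, and the settings link could use `admin_url('options-general.php?page=fastly-admin-panel')` instead of concatenating onto `get_bloginfo('wpurl')`.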
