Version 0.98 - CSRF/XSS Security Fixes
Bumps version to 0.98. Addresses potential XSS/CSRF security issues in the plugin.

Changes admin.php to use the esc_attr() and esc_url() on the Fastly option values prior to outputting them in the context of the HTML to be rendered in the admin panel. While it appears that the values of these options could not be set from an unprivileged context, we should be escaping them prior to rendering regardless.

Previously the FastlyAdmin::ajaxSetPage() and FastlyAdmin::ajaxSignUp() handlers in lib/admin.php were not enforcing the presence of a CSRF token. This commit also modifies these handlers to use the wp_verify_nonce() function. The static/fastly.js AJAX posts were modified to supply a wp_create_nonce() token injected into the script's context by wp_localize_script(). The wp_register_script() and associated calls were moved to a wp_enqueue_scripts event handler in order to ensure that wp_create_nonce() is defined/loaded at the time we try to use it.

Changes all calls to update_option() with dynamic content to use esc_sql() on the data before passing it to update_option() to avoid potential for SQLi.

Thanks to Zack Tollman for the original vulnerability reports.

git-svn-id: https://plugins.svn.wordpress.org/fastly/trunk@1081712 b8457f37-d9ea-0310-8a92-e5e31aec5664
fastly committed Feb 3, 2015. 1 parent 6456dd2, commit d7fe425.
Showing 10 changed files with 1,854 additions and 1,796 deletions.
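The nonce-and-escaping pattern the commit message describes, as an added example that is not the Fastly plugin's code: a hypothetical `example_set_page` AJAX action gets a nonce injected through wp_localize_script(), verifies it with check_ajax_referer() (a wrapper around wp_verify_nonce()), and escapes stored options with esc_attr()/esc_url() when rendering. It hooks admin_enqueue_scripts, since that is the hook that fires on wp-admin screens; all `example_`/`example-` names are assumptions, the WordPress functions are real.

```php
<?php
// Added example (not the Fastly plugin's code): the nonce-and-escaping pattern
// described in the commit message, for a hypothetical 'example_set_page' AJAX
// action. Names prefixed example_/example- are assumptions; WP functions are real.

// 1. Register the admin script and inject a nonce into its scope.
//    admin_enqueue_scripts fires on wp-admin screens, where settings pages live.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_example-admin-panel' !== $hook ) {
        return; // only load on our own settings screen
    }
    wp_register_script( 'example-admin', plugin_dir_url( __FILE__ ) . 'static/example.js', array( 'jquery' ), '0.1', true );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_admin_action' ),
    ) );
    wp_enqueue_script( 'example-admin' );
} );

// 2. AJAX handler: require both the nonce and a capability. A handler that checks
//    neither can be driven by any page an authenticated admin happens to visit.
add_action( 'wp_ajax_example_set_page', function () {
    // Terminates the request (HTTP 403) if the nonce is missing, expired or another user's.
    check_ajax_referer( 'example_admin_action', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $page = isset( $_POST['page'] ) ? sanitize_key( wp_unslash( $_POST['page'] ) ) : 'welcome';
    // update_option() writes through a prepared query; sanitize the value, don't SQL-escape it.
    update_option( 'example_page', $page );
    wp_send_json_success( array( 'page' => $page ) );
} );

// 3. Rendering stored options: escape each value for the context it lands in.
function example_render_fields() {
    $hostname = get_option( 'example_api_hostname', 'https://api.example.com' );
    $key      = get_option( 'example_api_key', '' );
    // esc_attr() neutralises quotes and angle brackets inside an attribute value
    printf( '<input type="text" name="api_hostname" value="%s">', esc_attr( $hostname ) );
    printf( '<input type="password" name="api_key" value="%s">', esc_attr( $key ) );
    // esc_url() additionally rejects disallowed schemes such as javascript:
    printf( '<a href="%s">API docs</a>', esc_url( $hostname . '/docs' ) );
}
```

The matching client-side call is `jQuery.post(exampleAdmin.ajaxUrl, { action: 'example_set_page', nonce: exampleAdmin.nonce, page: 'config' })`, which is how the nonce placed by wp_localize_script() reaches check_ajax_referer().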
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # The Wordpress Plugin | ||
|
|
||
| Integrates Fastly with Wordpress' publishing tools. | ||
|
|
||
| ## Installation | ||
|
|
||
| You can either install from source (you're looking at it), or from the Wordpress [plugin directory](http://wordpress.org/plugins/fastly/). | ||
|
|
||
| 0. If you don't already have it send us a support request asking to have the Wordpress feature turned on for your account. | ||
| 1. Add a new WordPress config to a Service and set up the path to the Wordpress install. Examples: | ||
| - If your blog is at `http://blog.example.com/`, your path is `/` | ||
| - If your blog is at `http://example.com/blog/`, your path is `/blog/` | ||
| 2. Deploy the new Version of the Service. | ||
| 3. With your API key and the Service id in hand, install the plugin under Wordpress. | ||
| 4. Set up the Fastly plugin inside your Wordpress config panel - you should just have to input the API key and the Service id that you noted in the last step. | ||
| 5. That's it! Everything should just work. :metal: If you have any problems, email us. | ||
|
|
||
| _Note: you may have to disable other caching plugins like W3TotalCache to avoid getting odd cache behaviour._ | ||
|
|
||
| ## What's going on? | ||
|
|
||
| Take a look at the inline comments in the [code](https://github.com/fastly/WordPress-Plugin/tree/master/lib) for an in depth description. But, the plugin: | ||
|
|
||
| - Pulls in the [Fastly API](http://docs.fastly.com/api) | ||
| - Wires Instant Purging into the publishing process, keeping content up to date | ||
| - Includes an admin panel in `wp-admin` | ||
|
|
||
| ## License | ||
|
|
||
| Fastly.com WordPress Plugin | ||
| Copyright (C) 2011,2012,2013 Fastly.com | ||
|
|
||
| This program is free software: you can redistribute it and/or modify | ||
| it under the terms of the GNU General Public License as published by | ||
| the Free Software Foundation, either version 3 of the License, or | ||
| (at your option) any later version. | ||
|
|
||
| This program is distributed in the hope that it will be useful, | ||
| but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| GNU General Public License for more details. | ||
|
|
||
| You should have received a copy of the GNU General Public License | ||
| along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
|
|
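Review bot: installation steps 3 and 4 tell the user to paste the API key and Service id into the wp-admin panel but say nothing about which WordPress capability is required to view or change them; since this commit's message is about escaping those option values before rendering them in that panel and adding nonce checks to its AJAX handlers, a sentence stating that the settings page is restricted to administrators (or whichever capability the plugin checks) would document the trust boundary for site owners. Minor: "Wordpress" and "WordPress" are mixed throughout this README (the project's own spelling is "WordPress"), and the license block's copyright years stop at 2013 in a 2015 commit.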
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,68 +1,68 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| Plugin Name: Fastly | ||
| Plugin URI: http://fastly.com/ | ||
| Description: Configuration and cache purging for the Fastly CDN. | ||
| Author: Fastly.com | ||
| Version: 0.97 | ||
| Author URI: http://fastly.com/ | ||
| */ | ||
|
|
||
| /** | ||
| * Main plugin code. | ||
| * @package Fastly | ||
| * @version 0.97 | ||
| * @author Ryan Sandor Richards | ||
| * @copyright 2011 Fastly.com, All Rights Reserved | ||
| */ | ||
|
|
||
| // Basic plugin definitions | ||
| define('FASTLY_VERSION', '0.97'); | ||
| define('FASTLY_PLUGIN_URL', plugin_dir_url( __FILE__ )); | ||
|
|
||
| // Includes | ||
| include_once dirname( __FILE__ ) . '/lib/purge.php'; | ||
| include_once dirname( __FILE__ ) . '/lib/admin.php'; | ||
| include_once dirname( __FILE__ ) . '/lib/api.php'; | ||
|
|
||
| // Check for JSON support | ||
| if (!function_exists('json_decode')) { | ||
| require_once dirname( __FILE__ ) . '/lib/JSON.php'; | ||
| define('FASTLY_JSON', false); | ||
| } | ||
|
|
||
| // Plugin Options | ||
| add_option('fastly_hostname', ''); | ||
| add_option('fastly_api_key', ''); | ||
| add_option('fastly_service_id', ''); | ||
| add_option('fastly_api_hostname', 'https://api.fastly.com'); | ||
| add_option('fastly_api_port', null); | ||
| add_option('fastly_page', 'welcome'); | ||
| add_option('fastly_log_purges', '0'); | ||
|
|
||
| // Setup Purging | ||
| new FastlyPurge(); | ||
|
|
||
| // Setup admin (if needed) | ||
| if (is_admin()) { | ||
| new FastlyAdmin(); | ||
| } | ||
|
|
||
| // Custom action links for the plugin. | ||
| function fastly_action_links($links, $file) { | ||
| static $this_plugin; | ||
| if (!$this_plugin) { | ||
| $this_plugin = plugin_basename(__FILE__); | ||
| } | ||
| if ($file == $this_plugin) { | ||
| $settings_link = '<a href="' . get_bloginfo('wpurl') . '/wp-admin/options-general.php?page=fastly-admin-panel">Settings</a>'; | ||
| array_unshift($links, $settings_link); | ||
| } | ||
| return $links; | ||
| } | ||
| add_filter('plugin_action_links', 'fastly_action_links', 10, 2); | ||
|
|
||
| // "Look out honey, cause I'm using technology..." - Iggy Pop | ||
|
|
||
| ?> | ||
| <?php | ||
|
|
||
| /* | ||
| Plugin Name: Fastly | ||
| Plugin URI: http://fastly.com/ | ||
| Description: Configuration and cache purging for the Fastly CDN. | ||
| Author: Fastly.com | ||
| Version: 0.98 | ||
| Author URI: http://fastly.com/ | ||
| */ | ||
|
|
||
| /** | ||
| * Main plugin code. | ||
| * @package Fastly | ||
| * @version 0.98 | ||
| * @author Ryan Sandor Richards | ||
| * @copyright 2011 Fastly.com, All Rights Reserved | ||
| */ | ||
|
|
||
| // Basic plugin definitions | ||
| define('FASTLY_VERSION', '0.98'); | ||
| define('FASTLY_PLUGIN_URL', plugin_dir_url( __FILE__ )); | ||
|
|
||
| // Includes | ||
| include_once dirname( __FILE__ ) . '/lib/purge.php'; | ||
| include_once dirname( __FILE__ ) . '/lib/admin.php'; | ||
| include_once dirname( __FILE__ ) . '/lib/api.php'; | ||
|
|
||
| // Check for JSON support | ||
| if (!function_exists('json_decode')) { | ||
| require_once dirname( __FILE__ ) . '/lib/JSON.php'; | ||
| define('FASTLY_JSON', false); | ||
| } | ||
|
|
||
| // Plugin Options | ||
| add_option('fastly_hostname', ''); | ||
| add_option('fastly_api_key', ''); | ||
| add_option('fastly_service_id', ''); | ||
| add_option('fastly_api_hostname', 'https://api.fastly.com'); | ||
| add_option('fastly_api_port', null); | ||
| add_option('fastly_page', 'welcome'); | ||
| add_option('fastly_log_purges', '0'); | ||
|
|
||
| // Setup Purging | ||
| new FastlyPurge(); | ||
|
|
||
| // Setup admin (if needed) | ||
| if (is_admin()) { | ||
| new FastlyAdmin(); | ||
| } | ||
|
|
||
| // Custom action links for the plugin. | ||
| function fastly_action_links($links, $file) { | ||
| static $this_plugin; | ||
| if (!$this_plugin) { | ||
| $this_plugin = plugin_basename(__FILE__); | ||
| } | ||
| if ($file == $this_plugin) { | ||
| $settings_link = '<a href="' . get_bloginfo('wpurl') . '/wp-admin/options-general.php?page=fastly-admin-panel">Settings</a>'; | ||
| array_unshift($links, $settings_link); | ||
| } | ||
| return $links; | ||
| } | ||
| add_filter('plugin_action_links', 'fastly_action_links', 10, 2); | ||
|
|
||
| // "Look out honey, cause I'm using technology..." - Iggy Pop | ||
|
|
||
| ?> |
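Review bot: `fastly_action_links()` concatenates `get_bloginfo('wpurl')` straight into an `href` attribute without `esc_url()`, the same unescaped-output pattern the commit message says was fixed in admin.php; prefer `$settings_link = '<a href="' . esc_url( admin_url( 'options-general.php?page=fastly-admin-panel' ) ) . '">Settings</a>';` so the link is escaped and also respects a relocated admin directory. Also, the version string 0.98 now has to be kept in sync in three places (the plugin header, the `@version` docblock tag and `define('FASTLY_VERSION', ...)`), and the closing `?>` at the end of a pure-PHP file is unnecessary and risks "headers already sent" errors from trailing whitespace.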