Security update
git-svn-id: https://plugins.svn.wordpress.org/w3-total-cache/trunk@1041802 b8457f37-d9ea-0310-8a92-e5e31aec5664
fredericktownes committed Dec 10, 2014
1 parent 4fa611d commit 9a1cc9f
Showing 17 changed files with 2,005 additions and 22 deletions.
1,971 changes: 1,971 additions & 0 deletions configs/0.9.4-ConfigKeys.php


2 changes: 1 addition & 1 deletion inc/define.php
Expand Up @@ -5,7 +5,7 @@
}

define('W3TC', true);
define('W3TC_VERSION', '0.9.4');
define('W3TC_VERSION', '0.9.4.1');
define('W3TC_POWERED_BY', 'W3 Total Cache/' . W3TC_VERSION);
define('W3TC_EMAIL', 'w3tc@w3-edge.com');
define('W3TC_TEXT_DOMAIN', 'w3-total-cache');
5 changes: 5 additions & 0 deletions lib/W3/AdminActions/DefaultActionsAdmin.php
Expand Up @@ -61,8 +61,13 @@ function action_default_stop_previewing() {
function action_default_save_licence_key() {
$license = W3_Request::get_string('license_key');
try {
$old_config = new W3_Config();

$this->_config->set('plugin.license_key', $license);
$this->_config->save();

w3_instance('W3_Licensing')->possible_state_change($this->_config,
+ $old_config);
} catch(Exception $ex){
echo json_encode(array('result' => 'failed'));
exit;
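Review bot: The snapshot `$old_config = new W3_Config();` only gives possible_state_change() a real before/after pair if the constructor loads the persisted configuration independently of `$this->_config`; if the two share cached state, the "old" object already carries the new key and no transition is detected — worth confirming against W3_Config and recording with a comment such as `// separate load of the saved config so the licensing transition can be compared`. The `license_key` value is also written to the config exactly as received from the request; a `trim()` (and sanitize_text_field(), if the key is plain text) before `set()` avoids persisting stray whitespace that later fails the remote check. action_default_save_licence_key() continues past this hunk.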
7 changes: 2 additions & 5 deletions lib/W3/AdminActions/EdgeModeActionsAdmin.php
Expand Up @@ -44,11 +44,8 @@ public function action_edge_mode_enable() {
try {
w3_wp_write_to_file($config_path, $new_config_data);
} catch (FilesystemOperationException $ex) {
throw new FilesystemModifyException(
$ex->getMessage(), $ex->credentials_form(),
'Edit file <strong>' . $config_path .
'</strong> and add the next lines:', $config_path,
$this->wp_config_evaluation_mode());
throw new Exception('Configuration file not writable. Please edit file <strong>' . $config_path .
'</strong> and add the next lines: '. $this->wp_config_evaluation_mode());
}
try {
$this->_config_admin->set('notes.edge_mode', false);
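Review bot: The new message is an HTML string (`<strong>`), so whatever `$this->wp_config_evaluation_mode()` returns is now concatenated straight into markup, whereas before it was handed to FilesystemModifyException as a separate argument and presumably rendered on its own; if that text contains PHP tags or any `<`, the browser will swallow or misrender it unless it is escaped, e.g. `'</strong> and add the next lines: <pre>' . esc_html($this->wp_config_evaluation_mode()) . '</pre>'`. Dropping the `credentials_form()` path also changes the thrown type from FilesystemModifyException to a bare Exception, so any catch in the dispatcher that handled the filesystem case specially (outside this hunk) no longer applies and should be checked. action_edge_mode_enable() continues after the hunk.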
1 change: 1 addition & 0 deletions lib/W3/Cdn/Base.php
Expand Up @@ -614,6 +614,7 @@ function _get_scheme() {
*/
function _log($local_path, $remote_path, $error) {
$data = sprintf("[%s] [%s => %s] %s\n", date('r'), $local_path, $remote_path, $error);
$data = strtr($data, '<>', '..');

$filename = w3_debug_log('cdn');

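Review bot: `strtr($data, '<>', '..')` neutralises tag delimiters but leaves CR/LF intact, so a `$local_path`, `$remote_path` or `$error` containing a line break still starts a forged `[date]` entry in the cdn log; since the trailing newline is baked into the sprintf format, the cleanest fix is to format without it, sanitise, then append: `$data = sprintf("[%s] [%s => %s] %s", date('r'), $local_path, $remote_path, $error);` followed by `$data = strtr($data, array("\r" => ' ', "\n" => ' ', '<' => '.', '>' => '.')) . "\n";`. A comment such as `// log may be opened in a browser: neutralise tag delimiters and line breaks` would record why the substitution exists. _log() continues past this hunk.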
1 change: 1 addition & 0 deletions lib/W3/Db/mssql.php
Expand Up @@ -1056,6 +1056,7 @@ function db_connect( $query = "SELECT" ) {

$dbhname = "dbh" . $action;
$this->$dbhname = @mssql_connect( $details[ 'db_host' ], $details[ 'db_user' ], $details[ 'db_password' ] );
$this->is_mysql = false;

if (!$this->$dbhname ) {
$this->bail( sprintf( /*WP_I18N_DB_CONN_ERROR*/"
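Review bot: `$this->is_mysql = false;` is added with nothing saying what branches on it, and the property is not declared in this hunk; a comment such as `// downstream SQL generation/escaping presumably branches on this flag; MSSQL is not MySQL-compatible` would help, and it is worth confirming the property is declared on the class (or inherited from wpdb) rather than created dynamically here. Placing the assignment before the `@mssql_connect()` call would also read as "select driver, then connect", although as written it is unconditional either way. db_connect() continues after this hunk.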
2 changes: 2 additions & 0 deletions lib/W3/Enterprise/SnsBase.php
Expand Up @@ -64,6 +64,8 @@ protected function _log($message, $backtrace = null) {
$debug = print_r($backtrace, true);
$data .= $debug . "\n";
}
$data = strtr($data, '<>', '..');

$filename = w3_debug_log('sns');

return @file_put_contents($filename, $data, FILE_APPEND);
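Review bot: The `<>` substitution addresses HTML injection into the sns log, but the `print_r($backtrace, true)` dump it is applied to can carry far more sensitive content: if `$backtrace` is produced by `debug_backtrace()` without `DEBUG_BACKTRACE_IGNORE_ARGS` (its origin is outside this hunk), call arguments such as AWS credentials or topic ARNs end up in a file under the web root. Worth either generating the trace with that flag at the call site or dropping each frame's `args` here before `print_r()`, plus a comment on the strtr line, e.g. `// log may be opened in a browser: neutralise tag delimiters`. _log() begins before the visible lines.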
2 changes: 1 addition & 1 deletion lib/W3/Licensing.php
Expand Up @@ -141,7 +141,7 @@ function update_license_status() {

if ($license) {
$status = $license->license;
if ('host_valid' == $status) {
if (in_array($status, array('valid', 'host_valid'))) {
$version = 'pro';
} elseif (in_array($status, array('site_inactive','valid')) && w3tc_is_pro_dev_mode()) {
$status = 'valid';
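Review bot: With `'valid'` now accepted in the first branch, the `'valid'` entry in the following `in_array($status, array('site_inactive','valid'))` test is unreachable; shrink the elseif to `} elseif ('site_inactive' == $status && w3tc_is_pro_dev_mode()) {` so the dev-mode rule is readable and not mistaken for a second route to pro. Both `in_array()` calls also run without the strict flag; passing `true` avoids loose comparison on whatever the remote licence endpoint returns. update_license_status() continues past the hunk.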
1 change: 1 addition & 0 deletions lib/W3/Minify.php
Expand Up @@ -335,6 +335,7 @@ function set_file_custom_data($file, $data) {
*/
function log($msg) {
$data = sprintf("[%s] [%s] [%s] %s\n", date('r'), $_SERVER['REQUEST_URI'], (!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '-'), $msg);
$data = strtr($data, '<>', '..');

$filename = w3_debug_log('minify');
return @file_put_contents($filename, $data, FILE_APPEND);
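Review bot: This is one of four identical `strtr($data, '<>', '..')` lines in the commit (Cdn/Base, SnsBase and Varnish carry the same one); a single helper such as `w3_log_sanitize($data)` would keep the rule in one place when it is widened. Widening matters here because `$_SERVER['REQUEST_URI']` and `HTTP_REFERER` are attacker-chosen and `$msg` is caller-supplied: tag delimiters are neutralised but CR/LF are not, so if any caller passes request-derived text containing a line break in `$msg`, it still forges a new entry. A comment such as `// request URI and referer are untrusted: neutralise tag delimiters before writing the log` would record the intent. log() continues past the hunk.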
4 changes: 2 additions & 2 deletions lib/W3/PgCache.php
Expand Up @@ -1054,7 +1054,7 @@ function _get_debug_info($cache, $reason, $status, $time) {
$engine = $this->_config->get_string('pgcache.engine');
$debug_info = "<!-- W3 Total Cache: Page cache debug info:\r\n";
$debug_info .= sprintf("%s%s\r\n", str_pad('Engine: ', 20), w3_get_engine_name($engine));
$debug_info .= sprintf("%s%s\r\n", str_pad('Cache key: ', 20), $this->_page_key);
$debug_info .= sprintf("%s%s\r\n", str_pad('Cache key: ', 20), w3_escape_comment($this->_page_key));
$debug_info .= sprintf("%s%s\r\n", str_pad('Caching: ', 20), ($cache ? 'enabled' : 'disabled'));

if (!$cache) {
Expand All @@ -1071,7 +1071,7 @@ function _get_debug_info($cache, $reason, $status, $time) {
$debug_info .= "Header info:\r\n";

foreach ($headers as $header_name => $header_value) {
$debug_info .= sprintf("%s%s\r\n", str_pad($header_name . ': ', 20), w3_escape_comment($header_value));
$debug_info .= sprintf("%s%s\r\n", str_pad(w3_escape_comment($header_name) . ': ', 20), w3_escape_comment($header_value));
}
}

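Review bot: The `Reason:` line that `_get_debug_info()` emits when `$cache` is false lies between the two hunks and is not visible here; if `$reason` can carry request-derived text (query string, cookie or user-agent details), it needs the same `w3_escape_comment()` treatment the cache key and header names now get, or the `-->` break-out remains available through that line. The engine name on the `Engine:` line is config-derived and fine unescaped. A short comment above the comment-building block, `// everything interpolated here lands inside an HTML comment: escape so a value cannot close it`, would make the invariant explicit for the next field someone adds. _get_debug_info() starts at the first hunk header and continues past the second.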
2 changes: 1 addition & 1 deletion lib/W3/Plugin/NotificationsAdmin.php
Expand Up @@ -102,7 +102,7 @@ public function notify_edge_mode() {
w3_require_once(W3TC_INC_FUNCTIONS_DIR . '/admin_ui.php');
$message = sprintf(__('<p>You can now keep W3 Total Cache up-to-date without having to worry about new features breaking your website. There will be more releases with bug fixes, security fixes and settings updates. </p>
<p>Also, you can now try out our new features as soon as they\'re ready. %s to enable "edge mode" and unlock pre-release features. %s</p>', 'w3-total-cache')
,'<a href="' . w3_admin_url('admin.php?page='. $this->_page .'&w3tc_edge_mode_enable').'" class="button">' . __('Click Here', 'w3-total-cache') . '</a>'
,'<a href="' . w3_admin_url(wp_nonce_url('admin.php', 'w3tc') . '&page='. $this->_page .'&w3tc_edge_mode_enable').'" class="button">' . __('Click Here', 'w3-total-cache') . '</a>'
, w3_button_hide_note(__('Hide this message', 'w3-total-cache'), 'edge_mode', '', true,'','w3tc_default_hide_note_custom')
);
w3_e_notification_box($message, 'edge-mode');
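Review bot: WordPress core's `wp_nonce_url()` returns its result through `esc_html()`, so the `_wpnonce` separator arrives as `&amp;` while the `&page=` and `&w3tc_edge_mode_enable` parts appended here are raw; the mixed string is then passed through `w3_admin_url()` into `href` without a final `esc_url()`. Building the full URL first and escaping once is more robust: `'<a href="' . esc_url(wp_nonce_url(w3_admin_url('admin.php?page=' . $this->_page . '&w3tc_edge_mode_enable'), 'w3tc')) . '" class="button">'`, assuming w3_admin_url() accepts a query string as the replaced line did. notify_edge_mode() continues past the hunk.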
7 changes: 2 additions & 5 deletions lib/W3/Plugin/TotalCacheAdmin.php
Expand Up @@ -143,11 +143,8 @@ function load() {
$action_handler->set_default($this);
$action_handler->set_current_page($this->_page);
if ($action && $action_handler->exists($action)) {
if (strpos($action, 'view') !== false)
if (!wp_verify_nonce(W3_Request::get_string('_wpnonce'), 'w3tc'))
wp_nonce_ays('w3tc');
else
check_admin_referer('w3tc');
if (!wp_verify_nonce(W3_Request::get_string('_wpnonce'), 'w3tc'))
wp_nonce_ays('w3tc');

try {
$action_handler->execute($action);
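Review bot: The nonce check now applies to every action, but it is CSRF protection only — nothing in this hunk gates `execute()` on a capability such as `current_user_can('manage_options')`; if load() does not already do that above the hunk, a low-privilege user holding a valid nonce can reach any handler. The single `'w3tc'` action also means a nonce minted for a harmless view link authorises every destructive action; action-scoped nonces (`wp_verify_nonce(W3_Request::get_string('_wpnonce'), 'w3tc_' . $action)` here, the same string where links are minted) would narrow that. Relative to `check_admin_referer('w3tc')`, the hand-rolled check also skips core's `check_admin_referer` hook, which deserves a one-line comment if deliberate. load() continues past the hunk.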
1 change: 1 addition & 0 deletions lib/W3/Varnish.php
Expand Up @@ -166,6 +166,7 @@ function _request($varnish_server, $url) {
function _log($url, $msg) {
if ($this->_debug) {
$data = sprintf("[%s] [%s] %s\n", date('r'), $url, $msg);
$data = strtr($data, '<>', '..');

$filename = w3_debug_log('varnish');

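Review bot: Replacing `<` and `>` with `.` makes the logged `$url` lossy — a purge request for a path containing those characters is indistinguishable in the varnish log from one containing dots, which costs forensic value; an encoding that preserves the original, e.g. `rawurlencode()` of the URL field or `htmlspecialchars($data, ENT_QUOTES)` on the whole line, neutralises the same vector without ambiguity. Whatever is chosen, a comment such as `// log may be opened in a browser: neutralise tag delimiters` should explain the substitution. _log()'s body continues past the hunk.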
2 changes: 1 addition & 1 deletion pub/files.php
Expand Up @@ -31,7 +31,7 @@
$stored_nonce = get_site_option('w3tc_support_request') ? get_site_option('w3tc_support_request') : get_option('w3tc_support_request');
$stored_attachment = get_site_option('w3tc_support_request') ? get_site_option('attachment_' . $md5) : get_option('attachment_' . $md5);

if (file_exists($attachment_location) && $nonce == $stored_nonce && $stored_attachment == $attachment_location) {
if (file_exists($attachment_location) && $nonce == $stored_nonce && !empty($stored_nonce) && $stored_attachment == $attachment_location) {
w3_require_once(W3TC_INC_DIR . '/functions/mime.php');
$type = w3_get_mime_type($attachment_location);
header($_SERVER["SERVER_PROTOCOL"] . " 200 OK");
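Review bot: `$nonce == $stored_nonce` is a loose comparison of a request-supplied string against a stored secret, exactly where PHP's numeric-string juggling (`'1e3' == '1000'`) can match the wrong value, and it is not constant-time; use `hash_equals((string) $stored_nonce, (string) $nonce)` and test the stored value before touching the filesystem, so the condition reads `if ($stored_nonce !== '' && $stored_nonce !== false && hash_equals((string) $stored_nonce, (string) $nonce) && $stored_attachment === $attachment_location && file_exists($attachment_location))`. `!empty($stored_nonce)` also rejects a legitimately stored `'0'`, which the explicit tests do not. This script is directly reachable under pub/, and the derivation of `$nonce`, `$md5` and `$attachment_location` is above the hunk.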
4 changes: 2 additions & 2 deletions pub/js/options.js
Expand Up @@ -691,9 +691,9 @@ jQuery(function() {
jQuery('#plugin_license_key_verify').val(original_button_value);
if (data == 'expired') {
alert('The license key has expired. Please renew it.');
}else if(data == 'host_valid') {
}else if(data == 'host_valid' || data == 'valid') {
alert('License key is correct.');
}else if (data == 'valid') {
}else if (data == 'another_site_active') {
alert('License key is correct but already in use on another site. See the FAQ for how to enable Pro version in development mode.');
}else {
alert('The license key is not valid. Please check it and try again.');
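Review bot: The branches now diverge from the server: Licensing.php in this same commit treats `'site_inactive'` as usable in pro dev mode, but here it falls through to the generic "not valid" alert, so a developer enabling dev mode gets a misleading message; adding `} else if (data == 'site_inactive') { alert('License key is correct but not active for this site.'); }` (with wording matching the Licensing.php rule) keeps the two in step. The comparisons also use `==` where `===` is the idiom for string constants. The surrounding callback begins and ends outside the hunk.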
13 changes: 10 additions & 3 deletions readme.txt
@@ -1,9 +1,9 @@
=== Plugin Name ===
Contributors: fredericktownes
Tags: wpo, web performance optimization, performance, availability, scaling, scalability, user experience, cache, caching, page cache, css cache, js cache, db cache, disk cache, disk caching, database cache, http compression, gzip, deflate, minify, cdn, content delivery network, media library, performance, speed, multiple hosts, css, merge, combine, unobtrusive javascript, compress, optimize, optimizer, javascript, js, cascading style sheet, plugin, yslow, yui, google, google rank, google page speed, mod_pagespeed, new relic, newrelic, aws, s3, cloudfront, sns, elasticache, rds, flash media server, amazon web services, cloud files, rackspace, akamai, max cdn, limelight, cloudflare, mod_cloudflare, microsoft, microsoft azure, iis, nginx, litespeed, apache, varnish, xcache, apc, eacclerator, wincache, mysql, w3 total cache, batcache, wp cache, wp super cache, quick cache, wp minify, bwp-minify, buddypress
Tags: w3totalcache, w3 totalcache, w3total cache, wpo, web performance optimization, performance, availability, scaling, scalability, user experience, cache, caching, page cache, css cache, js cache, db cache, disk cache, disk caching, database cache, http compression, gzip, deflate, minify, cdn, content delivery network, media library, performance, speed, multiple hosts, css, merge, combine, unobtrusive javascript, compress, optimize, optimizer, javascript, js, cascading style sheet, plugin, yslow, yui, google, google rank, google page speed, mod_pagespeed, new relic, newrelic, aws, s3, cloudfront, sns, elasticache, rds, flash media server, amazon web services, cloud files, rackspace, akamai, max cdn, limelight, cloudflare, mod_cloudflare, microsoft, microsoft azure, iis, nginx, litespeed, apache, varnish, xcache, apc, eacclerator, wincache, mysql, w3 total cache, batcache, wp cache, wp super cache, quick cache, wp minify, bwp-minify, buddypress
Requires at least: 3.2
Tested up to: 4.0
Stable tag: 0.9.4
Tested up to: 4.0.1
Stable tag: 0.9.4.1
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Expand Down Expand Up @@ -747,6 +747,10 @@ Please reach out to all of these people and support their projects if you're so

== Changelog ==

= 0.9.4.1 =
* Fixed security issue if debug mode is enabled XSS vector exists HTML comments. CVE-2014-8724, Tobias Glemser
* Fixed security issue with missing nonces, Ryan Satterfield

= 0.9.4 =
* Fixed undefined w3tc_button_link
* Fixed support and other form submissions
Expand Down Expand Up @@ -859,6 +863,9 @@ Please reach out to all of these people and support their projects if you're so

== Upgrade Notice ==

= 0.9.4.1 =
Thanks for using W3 Total Cache! This release includes important security updates designed to contribute to a secure WordPress installation.

= 0.9.4 =
Thanks for using W3 Total Cache! This release introduces hundreds of well-tested stability fixes since the last release as well as a new mode called "edge mode," which allows us to make releases more often containing new features that are still undergoing testing or active iteration.

2 changes: 1 addition & 1 deletion w3-total-cache.php
Expand Up @@ -2,7 +2,7 @@
/*
Plugin Name: W3 Total Cache
Description: The highest rated and most complete WordPress performance plugin. Dramatically improve the speed and user experience of your site. Add browser, page, object and database caching as well as minify and content delivery network (CDN) to WordPress.
Version: 0.9.4
Version: 0.9.4.1
Plugin URI: http://www.w3-edge.com/wordpress-plugins/w3-total-cache/
Author: Frederick Townes
Author URI: http://www.linkedin.com/in/w3edge
