Skip to content
This repository was archived by the owner on Mar 1, 2024. It is now read-only.

Commit 9a1cc9f

Browse files
author
fredericktownes
committed
Security update
git-svn-id: https://plugins.svn.wordpress.org/w3-total-cache/trunk@1041802 b8457f37-d9ea-0310-8a92-e5e31aec5664
1 parent 4fa611d commit 9a1cc9f

17 files changed

+2005
-22
lines changed

Diff for: configs/0.9.4-ConfigKeys.php

+1,971
Large diffs are not rendered by default.

Diff for: inc/define.php

+1-1
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
}
66

77
define('W3TC', true);
8-
define('W3TC_VERSION', '0.9.4');
8+
define('W3TC_VERSION', '0.9.4.1');
99
define('W3TC_POWERED_BY', 'W3 Total Cache/' . W3TC_VERSION);
1010
define('W3TC_EMAIL', 'w3tc@w3-edge.com');
1111
define('W3TC_TEXT_DOMAIN', 'w3-total-cache');

Diff for: lib/W3/AdminActions/DefaultActionsAdmin.php

+5
Original file line numberDiff line numberDiff line change
@@ -61,8 +61,13 @@ function action_default_stop_previewing() {
6161
function action_default_save_licence_key() {
6262
$license = W3_Request::get_string('license_key');
6363
try {
64+
$old_config = new W3_Config();
65+
6466
$this->_config->set('plugin.license_key', $license);
6567
$this->_config->save();
68+
69+
w3_instance('W3_Licensing')->possible_state_change($this->_config,
70+
+ $old_config);
6671
} catch(Exception $ex){
6772
echo json_encode(array('result' => 'failed'));
6873
exit;

Diff for: lib/W3/AdminActions/EdgeModeActionsAdmin.php

+2-5
Original file line numberDiff line numberDiff line change
@@ -44,11 +44,8 @@ public function action_edge_mode_enable() {
4444
try {
4545
w3_wp_write_to_file($config_path, $new_config_data);
4646
} catch (FilesystemOperationException $ex) {
47-
throw new FilesystemModifyException(
48-
$ex->getMessage(), $ex->credentials_form(),
49-
'Edit file <strong>' . $config_path .
50-
'</strong> and add the next lines:', $config_path,
51-
$this->wp_config_evaluation_mode());
47+
throw new Exception('Configuration file not writable. Please edit file <strong>' . $config_path .
48+
'</strong> and add the next lines: '. $this->wp_config_evaluation_mode());
5249
}
5350
try {
5451
$this->_config_admin->set('notes.edge_mode', false);

Diff for: lib/W3/Cdn/Base.php

+1
Original file line numberDiff line numberDiff line change
@@ -614,6 +614,7 @@ function _get_scheme() {
614614
*/
615615
function _log($local_path, $remote_path, $error) {
616616
$data = sprintf("[%s] [%s => %s] %s\n", date('r'), $local_path, $remote_path, $error);
617+
$data = strtr($data, '<>', '..');
617618

618619
$filename = w3_debug_log('cdn');
619620

Diff for: lib/W3/Db/mssql.php

+1
Original file line numberDiff line numberDiff line change
@@ -1056,6 +1056,7 @@ function db_connect( $query = "SELECT" ) {
10561056

10571057
$dbhname = "dbh" . $action;
10581058
$this->$dbhname = @mssql_connect( $details[ 'db_host' ], $details[ 'db_user' ], $details[ 'db_password' ] );
1059+
$this->is_mysql = false;
10591060

10601061
if (!$this->$dbhname ) {
10611062
$this->bail( sprintf( /*WP_I18N_DB_CONN_ERROR*/"

Diff for: lib/W3/Enterprise/SnsBase.php

+2
Original file line numberDiff line numberDiff line change
@@ -64,6 +64,8 @@ protected function _log($message, $backtrace = null) {
6464
$debug = print_r($backtrace, true);
6565
$data .= $debug . "\n";
6666
}
67+
$data = strtr($data, '<>', '..');
68+
6769
$filename = w3_debug_log('sns');
6870

6971
return @file_put_contents($filename, $data, FILE_APPEND);

Diff for: lib/W3/Licensing.php

+1-1
Original file line numberDiff line numberDiff line change
@@ -141,7 +141,7 @@ function update_license_status() {
141141

142142
if ($license) {
143143
$status = $license->license;
144-
if ('host_valid' == $status) {
144+
if (in_array($status, array('valid', 'host_valid'))) {
145145
$version = 'pro';
146146
} elseif (in_array($status, array('site_inactive','valid')) && w3tc_is_pro_dev_mode()) {
147147
$status = 'valid';

Diff for: lib/W3/Minify.php

+1
Original file line numberDiff line numberDiff line change
@@ -335,6 +335,7 @@ function set_file_custom_data($file, $data) {
335335
*/
336336
function log($msg) {
337337
$data = sprintf("[%s] [%s] [%s] %s\n", date('r'), $_SERVER['REQUEST_URI'], (!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '-'), $msg);
338+
$data = strtr($data, '<>', '..');
338339

339340
$filename = w3_debug_log('minify');
340341
return @file_put_contents($filename, $data, FILE_APPEND);

Diff for: lib/W3/PgCache.php

+2-2
Original file line numberDiff line numberDiff line change
@@ -1054,7 +1054,7 @@ function _get_debug_info($cache, $reason, $status, $time) {
10541054
$engine = $this->_config->get_string('pgcache.engine');
10551055
$debug_info = "<!-- W3 Total Cache: Page cache debug info:\r\n";
10561056
$debug_info .= sprintf("%s%s\r\n", str_pad('Engine: ', 20), w3_get_engine_name($engine));
1057-
$debug_info .= sprintf("%s%s\r\n", str_pad('Cache key: ', 20), $this->_page_key);
1057+
$debug_info .= sprintf("%s%s\r\n", str_pad('Cache key: ', 20), w3_escape_comment($this->_page_key));
10581058
$debug_info .= sprintf("%s%s\r\n", str_pad('Caching: ', 20), ($cache ? 'enabled' : 'disabled'));
10591059

10601060
if (!$cache) {
@@ -1071,7 +1071,7 @@ function _get_debug_info($cache, $reason, $status, $time) {
10711071
$debug_info .= "Header info:\r\n";
10721072

10731073
foreach ($headers as $header_name => $header_value) {
1074-
$debug_info .= sprintf("%s%s\r\n", str_pad($header_name . ': ', 20), w3_escape_comment($header_value));
1074+
$debug_info .= sprintf("%s%s\r\n", str_pad(w3_escape_comment($header_name) . ': ', 20), w3_escape_comment($header_value));
10751075
}
10761076
}
10771077

Diff for: lib/W3/Plugin/NotificationsAdmin.php

+1-1
Original file line numberDiff line numberDiff line change
@@ -102,7 +102,7 @@ public function notify_edge_mode() {
102102
w3_require_once(W3TC_INC_FUNCTIONS_DIR . '/admin_ui.php');
103103
$message = sprintf(__('<p>You can now keep W3 Total Cache up-to-date without having to worry about new features breaking your website. There will be more releases with bug fixes, security fixes and settings updates. </p>
104104
<p>Also, you can now try out our new features as soon as they\'re ready. %s to enable "edge mode" and unlock pre-release features. %s</p>', 'w3-total-cache')
105-
,'<a href="' . w3_admin_url('admin.php?page='. $this->_page .'&w3tc_edge_mode_enable').'" class="button">' . __('Click Here', 'w3-total-cache') . '</a>'
105+
,'<a href="' . w3_admin_url(wp_nonce_url('admin.php', 'w3tc') . '&page='. $this->_page .'&w3tc_edge_mode_enable').'" class="button">' . __('Click Here', 'w3-total-cache') . '</a>'
106106
, w3_button_hide_note(__('Hide this message', 'w3-total-cache'), 'edge_mode', '', true,'','w3tc_default_hide_note_custom')
107107
);
108108
w3_e_notification_box($message, 'edge-mode');

Diff for: lib/W3/Plugin/TotalCacheAdmin.php

+2-5
Original file line numberDiff line numberDiff line change
@@ -143,11 +143,8 @@ function load() {
143143
$action_handler->set_default($this);
144144
$action_handler->set_current_page($this->_page);
145145
if ($action && $action_handler->exists($action)) {
146-
if (strpos($action, 'view') !== false)
147-
if (!wp_verify_nonce(W3_Request::get_string('_wpnonce'), 'w3tc'))
148-
wp_nonce_ays('w3tc');
149-
else
150-
check_admin_referer('w3tc');
146+
if (!wp_verify_nonce(W3_Request::get_string('_wpnonce'), 'w3tc'))
147+
wp_nonce_ays('w3tc');
151148

152149
try {
153150
$action_handler->execute($action);

Diff for: lib/W3/Varnish.php

+1
Original file line numberDiff line numberDiff line change
@@ -166,6 +166,7 @@ function _request($varnish_server, $url) {
166166
function _log($url, $msg) {
167167
if ($this->_debug) {
168168
$data = sprintf("[%s] [%s] %s\n", date('r'), $url, $msg);
169+
$data = strtr($data, '<>', '..');
169170

170171
$filename = w3_debug_log('varnish');
171172

Diff for: pub/files.php

+1-1
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,7 @@
3131
$stored_nonce = get_site_option('w3tc_support_request') ? get_site_option('w3tc_support_request') : get_option('w3tc_support_request');
3232
$stored_attachment = get_site_option('w3tc_support_request') ? get_site_option('attachment_' . $md5) : get_option('attachment_' . $md5);
3333

34-
if (file_exists($attachment_location) && $nonce == $stored_nonce && $stored_attachment == $attachment_location) {
34+
if (file_exists($attachment_location) && $nonce == $stored_nonce && !empty($stored_nonce) && $stored_attachment == $attachment_location) {
3535
w3_require_once(W3TC_INC_DIR . '/functions/mime.php');
3636
$type = w3_get_mime_type($attachment_location);
3737
header($_SERVER["SERVER_PROTOCOL"] . " 200 OK");

Diff for: pub/js/options.js

+2-2
Original file line numberDiff line numberDiff line change
@@ -691,9 +691,9 @@ jQuery(function() {
691691
jQuery('#plugin_license_key_verify').val(original_button_value);
692692
if (data == 'expired') {
693693
alert('The license key has expired. Please renew it.');
694-
}else if(data == 'host_valid') {
694+
}else if(data == 'host_valid' || data == 'valid') {
695695
alert('License key is correct.');
696-
}else if (data == 'valid') {
696+
}else if (data == 'another_site_active') {
697697
alert('License key is correct but already in use on another site. See the FAQ for how to enable Pro version in development mode.');
698698
}else {
699699
alert('The license key is not valid. Please check it and try again.');

Diff for: readme.txt

+10-3
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
11
=== Plugin Name ===
22
Contributors: fredericktownes
3-
Tags: wpo, web performance optimization, performance, availability, scaling, scalability, user experience, cache, caching, page cache, css cache, js cache, db cache, disk cache, disk caching, database cache, http compression, gzip, deflate, minify, cdn, content delivery network, media library, performance, speed, multiple hosts, css, merge, combine, unobtrusive javascript, compress, optimize, optimizer, javascript, js, cascading style sheet, plugin, yslow, yui, google, google rank, google page speed, mod_pagespeed, new relic, newrelic, aws, s3, cloudfront, sns, elasticache, rds, flash media server, amazon web services, cloud files, rackspace, akamai, max cdn, limelight, cloudflare, mod_cloudflare, microsoft, microsoft azure, iis, nginx, litespeed, apache, varnish, xcache, apc, eacclerator, wincache, mysql, w3 total cache, batcache, wp cache, wp super cache, quick cache, wp minify, bwp-minify, buddypress
3+
Tags: w3totalcache, w3 totalcache, w3total cache, wpo, web performance optimization, performance, availability, scaling, scalability, user experience, cache, caching, page cache, css cache, js cache, db cache, disk cache, disk caching, database cache, http compression, gzip, deflate, minify, cdn, content delivery network, media library, performance, speed, multiple hosts, css, merge, combine, unobtrusive javascript, compress, optimize, optimizer, javascript, js, cascading style sheet, plugin, yslow, yui, google, google rank, google page speed, mod_pagespeed, new relic, newrelic, aws, s3, cloudfront, sns, elasticache, rds, flash media server, amazon web services, cloud files, rackspace, akamai, max cdn, limelight, cloudflare, mod_cloudflare, microsoft, microsoft azure, iis, nginx, litespeed, apache, varnish, xcache, apc, eacclerator, wincache, mysql, w3 total cache, batcache, wp cache, wp super cache, quick cache, wp minify, bwp-minify, buddypress
44
Requires at least: 3.2
5-
Tested up to: 4.0
6-
Stable tag: 0.9.4
5+
Tested up to: 4.0.1
6+
Stable tag: 0.9.4.1
77
License: GPLv2 or later
88
License URI: http://www.gnu.org/licenses/gpl-2.0.html
99

@@ -747,6 +747,10 @@ Please reach out to all of these people and support their projects if you're so
747747

748748
== Changelog ==
749749

750+
= 0.9.4.1 =
751+
* Fixed security issue if debug mode is enabled XSS vector exists HTML comments. CVE-2014-8724, Tobias Glemser
752+
* Fixed security issue with missing nonces, Ryan Satterfield
753+
750754
= 0.9.4 =
751755
* Fixed undefined w3tc_button_link
752756
* Fixed support and other form submissions
@@ -859,6 +863,9 @@ Please reach out to all of these people and support their projects if you're so
859863

860864
== Upgrade Notice ==
861865

866+
= 0.9.4.1 =
867+
Thanks for using W3 Total Cache! This release includes important security updates designed to contribute to a secure WordPress installation.
868+
862869
= 0.9.4 =
863870
Thanks for using W3 Total Cache! This release introduces hundreds of well-tested stability fixes since the last release as well as a new mode called "edge mode," which allows us to make releases more often containing new features that are still undergoing testing or active iteration.
864871

Diff for: w3-total-cache.php

+1-1
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
/*
33
Plugin Name: W3 Total Cache
44
Description: The highest rated and most complete WordPress performance plugin. Dramatically improve the speed and user experience of your site. Add browser, page, object and database caching as well as minify and content delivery network (CDN) to WordPress.
5-
Version: 0.9.4
5+
Version: 0.9.4.1
66
Plugin URI: http://www.w3-edge.com/wordpress-plugins/w3-total-cache/
77
Author: Frederick Townes
88
Author URI: http://www.linkedin.com/in/w3edge

0 commit comments

Comments
 (0)