Version 3.7.3 for Vulnarablility fix

git-svn-id: https://plugins.svn.wordpress.org/wp-ultimate-csv-importer/trunk@1153788 b8457f37-d9ea-0310-8a92-e5e31aec5664

Readme.txt

@@ -1,20 +1,20 @@
-=== Import a CSV with Ultimate CSV Importer ===
+=== Import CSV made simple with Ultimate CSV Importer ===
 Contributors: smackcoders
 Donate link: http://www.smackcoders.com/donate.html
 Tags: wp all import, batch, csv, excel, import, spreadsheet, autoblog, Autoblogger, csvimporter, data, dataimport, importer, wpcsvimporter, wpimporter, acf, auto blog, csv import, csv to post, data import, Easy CSV Importer, eci, import plugin, admin, user, users, Advanced CSV Import, Advanced CSV Importer, affiliate, amazon, author, automatic, blog, bulk, bulk edit, bulk editor, categories, comments, content, csv file, csv format, csv importer, custom post, e-commerce, free, images, language, manage, media, meta, multisite, News, page, photos, pictures, plugin, Post, seo, shop, shortcode, tags, Taxonomy, text, title, video, eshop, woocommerce, wordpress, xml, youtube, export
 Requires at least: 4.1
 Tested up to: 4.2.1
-Stable tag: 3.7.2
-Version: 3.7.2
+Stable tag: 3.7.3
+Version: 3.7.3
 Author: smackcoders
 Author URI: http://profiles.wordpress.org/smackcoders/
 
 License: GPLv2 or later
 
-Import a CSV with Ultimate CSV Importer as posts, pages, eshop products, custom posts with custom fields in few simple clicks 
+Import CSV made simple with Ultimate CSV Importer to import/export posts, pages, eshop products, custom posts with custom fields in few simple clicks 
 
 == Description ==
-Import a CSV as wordpress posts made very simple and easy even for novice users as in few clicks and 3 simple steps with Ultimate CSV Importer plugin. Wordpress Ultimate CSV Importer V3.7.2 is updated with major issue fix and 4.2.1 compatibility.  Users can get product manual and sample csv files etc., from - http://www.wpultimatecsvimporter.com/
+Import CSV data to wordpress is made very easy even for novice users as in few clicks and 3 simple steps with Ultimate CSV Importer plugin. Wordpress Ultimate CSV Importer V3.7.3 is updated with major issue fix and 4.2.1 compatibility.  Users can get product manual and sample csv files etc., from - http://www.wpultimatecsvimporter.com/
 
 ** New Features of Wordpress Ultimate CSV Importer Pro V4.0 **
 
@@ -31,7 +31,7 @@ Import a CSV as wordpress posts made very simple and easy even for novice users
 * Mapping template feature with edit option.
 * Auto mapping and specific column update in Update feature.
 
-** Now stable version 3.7.2 available to download with hot linked featured image fix. Visit [www.wpultimatecsvimporter.com](http://www.wpultimatecsvimporter.com) for more news and future plans.
+** Now stable version 3.7.3 available to download with security issue fix. Visit [www.wpultimatecsvimporter.com](http://www.wpultimatecsvimporter.com) for more news and future plans.
 
 WP Ultimate CSV Importer Plugin proven much effective advanced CSV File Importer With Ultimate User Friendly Features. It is much easy now even for newbies to import csv file exported from any tool, app or software. Import as any wordpress post type and associated fields by simple mapping feature. Now import any CSV file as thousands of post, page and custom post types. This is admin side free plugin helps you in bulk edit, create and import posts type for your blog or site. 
 
@@ -197,6 +197,9 @@ This will solve your issue or get support from hosting if you dint have sufficie
 
 == Changelog ==
 
+= 3.7.3 =
+*Fixed: Vulnarablility security issue fix. 
+
 = 3.7.2 =
 * Added: wordpress 4.2 and 4.2.1 compatibility.
 * Fixed: Blank page conflict issue 
@@ -442,6 +445,9 @@ This will solve your issue or get support from hosting if you dint have sufficie
 
 == Upgrade Notice ==
 
+= 3.7.3 =
+* Upgrade now for Vulnarability fix.
+
 = 3.7.2 =
 * Important Upgrade for wordpress 4.2 and above
 

includes/WPImporter_includes_helper.php

@@ -1132,6 +1132,10 @@ function helpnotes()
 			</span>';
 		return $smackhelpnotes;
 	}
+	function create_nonce_key(){
+		return wp_create_nonce('smack_nonce');
+	}
+
 }
 
 class CallWPImporterObj extends WPImporter_includes_helper

js/ultimate-importer-free.js

@@ -7,10 +7,6 @@ jQuery( document ).ready(function() {
                   document.getElementById('log').innerHTML = '<p style="margin:15px;color:red;">NO LOGS YET NOW.</p>';
                 }
 
-//pieStats();
-//lineStats();
-
-
  }
  if (checkmodule == 'custompost') {
 		    var step = jQuery('#stepstatus').val();
@@ -22,7 +18,9 @@ jQuery( document ).ready(function() {
 	    }
  if (checkmodule != 'filemanager' && checkmodule != 'settings' && checkmodule !='support' && checkmodule !='export') {
 	 var checkfile = jQuery('#checkfile').val();
+	 var dir_path = jQuery('#dirpathval').val();
 	 var uploadedFile = jQuery('#uploadedFile').val();
+	 var noncekey = jQuery('#nonceKey').val();
 	 var select_delimeter = jQuery('#select_delim').val();
 	 var select_delim = jQuery('#select_delim').val();
 	 var get_log = jQuery('#log').val();
@@ -39,8 +37,8 @@ jQuery( document ).ready(function() {
 		 select_delim = select_delimeter;
 	 }
 	 if(uploadedFile != '' && select_delim != '') { 
-		 var doaction = 'record_no=1&file_name=' + uploadedFile + '&selected_delimeter=' + select_delim + '&checkmodule=' + checkmodule;
 		 var tmpLoc = jQuery('#tmpLoc').val();
+		 var doaction = 'record_no=1&file_name=' + uploadedFile + '&selected_delimeter=' + select_delim + '&checkmodule=' + checkmodule+'&temloc=' + tmpLoc+'&dir_path=' + dir_path + '&wpnonce=' + noncekey;
 		 if(tmpLoc != '' && tmpLoc != null) {
 			jQuery.ajax({
 				url: tmpLoc + 'templates/readfile.php',
@@ -70,6 +68,8 @@ document.getElementById('sec-two').style.display='';
 
 function gotoelement(id) {
     var gotoElement = document.getElementById('current_record').value;
+    var dir_path = jQuery('#dirpathval').val();
+    var noncekey = document.getElementById('nonceKey').value;
     var no_of_records = document.getElementById('totRecords').value;
     var uploadedFile = document.getElementById('uploadedFile').value;
     var delim = document.getElementById('select_delimeter').value;
@@ -103,7 +103,7 @@ function gotoelement(id) {
             return false;
         }
     }
-    var doaction = 'record_no=' + gotoElement + '&file_name=' + uploadedFile + '&delim='+ delim + '&checkmodule=' + checkmodule;
+    var doaction = 'record_no=' + gotoElement + '&file_name=' + uploadedFile + '&delim='+ delim + '&checkmodule=' + checkmodule+ '&dir_path=' + dir_path + '&wpnonce=' + noncekey;
     var tmpLoc = document.getElementById('tmpLoc').value;
     jQuery.ajax({
         url: tmpLoc + 'templates/readfile.php',
@@ -531,7 +531,8 @@ function enableinlineimageoption() {
 
 function importRecordsbySettings(siteurl)
 {
-        var importlimit = document.getElementById('importlimit').value; 
+        var importlimit = document.getElementById('importlimit').value;
+	var noncekey = document.getElementById('wpnoncekey').value; 
         var get_requested_count = importlimit; 
         var tot_no_of_records = document.getElementById('checktotal').value;
         var importas = document.getElementById('selectedImporter').value;
@@ -587,7 +588,7 @@ function importRecordsbySettings(siteurl)
 	if(importas == 'post' || importas == 'page' || importas == 'custompost' || importas == 'eshop')
 	advancemedia = document.getElementById('advance_media_handling').checked;
 	var postdata = new Array();
-	postdata = {'dupContent':dupContent,'dupTitle':dupTitle,'importlimit':importlimit,'limit':currentlimit,'totRecords':tot_no_of_records,'selectedImporter':importas,'uploadedFile':uploadedFile,'tmpcount':tmpCnt,'importinlineimage':importinlineimage,'inlineimagehandling':imagehandling,'inline_image_location':inline_image_location,'advance_media':advancemedia,}
+	postdata = {'dupContent':dupContent,'dupTitle':dupTitle,'importlimit':importlimit,'limit':currentlimit,'totRecords':tot_no_of_records,'selectedImporter':importas,'uploadedFile':uploadedFile,'tmpcount':tmpCnt,'importinlineimage':importinlineimage,'inlineimagehandling':imagehandling,'inline_image_location':inline_image_location,'advance_media':advancemedia,'wpnonce':noncekey}
 
         var tmpLoc = document.getElementById('tmpLoc').value;
 	jQuery.ajax({
@@ -980,6 +981,9 @@ function addexportfilter(id) {
 			document.getElementById('authors').style.display = '';
 			document.getElementById('postauthor').style.display = '';
 		}
+		else if(id == 'getdatawithdelimeter'){
+			document.getElementById('delimeter').style.display = '';			
+		}
 	} else if (document.getElementById(id).checked == false) {
                 if(id == 'getdataforspecificperiod') {
 			document.getElementById('specificperiodexport').style.display = 'none';
@@ -998,6 +1002,9 @@ function addexportfilter(id) {
                         document.getElementById('authors').style.display = 'none';
                         document.getElementById('postauthor').style.display = 'none';
                 }
+		else if(id == 'getdatawithdelimeter'){
+                        document.getElementById('delimeter').style.display = 'none';
+                }
 	}
 }