
Merge branch 'develop' into fix/restore-keyboard-access-to-donation-l…
…evels-and-frequency
JoshuaHungDinh authored Jan 6, 2025
2 parents e3753f6 + 38bb1f5 commit 9f31d92
Showing 10 changed files with 76 additions and 17 deletions.
2 changes: 1 addition & 1 deletion .gitignore
Expand Up @@ -4,7 +4,7 @@

# Bin files
/bin/*
!/bin/.gitkeep
!/bin/strauss-installar.sh

# Numerous always-ignore extensions
.diff
Empty file removed bin/.gitkeep
Empty file.
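--- a/bin/strauss-installar.sh
+++ b/bin/strauss-installar.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Function to get the installed version of strauss
+get_installed_version() {
+local version_output
+version_output=$(php ./bin/strauss.phar --version)
+echo "$version_output" | sed -n -e 's/^.*strauss //p'
+}
+
+# Function to check if the latest release version is not installed
+is_update_needed() {
+local latest_release=$1
+local current_version
+
+if [[ ! -f ./bin/strauss.phar ]]; then
+return 0
+fi
+
+current_version=$(get_installed_version)
+[[ "$current_version" != "$latest_release" ]]
+}
+
+# Function to download and install the latest release
+download_and_install() {
+local latest_release=$1
+rm -f ./bin/strauss.phar
+curl -o bin/strauss.phar -L -C - https://github.com/BrianHenryIE/strauss/releases/download/"$latest_release"/strauss.phar
+echo "$latest_release" > ./bin/strauss-version.txt
+}
+
+# Main script execution
+main() {
+local latest_release
+latest_release="0.20.1" # strauss release version
+if is_update_needed "$latest_release"; then
+echo "Updating strauss to $latest_release ..."
+download_and_install "$latest_release"
+fi
+}
+
+main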
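Review bot: `download_and_install` trusts whatever `curl` wrote to `bin/strauss.phar`: the file is later executed through `php ./bin/strauss.phar` with no integrity check, and because `--fail` is not passed an HTTP error body is saved under that name and still run on the next `composer install`. Pin the SHA-256 of the release asset next to `latest_release`, verify it before writing `strauss-version.txt`, and let failures propagate — as written `main` returns the status of the final `echo`, so a failed download exits 0 and Composer carries on; `download_and_install "$latest_release" || exit 1` in `main` plus `set -euo pipefail` after the shebang would cover that. The whole file is new in this commit, so the enclosing functions are fully visible.

```shell
download_and_install() {
    local latest_release=$1
    # Pin the asset checksum next to the version; update both together.
    local expected_sha256="<sha256-of-pinned-strauss.phar>"  # placeholder: fill from the release page
    rm -f ./bin/strauss.phar
    curl -fsSL -o bin/strauss.phar "https://github.com/BrianHenryIE/strauss/releases/download/${latest_release}/strauss.phar" || return 1
    echo "${expected_sha256}  bin/strauss.phar" | sha256sum -c - || { rm -f bin/strauss.phar; return 1; }
    echo "$latest_release" > ./bin/strauss-version.txt
}
```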
5 changes: 3 additions & 2 deletions composer.json
Expand Up @@ -45,9 +45,10 @@
"test": "./vendor/bin/phpunit --colors --stop-on-failure",
"unreleased": "./vendor/bin/since-unreleased.sh",
"strauss": [
"test -f ./bin/strauss.phar || curl -o bin/strauss.phar -L -C - https://github.com/BrianHenryIE/strauss/releases/download/0.14.0/strauss.phar",
"bin/strauss-installar.sh",
"vendor/stellarwp/validation/bin/set-domain domain=give",
"@php bin/strauss.phar"
"@php bin/strauss.phar",
"@composer dump-autoload"
],
"post-install-cmd": [
"@strauss",
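Review bot: `bin/strauss-installar.sh` is invoked by bare path on the new line of the `strauss` script, so it depends on the executable bit surviving every checkout; `"bash bin/strauss-installar.sh"` removes that dependency. The script name is also misspelled (`installar`); if it is renamed to `strauss-installer.sh`, the `.gitignore` negation added in this same commit must follow. Since `@strauss` is listed under `post-install-cmd` on the lines below, the download logic now runs on every `composer install`, so any failure-handling gap in the installer surfaces there.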
4 changes: 2 additions & 2 deletions give.php
Expand Up @@ -6,7 +6,7 @@
* Description: The most robust, flexible, and intuitive way to accept donations on WordPress.
* Author: GiveWP
* Author URI: https://givewp.com/
* Version: 3.19.2
* Version: 3.19.3
* Requires at least: 6.5
* Requires PHP: 7.2
* Text Domain: give
Expand Down Expand Up @@ -411,7 +411,7 @@ private function setup_constants()
{
// Plugin version.
if (!defined('GIVE_VERSION')) {
define('GIVE_VERSION', '3.19.2');
define('GIVE_VERSION', '3.19.3');
}

// Plugin Root File.
5 changes: 3 additions & 2 deletions includes/formatting.php
Expand Up @@ -735,6 +735,7 @@ function give_get_cache_key($action, $query_args)
* Clean variables using sanitize_text_field. Arrays are cleaned recursively.
* Non-scalar values are ignored.
*
* @since 3.19.3 Don't unserialize data by default and return an empty string when data is serialized and $allow_serialized_data is false
* @since 3.17.2 Safe unserialize data by default
* @since 1.8
*
Expand All @@ -748,8 +749,8 @@ function give_clean($var, $allow_serialized_data = false)
return array_map('give_clean', $var);
}

if ( ! $allow_serialized_data) {
$var = Utils::safeUnserialize($var);
if ( Utils::isSerialized($var)) {
$var = $allow_serialized_data ? Utils::safeUnserialize($var) : '';
}

return is_scalar($var) ? sanitize_text_field(wp_unslash($var)) : $var;
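Review bot: When `$allow_serialized_data` is true, the result of `Utils::safeUnserialize($var)` on the new line flows straight into the return on the last line, so an unserialized array reaches the caller without the recursive cleaning that the `is_array` branch at the top of the hunk applies to input arrays; only scalars get `sanitize_text_field`. Consider `if (is_array($var)) { return array_map('give_clean', $var); }` right after the unserialize, assuming `safeUnserialize` can yield arrays (its contract is not visible in this diff, and `Utils::isSerialized` is not part of it either). The `@since 3.19.3` docblock line in the first hunk describes the new empty-string behaviour; a one-line comment above the new `if`, `// serialized input is never unserialized unless the caller opts in`, would keep that intent next to the code.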
5 changes: 4 additions & 1 deletion readme.txt
Expand Up @@ -5,7 +5,7 @@ Tags: donation, donate, recurring donations, fundraising, crowdfunding
Requires at least: 6.5
Tested up to: 6.7
Requires PHP: 7.2
Stable tag: 3.19.2
Stable tag: 3.19.3
License: GPLv3
License URI: http://www.gnu.org/licenses/gpl-3.0.html

Expand Down Expand Up @@ -266,6 +266,9 @@ You can report security bugs through the Patchstack Vulnerability Disclosure Pro
10. Use almost any payment gateway integration with GiveWP through our add-ons or by creating your own add-on.

== Changelog ==
= 3.19.3: December 24th, 2024 =
* Security: Added additional sanitization to the donation form request to prevent malicious serialized data (CVE-2024-12877)

= 3.19.2: December 17th, 2024 =
* Fix: Resolved an issue with the custom donation amount field where using certain languages like Swedish were resulting in additional zero values being added

3 changes: 2 additions & 1 deletion src/DonationForms/ViewModels/DonationFormViewModel.php
Expand Up @@ -252,6 +252,7 @@ public function exports(): array
* 5. Finally, call the specific WP function wp_print_footer_scripts()
* - This will only print the footer scripts that are enqueued within our route.
*
* @unreleased Adds class for form design
* @since 3.11.0 Sanitize customCSS property
* @since 3.0.0
*/
Expand All @@ -277,7 +278,7 @@ public function render(): string
endif; ?>

<?php
$classNames = ['givewp-donation-form'];
$classNames = ['givewp-donation-form', "givewp-donation-form-design--{$this->designId()}"];

if ($this->previewMode) {
$classNames[] = 'givewp-donation-form--preview';
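Review bot: `{$this->designId()}` is interpolated into a CSS class name on the new `$classNames` line, and the hunk does not show where `$classNames` is echoed, so confirm that path runs the joined string through `esc_attr()` (or that the design id is restricted to a known slug set), since the id presumably comes from stored form settings. A short comment would document that assumption: `// designId() becomes part of an HTML class attribute; it must be a safe slug or be escaped on output`. The `@unreleased` tag in the first hunk should be resolved to a version before this ships. `render()` continues outside the hunk.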
14 changes: 11 additions & 3 deletions src/Helpers/Utils.php
Expand Up @@ -130,9 +130,9 @@ public static function removeBackslashes($data)
}

/**
* The regular expression attempts to capture the basic structure of a serialized array
* or object. This is more robust than the is_serialized() function but still not perfect.
* The regular expression attempts to capture the basic structure of all data types that can be serialized by PHP.
*
* @since 3.19.3 Support all types of serialized data instead of only objects and arrays
* @since 3.17.2
*/
public static function containsSerializedDataRegex($data): bool
Expand All @@ -141,7 +141,15 @@ public static function containsSerializedDataRegex($data): bool
return false;
}

$pattern = '/(a:\d+:\{.*\})|(O:\d+:"[^"]+":\{.*\})/';
$pattern = '/
(a:\d+:\{.*\}) | # Matches arrays (e.g: a:2:{i:0;s:5:"hello";i:1;i:42;})
(O:\d+:"[^"]+":\{.*\}) | # Matches objects (e.g: O:8:"stdClass":1:{s:4:"name";s:5:"James";})
(s:\d+:"[^"]*";) | # Matches strings (e.g: s:5:"hello";)
(i:\d+;) | # Matches integers (e.g: i:42;)
(b:[01];) | # Matches booleans (e.g: b:1; or b:0;)
(d:\d+(\.\d+)?;) | # Matches floats (e.g: d:3.14;)
(N;) # Matches NULL (e.g: N;)
/x';

return preg_match($pattern, $data) === 1;
}
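Review bot: The object alternative `(O:\d+:"[^"]+":\{.*\})` in the new pattern cannot match PHP's real object encoding, which carries a property count between the class name and the brace (`O:8:"stdClass":1:{`, exactly as the comment's own example shows); in the test data it is only the nested `s:4:"name";` that makes the check pass, and an object with no properties is missed. The integer and float alternatives accept only non-negative literals, so `i:-42;` and `d:-3.14;` (and exponent forms such as `d:1.0E+25;`) are not recognised, while the `C:`, `E:`, `r:` and `R:` encodings are not covered at all. Suggested lines: `(O:\d+:"[^"]+":\d+:\{.*\})`, `(i:-?\d+;)`, `(d:-?\d+(\.\d+)?([eE][+-]?\d+)?;)`, and the docblock in the first hunk should list the types actually covered rather than claim "all data types that can be serialized by PHP". `containsSerializedDataRegex` opens in the first hunk of this file.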
14 changes: 9 additions & 5 deletions tests/Unit/Helpers/UtilsTest.php
Expand Up @@ -82,6 +82,7 @@ public function testMaybeSafeUnserialize($data, bool $expected)
}

/**
* @since 3.19.3 Test all types of serialized data
* @since 3.17.2
*/
public function serializedDataProvider(): array
Expand All @@ -90,15 +91,18 @@ public function serializedDataProvider(): array
[serialize('bar'), true],
['\\' . serialize('backslash-bypass'), true],
['\\\\' . serialize('double-backslash-bypass'), true],
[
// String with serialized data hidden in the middle of the content
'Lorem ipsum dolor sit amet, {a:2:{i:0;s:5:\"hello\";i:1;s:5:\"world\";}} consectetur adipiscing elit.',
true,
],
['foo', false],
[serialize('qux'), true],
['bar', false],
['foo bar', false],
// Strings with serialized data hidden in the middle of the content
['Lorem ipsum a:2:{i:0;s:5:"hello";i:1;i:42;} dolor sit amet', true], // array
['Lorem ipsum O:8:"stdClass":1:{s:4:"name";s:5:"James";} dolor sit amet', true], // object
['Lorem ipsum s:5:"hello"; dolor sit amet', true], // string
['Lorem ipsum i:42; dolor sit amet', true], // integer
['Lorem ipsum b:1; dolor sit amet', true], // boolean
['Lorem ipsum d:3.14; dolor sit amet', true], // float
['Lorem ipsum N; dolor sit amet', true], // NULL
];
}
}
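Review bot: The provider has no negative-number, exponent-float or empty-object cases, so the new `i:`/`d:`/`O:` alternatives in `Utils::containsSerializedDataRegex` are only exercised on the happy-path literals shown; as far as the pattern in the Utils.php hunk shows, `[serialize(-42), true]`, `[serialize(-3.14), true]` and `['O:8:"stdClass":0:{}', true]` would currently fail. Adding them pins the sanitiser's coverage rather than the examples in the regex comments. The `@since 3.19.3` line in the first hunk could name these categories so the next reader knows what the provider is meant to cover.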

0 comments on commit 9f31d92
