From dcf3d1121815429cc024370fef5d4ac1ec94b0ba Mon Sep 17 00:00:00 2001
From: Jakob Bouchard
Date: Sun, 13 Oct 2024 22:28:06 -0400
Subject: [PATCH 1/3] Fix CSRF possibility
---
 hestia-nginx-cache.php | 4 ++--
 includes/admin.php | 15 +++++++++++----
 languages/hestia-nginx-cache-fr_CA.po | 2 +-
 languages/hestia-nginx-cache-pt_BR.po | 2 +-
 languages/hestia-nginx-cache.pot | 2 +-
 readme.txt | 5 ++++-
 6 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/hestia-nginx-cache.php b/hestia-nginx-cache.php
index 473110c..b57f27b 100644
--- a/hestia-nginx-cache.php
+++ b/hestia-nginx-cache.php
@@ -11,7 +11,7 @@
 * Plugin Name: Hestia Nginx Cache
 * Description: Hestia Nginx Cache Integration for WordPress. Auto-purges the Nginx cache when needed.
 * Plugin URI: https://github.com/jakobbouchard/hestia-nginx-cache
- * Version: 2.4.0
+ * Version: 2.4.1
 * Requires at least: 4.8
 * Requires PHP: 5.4
 * Author: Jakob Bouchard
@@ -28,7 +28,7 @@ class Hestia_Nginx_Cache {
 public const NAME = 'hestia-nginx-cache';
- public const VERSION = '2.4.0';
+ public const VERSION = '2.4.1';
 private static $instance = null;
 public static $plugin_basename = null;
diff --git a/includes/admin.php b/includes/admin.php
index 70c59d2..9604822 100644
--- a/includes/admin.php
+++ b/includes/admin.php
@@ -263,6 +263,13 @@ public function embed_admin_notices()
 public function purge()
 {
+ if (!wp_verify_nonce($_POST['wp_nonce'], 'hestia-nginx-cache-purge-wp-nonce')) {
+ wp_send_json_error([
+ 'message' => esc_html__('The Hestia Nginx Cache could not be purged!', 'hestia-nginx-cache'),
+ 'error' => esc_html__('Invalid nonce.', 'hestia-nginx-cache')
+ ]);
+ }
+
 $result = $this->plugin->purge(true);
 if ($result) {
 $exit_code = wp_remote_retrieve_header($result, 'Hestia-Exit-Code');
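Review bot: The new nonce check reads `$_POST['wp_nonce']` directly, so a request that omits the field raises an undefined-array-key warning before `wp_verify_nonce()` rejects it, and the raw value is passed without being unslashed. Read it defensively first, `$nonce = isset($_POST['wp_nonce']) ? sanitize_text_field(wp_unslash($_POST['wp_nonce'])) : '';` and then `if (!wp_verify_nonce($nonce, 'hestia-nginx-cache-purge-wp-nonce')) {`; `check_ajax_referer('hestia-nginx-cache-purge-wp-nonce', 'wp_nonce')` is the WordPress-native form if its plain `-1` failure reply is acceptable to the caller. The early exit relies on `wp_send_json_error()` terminating the request, which is not visible in the hunk; a comment such as `// wp_send_json_error() ends the request, so no return is needed.` would make that explicit. The same lookup survives as context in the patch 3 hunk of this file, and purge() continues past the end of this hunk.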
@@ -280,10 +287,10 @@ public function purge()
 $args['error'] = 'Unknown error';
 }
 wp_send_json_error($args);
- } elseif (wp_verify_nonce($_POST['wp_nonce'], 'hestia-nginx-cache-purge-wp-nonce')) {
- wp_send_json_success([
- 'message' => esc_html__('The Hestia Nginx Cache was purged successfully.', 'hestia-nginx-cache')
- ]);
 }
+
+ wp_send_json_success([
+ 'message' => esc_html__('The Hestia Nginx Cache was purged successfully.', 'hestia-nginx-cache')
+ ]);
 }
 }
diff --git a/languages/hestia-nginx-cache-fr_CA.po b/languages/hestia-nginx-cache-fr_CA.po
index 5e42ea9..444f565 100644
--- a/languages/hestia-nginx-cache-fr_CA.po
+++ b/languages/hestia-nginx-cache-fr_CA.po
@@ -1,6 +1,6 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Hestia Nginx Cache 2.4.0\n"
+"Project-Id-Version: Hestia Nginx Cache 2.4.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/hestia-nginx-cache\n"
 "Last-Translator: Jakob Bouchard \n"
 "Language-Team: Unknown\n"
diff --git a/languages/hestia-nginx-cache-pt_BR.po b/languages/hestia-nginx-cache-pt_BR.po
index 3b464c3..b363e85 100644
--- a/languages/hestia-nginx-cache-pt_BR.po
+++ b/languages/hestia-nginx-cache-pt_BR.po
@@ -1,6 +1,6 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Hestia Nginx Cache 2.4.0\n"
+"Project-Id-Version: Hestia Nginx Cache 2.4.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/hestia-nginx-"
 "cache\n"
 "Last-Translator: Maison da Silva\n"
diff --git a/languages/hestia-nginx-cache.pot b/languages/hestia-nginx-cache.pot
index 0268bfd..ff0cc95 100644
--- a/languages/hestia-nginx-cache.pot
+++ b/languages/hestia-nginx-cache.pot
@@ -2,7 +2,7 @@
 # This file is distributed under the GPL v3.
 msgid ""
 msgstr ""
-"Project-Id-Version: Hestia Nginx Cache 2.4.0\n"
+"Project-Id-Version: Hestia Nginx Cache 2.4.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/hestia-nginx-cache\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
diff --git a/readme.txt b/readme.txt
index 692f161..446d746 100644
--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Tags: cache, flush, purge, hestia, nginx
 Requires at least: 4.8
 Tested up to: 6.6
 Requires PHP: 5.4
-Stable tag: 2.4.0
+Stable tag: 2.4.1
 License: GPL v3
 License URI: http://www.gnu.org/licenses/gpl-3.0.txt
@@ -70,6 +70,9 @@ If your issues persist, do not hesitate to contact me via email!
 == Changelog ==
+= 2.4.1 =
+* Add WP CLI support.
+
 = 2.4.0 =
 * Add WP CLI support.
From 352f7c0dfb8c0a167547f4e872d150daa5fd3e13 Mon Sep 17 00:00:00 2001
From: Jakob Bouchard
Date: Sun, 3 Nov 2024 15:55:00 -0500
Subject: [PATCH 2/3] Update changelog
---
 readme.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/readme.txt b/readme.txt
index 446d746..7b7fdbb 100644
--- a/readme.txt
+++ b/readme.txt
@@ -71,7 +71,7 @@ If your issues persist, do not hesitate to contact me via email!
 == Changelog ==
 = 2.4.1 =
-* Add WP CLI support.
+* Fix CSRF possibility (thanks to Marek Mikita for reporting via PatchStack).
 = 2.4.0 =
 * Add WP CLI support.
From 4b886c8ac8ded4fb5e116224767af92c65646608 Mon Sep 17 00:00:00 2001
From: Jakob Bouchard
Date: Mon, 4 Nov 2024 20:21:05 -0500
Subject: [PATCH 3/3] Check for permissions when purging
---
 includes/admin.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/includes/admin.php b/includes/admin.php
index 9604822..2f50ed3 100644
--- a/includes/admin.php
+++ b/includes/admin.php
@@ -263,6 +263,13 @@ public function embed_admin_notices()
 public function purge()
 {
+ if (!current_user_can('edit_posts')) {
+ wp_send_json_error([
+ 'message' => esc_html__('The Hestia Nginx Cache could not be purged!', 'hestia-nginx-cache'),
+ 'error' => esc_html__('Not enough permissions.', 'hestia-nginx-cache')
+ ]);
+ }
+
 if (!wp_verify_nonce($_POST['wp_nonce'], 'hestia-nginx-cache-purge-wp-nonce')) {
 wp_send_json_error([
 'message' => esc_html__('The Hestia Nginx Cache could not be purged!', 'hestia-nginx-cache'),
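Review bot: The capability gate added at the top of purge() uses `edit_posts`, which WordPress grants to the Contributor role by default, so any contributor account can trigger a site-wide Nginx cache purge; if this is meant as an administrative action, `manage_options` is the narrower check, and if contributors are meant to be able to purge, a comment stating that choice (`// edit_posts: editors and contributors may purge on publish.`) would stop a later reviewer from tightening it. The refusal also appears to be sent with the default status; `wp_send_json_error()` takes a status code as its second argument, so `wp_send_json_error([...], 403)` here and in the nonce branch in the trailing context would let the JavaScript caller and server logs tell a refused request apart from a failed purge. The nonce branch in that context still reads `$_POST['wp_nonce']` without `isset()`, which this commit leaves as is. purge() continues past the end of this hunk.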