refactor: generate nonce based on feed url #1162
Conversation
|
Plugin build for 9eb7053 is ready 🛎️!
Note You can preview the changes in the Playground |
| $feed_url = $this->normalize_urls( $sc['feeds'] ); | ||
| $nonce = isset( $atts['nonce'] ) ? $atts['nonce'] : ''; | ||
|
|
||
| if ( ! wp_verify_nonce( $nonce, $feed_url ) ) { |
There was a problem hiding this comment.
I am not sure if it is the case, but one small concern is the fragility of the verification based on the normalized URL. If it happens to be an issue, I think we can switch to make the nonce to be based only on the domain of the URL.
There was a problem hiding this comment.
When we generate the nonce based solely on the domain of the URL, an authenticated user could potentially access internal resources by supplying a valid internal resource URL along with the nonce.
There was a problem hiding this comment.
I think is fine how it is right now since we normalize the url on nonce generation and on nonce verification so the result should be consistent.
|
🎉 This PR is included in version 5.1.2 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Summary
Generate the nonce based on the feed URL for the
/wp-json/feedzy/v1/lazyendpoint.Check before Pull Request is ready:
Closes https://github.com/Codeinwp/feedzy-rss-feeds-pro/issues/939#issuecomment-3552901449