
Changeset 2060758


Timestamp:
04/01/2019 06:05:01 AM (7 years ago)
Author:
mndpsingh287
Message:

fixed security issues

Location:
duplicate-page/trunk
Files:
2 edited

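--- a/duplicate-page/trunk/duplicatepage.php
+++ b/duplicate-page/trunk/duplicatepage.php
@@ -5,5 +5,5 @@
 Description: Duplicate Posts, Pages and Custom Posts using single click.
 Author: mndpsingh287
-Version: 3.3
+Version: 3.4
 Author URI: https://profiles.wordpress.org/mndpsingh287/
 License: GPLv2
@@ -18,6 +18,6 @@
         /*
         * AutoLoad Hooks
-        */
-        public function __construct()
+        */       
+        public function __construct() 
         {
             $opt = get_option('duplicate_page_options');
@@ -100,4 +100,15 @@
         public function dt_duplicate_post_as_draft()
         {
+           /*
+           * get Nonce value
+           */
+           $nonce = $_REQUEST['nonce'];
+            /*
+            * get the original post id
+            */
+           $post_id = (isset($_GET['post']) ? intval($_GET['post']) : intval($_POST['post']));
+
+           if(wp_verify_nonce( $nonce, 'dt-duplicate-page-'.$post_id) && current_user_can('edit_posts')) {
+           // verify Nonce 
             global $wpdb;
             $opt = get_option('duplicate_page_options');
@@ -108,9 +119,5 @@
                 wp_die('No post to duplicate has been supplied!');
             }
-            $returnpage = '';
-            /*
-            * get the original post id
-            */
-            $post_id = (isset($_GET['post']) ? $_GET['post'] : $_POST['post']);
+            $returnpage = '';           
             /*
             * and all the original post data then
@@ -188,4 +195,7 @@
                 wp_die('Error! Post creation failed, could not find original post: '.$post_id);
             }
+          } else {
+            wp_die('Security check issue, Please try again.');
+          }
         }
 
@@ -198,5 +208,5 @@
             $post_status = !empty($opt['duplicate_post_status']) ? $opt['duplicate_post_status'] : 'draft';
             if (current_user_can('edit_posts')) {
-                $actions['duplicate'] = '<a href="admin.php?action=dt_duplicate_post_as_draft&amp;post='.$post->ID.'" title="Duplicate this as '.$post_status.'" rel="permalink">'.__('Duplicate This', 'duplicate-page').'</a>';
+                $actions['duplicate'] = '<a href="admin.php?action=dt_duplicate_post_as_draft&amp;post='.$post->ID.'&amp;nonce='.wp_create_nonce( 'dt-duplicate-page-'.$post->ID ).'" title="Duplicate this as '.$post_status.'" rel="permalink">'.__('Duplicate This', 'duplicate-page').'</a>';
             }
 
@@ -214,5 +224,5 @@
             $html = '<div id="major-publishing-actions">';
             $html .= '<div id="export-action">';
-            $html .= '<a href="admin.php?action=dt_duplicate_post_as_draft&amp;post='.$post->ID.'" title="Duplicate this as '.$post_status.'" rel="permalink">'.__('Duplicate This', 'duplicate-page').'</a>';
+            $html .= '<a href="admin.php?action=dt_duplicate_post_as_draft&amp;post='.$post->ID.'&amp;nonce='.wp_create_nonce( 'dt-duplicate-page-'.$post->ID ).'" title="Duplicate this as '.$post_status.'" rel="permalink">'.__('Duplicate This', 'duplicate-page').'</a>';
             $html .= '</div>';
             $html .= '</div>';
@@ -258,7 +268,8 @@
              jQuery(window).load(function(e){
                var dp_post_id = "<?php echo $post->ID; ?>";
+               var dtnonce = "<?php echo wp_create_nonce( 'dt-duplicate-page-'.$post->ID );?>";
                var dp_post_title = "Duplicate this as <?php echo $post_status; ?>";
                var dp_duplicate_link = '<div class="duplicate_page_link_guten">';
-                   dp_duplicate_link += '<a href="admin.php?action=dt_duplicate_post_as_draft&amp;post='+dp_post_id+'" title="'+dp_post_title+'">Duplicate This</a>';
+                   dp_duplicate_link += '<a href="admin.php?action=dt_duplicate_post_as_draft&amp;post='+dp_post_id+'&amp;nonce='+dtnonce+'" title="'+dp_post_title+'">Duplicate This</a>';
                    dp_duplicate_link += '</div>';
                jQuery('.edit-post-post-status').append(dp_duplicate_link);
@@ -289,5 +300,5 @@
                 'id' => 'duplicate_this',
                 'title' => __('Duplicate This as '.$post_status.'', 'duplicate-page'),
-                'href' => admin_url().'admin.php?action=dt_duplicate_post_as_draft&amp;post='.$post->ID,
+                'href' => admin_url().'admin.php?action=dt_duplicate_post_as_draft&amp;post='.$post->ID.'&amp;nonce='.wp_create_nonce( 'dt-duplicate-page-'.$post->ID )
                 ));
             }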
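Review bot: The capability check in the new guard `if(wp_verify_nonce( $nonce, 'dt-duplicate-page-'.$post_id) && current_user_can('edit_posts'))` tests the blanket `edit_posts` capability rather than the per-object `edit_post` meta capability, so any user holding it (Contributors do) who can obtain a nonce for a post ID can duplicate posts they are not allowed to edit, such as other authors' drafts or private pages; the row-action link at new line 210 is gated on the same blanket check, and the admin-bar link at new line 302 appears to mint a nonce for whatever post it is rendered on. Replace it with `current_user_can('edit_post', $post_id)`, which WordPress maps to `edit_others_posts`/`edit_private_posts` as appropriate, and apply the same object-level check where the three links are rendered. The new line `$nonce = $_REQUEST['nonce'];` also reads the key unconditionally and emits a PHP notice when it is absent; `$nonce = isset($_REQUEST['nonce']) ? sanitize_key($_REQUEST['nonce']) : '';` keeps the verify failing cleanly. dt_duplicate_post_as_draft() continues between and beyond these hunks, so the rest of the handler body was not reviewed.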
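--- a/duplicate-page/trunk/readme.txt
+++ b/duplicate-page/trunk/readme.txt
@@ -4,5 +4,5 @@
 Requires at least: 3.4
 Tested up to: 5.1.1
-Stable tag: 3.3
+Stable tag: 3.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -56,4 +56,8 @@
 
 == Changelog ==
+
+= 3.4 (23rd March, 2019) =
+
+* Security issues fixes addressed by Securi Team(https://sucuri.net/)
 
 = 3.3 (14th March, 2019) =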