Merge pull request #544 from Freemius/feature/security-fix-master-2.4.3

Security fix on top of master for 2.4.3 tag

includes/class-freemius.php

@@ -3550,6 +3550,8 @@ static function _add_debug_section() {
          * @since  1.1.7.3
          */
         static function _toggle_debug_mode() {
+            check_admin_referer( 'fs_toggle_debug_mode' );
+
             if ( ! is_super_admin() ) {
                 return;
             }
@@ -3571,10 +3573,19 @@ static function _toggle_debug_mode() {
          * @since  1.2.1.6
          */
         static function _get_debug_log() {
+            check_admin_referer( 'fs_get_debug_log' );
+
+            if ( ! is_super_admin() ) {
+                return;
+            }
+
+            $limit  = min( ! empty( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 200, 200 );
+            $offset = min( ! empty( $_POST['offset'] ) ? absint( $_POST['offset'] ) : 200, 200 );
+
             $logs = FS_Logger::load_db_logs(
                 fs_request_get( 'filters', false, 'post' ),
-                ! empty( $_POST['limit'] ) && is_numeric( $_POST['limit'] ) ? $_POST['limit'] : 200,
-                ! empty( $_POST['offset'] ) && is_numeric( $_POST['offset'] ) ? $_POST['offset'] : 0
+                $limit,
+                $offset
             );
 
             self::shoot_ajax_success( $logs );
@@ -4447,6 +4458,12 @@ function _add_connectivity_issue_message( $api_result, $is_first_failure = true
          * @since  1.0.9
          */
         function _email_about_firewall_issue() {
+            check_admin_referer( 'fs_resolve_firewall_issues' );
+
+            if ( ! current_user_can( is_multisite() ? 'manage_options' : 'activate_plugins' ) ) {
+                return;
+            }
+
             $this->_admin_notices->remove_sticky( 'failed_connect_api' );
 
             $pong = $this->ping();
@@ -4521,6 +4538,12 @@ function _email_about_firewall_issue() {
          * @since  1.1.7.4
          */
         function _retry_connectivity_test() {
+            check_admin_referer( 'fs_retry_connectivity_test' );
+
+            if ( ! current_user_can( is_multisite() ? 'manage_options' : 'activate_plugins' ) ) {
+                return;
+            }
+
             $this->_admin_notices->remove_sticky( 'failed_connect_api_first' );
 
             $pong = $this->ping();

includes/managers/class-fs-admin-notice-manager.php

@@ -175,7 +175,12 @@ protected function __construct(
          *
          */
         function dismiss_notice_ajax_callback() {
-            $this->_sticky_storage->remove( $_POST['message_id'] );
+            check_admin_referer( 'fs_dismiss_notice_action' );
+
+            if ( ! is_numeric( $_POST['message_id'] ) ) {
+                $this->_sticky_storage->remove( $_POST['message_id'] );
+            }
+
             wp_die();
         }
 
@@ -469,4 +474,4 @@ private function get_notices_type() {
         }
 
         #endregion
-    }
+    }

includes/sdk/Exceptions/ArgumentNotExistException.php

@@ -1,9 +1,13 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
 	if ( ! class_exists( 'Freemius_InvalidArgumentException' ) ) {
 		exit;
 	}
 
 	if ( ! class_exists( 'Freemius_ArgumentNotExistException' ) ) {
 		class Freemius_ArgumentNotExistException extends Freemius_InvalidArgumentException {
 		}
-	}
+	}

includes/sdk/Exceptions/EmptyArgumentException.php

@@ -1,9 +1,13 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
 	if ( ! class_exists( 'Freemius_InvalidArgumentException' ) ) {
 		exit;
 	}
 
 	if ( ! class_exists( 'Freemius_EmptyArgumentException' ) ) {
 		class Freemius_EmptyArgumentException extends Freemius_InvalidArgumentException {
 		}
-	}
+	}

includes/sdk/Exceptions/Exception.php

@@ -1,4 +1,8 @@
 <?php
+        if ( ! defined( 'ABSPATH' ) ) {
+            exit;
+        }
+
 	if ( ! class_exists( 'Freemius_Exception' ) ) {
 		/**
 		 * Thrown when an API call returns an exception.
@@ -71,4 +75,4 @@ public function __toString() {
 				return $str . $this->getMessage();
 			}
 		}
-	}
+	}

includes/sdk/Exceptions/InvalidArgumentException.php

@@ -1,8 +1,12 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
 	if ( ! class_exists( 'Freemius_Exception' ) ) {
 		exit;
 	}
 
 	if ( ! class_exists( 'Freemius_InvalidArgumentException' ) ) {
 		class Freemius_InvalidArgumentException extends Freemius_Exception { }
-	}
+	}

includes/sdk/Exceptions/OAuthException.php

@@ -1,4 +1,8 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
 	if ( ! class_exists( 'Freemius_Exception' ) ) {
 		exit;
 	}
@@ -9,4 +13,4 @@ public function __construct( $pResult ) {
 				parent::__construct( $pResult );
 			}
 		}
-	}
+	}

includes/sdk/FreemiusBase.php

@@ -15,6 +15,10 @@
 	 * under the License.
 	 */
 
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
 	if ( ! defined( 'FS_API__VERSION' ) ) {
 		define( 'FS_API__VERSION', '1' );
 	}

includes/sdk/FreemiusWordPress.php

@@ -14,6 +14,9 @@
 	 * License for the specific language governing permissions and limitations
 	 * under the License.
 	 */
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
 
 	require_once dirname( __FILE__ ) . '/FreemiusBase.php';
 
@@ -709,4 +712,4 @@ private static function ThrowSquidAclException( $pResult = '' ) {
 		}
 
 		#endregion
-	}
+	}

package.json

@@ -4,7 +4,7 @@
   "author": "Freemius, Inc.",
   "license": "GPL-3.0",
   "homepage": "https://freemius.com",
-  "version": "2.4.2",
+  "version": "2.4.3",
   "main": "gulpfile.js",
   "dependencies": {},
   "scripts": {

require.php

@@ -6,6 +6,10 @@
 	 * @since       1.1.9
 	 */
 
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
 	// Configuration should be loaded first.
 	require_once dirname( __FILE__ ) . '/config.php';
 	require_once WP_FS__DIR_INCLUDES . '/fs-core-functions.php';
@@ -46,4 +50,4 @@
     require_once WP_FS__DIR_INCLUDES . '/class-fs-admin-notices.php';
 	require_once WP_FS__DIR_INCLUDES . '/class-freemius-abstract.php';
 	require_once WP_FS__DIR_INCLUDES . '/sdk/Exceptions/Exception.php';
-	require_once WP_FS__DIR_INCLUDES . '/class-freemius.php';
+	require_once WP_FS__DIR_INCLUDES . '/class-freemius.php';

start.php

@@ -15,7 +15,7 @@
 	 *
 	 * @var string
 	 */
-	$this_sdk_version = '2.4.2';
+	$this_sdk_version = '2.4.3';
 
 	#region SDK Selection Logic --------------------------------------------------------------------
 

templates/account/partials/addon.php

@@ -1,4 +1,9 @@
 <?php
+
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
     /**
      * @var array    $VARS
      * @var Freemius $fs
@@ -443,4 +448,4 @@ class="edit"><?php echo esc_html( $activate_text ) ?></a>
         </td>
         <!--/ Optional Delete Action -->
     <?php endif ?>
-</tr>
+</tr>

templates/ajax-loader.php

@@ -1 +1,6 @@
-<div class="fs-ajax-loader" style="display: none"><?php for ( $i = 1; $i <= 8; $i ++ ) : ?><div class="fs-ajax-loader-bar fs-ajax-loader-bar-<?php echo $i ?>"></div><?php endfor ?></div>
+<?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+?>
+<div class="fs-ajax-loader" style="display: none"><?php for ( $i = 1; $i <= 8; $i ++ ) : ?><div class="fs-ajax-loader-bar fs-ajax-loader-bar-<?php echo $i ?>"></div><?php endfor ?></div>

templates/debug.php

@@ -37,6 +37,8 @@
 
                     $.post( ajaxurl, {
                         action: 'fs_toggle_debug_mode',
+                        // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                        _wpnonce   : <?php echo wp_json_encode( wp_create_nonce( 'fs_toggle_debug_mode' ) ); ?>,
                         is_on : ($(this).hasClass( 'fs-on' ) ? 1 : 0)
                     }, function ( response ) {
                         if ( 1 == response ) {
@@ -111,7 +113,8 @@
             if (optionName) {
                 $.post(ajaxurl, {
                     action     : 'fs_get_db_option',
-                    _wpnonce   : '<?php echo wp_create_nonce( 'fs_get_db_option' ) ?>',
+                    // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                    _wpnonce   : <?php echo wp_json_encode( wp_create_nonce( 'fs_get_db_option' ) ); ?>,
                     option_name: optionName
                 }, function (response) {
                     if (response.data.value)
@@ -131,7 +134,8 @@
                 if (optionValue) {
                     $.post(ajaxurl, {
                         action      : 'fs_set_db_option',
-                        _wpnonce   : '<?php echo wp_create_nonce( 'fs_set_db_option' ) ?>',
+                        // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                        _wpnonce    : <?php echo wp_json_encode( wp_create_nonce( 'fs_set_db_option' ) ); ?>,
                         option_name : optionName,
                         option_value: optionValue
                     }, function () {
@@ -724,6 +728,8 @@ class="dashicons dashicons-download"></i> <?php fs_esc_html_echo_inline( 'Downlo
 
                 $.post(ajaxurl, {
                     action : 'fs_get_debug_log',
+                    // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                    _wpnonce : <?php echo wp_json_encode( wp_create_nonce( 'fs_get_debug_log' ) ); ?>,
                     filters: filters,
                     offset : offset,
                     limit  : limit

templates/firewall-issues-js.php

@@ -22,10 +22,12 @@
 				notice           = $( this ).parents( '.fs-notice' ),
 				ajaxActionSuffix = notice.attr( 'data-manager-id' ).replace( ':', '-' );
 
-			var data = {
-				action    : 'fs_resolve_firewall_issues_' + ajaxActionSuffix,
-				error_type: error_type
-			};
+            var data = {
+                action   : 'fs_resolve_firewall_issues_' + ajaxActionSuffix,
+                // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                _wpnonce : <?php echo wp_json_encode( wp_create_nonce( 'fs_resolve_firewall_issues' ) ); ?>,
+                error_type: error_type
+            };
 
 			if ( 'squid' === error_type ) {
 				data.hosting_company = prompt( 'What is the name or URL of your hosting company?' );
@@ -39,7 +41,9 @@
 			}
 
 			if ( 'retry_ping' === error_type ) {
-				data.action = 'fs_retry_connectivity_test_' + ajaxActionSuffix;
+                data.action   = 'fs_retry_connectivity_test_' + ajaxActionSuffix;
+                // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                data._wpnonce = <?php echo wp_json_encode( wp_create_nonce( 'fs_retry_connectivity_test' ) ); ?>;
 			}
 
 			$( this ).css({'cursor': 'wait'});
@@ -56,4 +60,4 @@
 			});
 		});
 	});
-</script>
+</script>

templates/partials/network-activation.php

@@ -1,4 +1,9 @@
 <?php
+
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
     /**
      * @var array $VARS
      * @var Freemius $fs
@@ -86,4 +91,4 @@
             </tbody>
         </table>
     </div>
-</div>
+</div>

templates/sticky-admin-notice-js.php

@@ -23,7 +23,9 @@
 
 			notice.fadeOut( 'fast', function() {
 				var data = {
-					action    : 'fs_dismiss_notice_action_' + ajaxActionSuffix,
+					action   : 'fs_dismiss_notice_action_' + ajaxActionSuffix,
+                    // As such we don't need to use `wp_json_encode` method but using it to follow wp.org guideline.
+                    _wpnonce : <?php echo wp_json_encode( wp_create_nonce( 'fs_dismiss_notice_action' ) ); ?>,
 					message_id: id
 				};
 
@@ -36,4 +38,4 @@
 			});
 		});
 	});
-</script>
+</script>