

De 933 check possible security issues for wordpress mailgun plugin (#156
)

* Changed `Tested Up` version of WP

* Changed `Tested Up` version of WP

* Fix bug with wp_mail filter. release new version

* Fix possible security issues. In progress

* Sanitizing and escaping vars. Possible security issues

Fix possible security issues. In progress
oleksandr-mykhailenko committed Jan 18, 2023
1 parent e3ac418 commit 06259aa
Showing 8 changed files with 48 additions and 42 deletions.
6 changes: 3 additions & 3 deletions includes/admin.php
Expand Up @@ -67,7 +67,7 @@ public function __construct()
*/
public function init()
{
$sitename = strtolower($_SERVER['SERVER_NAME']);
$sitename = sanitize_text_field(strtolower($_SERVER['SERVER_NAME']));
if (substr($sitename, 0, 4) === 'www.') {
$sitename = substr($sitename, 4);
}
Expand Down Expand Up @@ -166,7 +166,7 @@ public function admin_footer_js()
ajaxurl,
{
action: 'mailgun-test',
_wpnonce: '<?php echo wp_create_nonce(); ?>'
_wpnonce: '<?php echo esc_attr(wp_create_nonce()); ?>'
}
)
.complete(function () {
Expand Down Expand Up @@ -386,7 +386,7 @@ public function ajax_send_test()
nocache_headers();
header('Content-Type: application/json');

if (!current_user_can('manage_options') || !wp_verify_nonce($_GET['_wpnonce'])):
if (!current_user_can('manage_options') || !wp_verify_nonce(sanitize_text_field($_GET['_wpnonce']))):
die(
json_encode(array(
'message' => __('Unauthorized', 'mailgun'),
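Review bot: The check `wp_verify_nonce(sanitize_text_field($_GET['_wpnonce']))` in ajax_send_test still verifies a nonce that admin_footer_js creates without an action (`wp_create_nonce()`), so any action-less nonce issued to the same user passes; naming both ends, `wp_create_nonce('mailgun-test')` and `wp_verify_nonce(..., 'mailgun-test')`, scopes it to this endpoint. A request that omits `_wpnonce` also hands null to sanitize_text_field, so `$_GET['_wpnonce'] ?? ''` is the safer read. In the admin_footer_js hunk the nonce is written into a JavaScript string literal, where `esc_js()` is the matching escaper rather than `esc_attr()`. ajax_send_test continues past the end of its hunk.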
10 changes: 5 additions & 5 deletions includes/lists-page.php
Expand Up @@ -46,15 +46,15 @@

<span class="alignright">
<a target="_blank" href="http://www.mailgun.com/">
<img src="<?php echo $icon?>" alt="Mailgun" style="width: 50px;"/>
<img src="<?php echo esc_attr($icon)?>" alt="Mailgun" style="width: 50px;"/>
</a>
</span>

<h2><?php _e('Mailgun Lists', 'mailgun'); ?></h2>

<?php settings_fields('mailgun'); ?>

<h3><?php _e('Available Mailing Lists', 'mailgun'); ?> | <a href="<?php echo admin_url('options-general.php?page=mailgun'); ?>">Back to settings</a></h3>
<h3><?php _e('Available Mailing Lists', 'mailgun'); ?> | <a href="<?php echo esc_attr(admin_url('options-general.php?page=mailgun')); ?>">Back to settings</a></h3>

<p><?php _e("{$missing_error}You must use a valid Mailgun domain name and API key to access lists", 'mailgun'); ?></p>

Expand All @@ -73,10 +73,10 @@
<?php foreach ($lists_arr as $list) : ?>

<tr>
<td><?php echo $list['address']; ?></td>
<td><?php echo $list['description']; ?></td>
<td><?php echo esc_textarea($list['address']); ?></td>
<td><?php echo esc_textarea($list['description']); ?></td>
<td>
[mailgun id="<?php echo $list['address']; ?>"]
[mailgun id="<?php echo esc_textarea($list['address']); ?>"]
</td>
</tr>

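Review bot: The escaper chosen for the two URL outputs does not match the context: `src="<?php echo esc_attr($icon)?>"` and `href="<?php echo esc_attr(admin_url(...))?>"` should use `esc_url()`, which rejects unsafe schemes as well as encoding attribute characters. The table cells and the `[mailgun id="…"]` text in the second hunk are plain HTML text, where `esc_html()` is the conventional choice; `esc_textarea()` yields the same encoding here but tells the next reader the wrong context. The unchanged `_e("{$missing_error}You must …")` line interpolates a variable into the string handed to the translator, so it can never match a catalog entry; emitting `$missing_error` outside the translated string would fix that.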
2 changes: 1 addition & 1 deletion includes/mg-filter.php
Expand Up @@ -152,7 +152,7 @@ function mg_detect_from_address($from_addr_header = null): string
if (function_exists('get_current_site')) {
$sitedomain = get_current_site()->domain;
} else {
$sitedomain = strtolower($_SERVER['SERVER_NAME']);
$sitedomain = strtolower(sanitize_text_field($_SERVER['SERVER_NAME']));
if (substr($sitedomain, 0, 4) === 'www.') {
$sitedomain = substr($sitedomain, 4);
}
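Review bot: `sanitize_text_field()` on `$_SERVER['SERVER_NAME']` strips tags and control characters but does not validate a hostname, and on servers that fill SERVER_NAME from the request's Host header the fallback From domain still follows whatever the client sends; `init()` in includes/admin.php has the same pattern. Because this branch only runs when `get_current_site()` is unavailable, deriving the host from the site's own configured URL, `$sitedomain = strtolower((string) wp_parse_url(home_url(), PHP_URL_HOST));`, removes request-controlled input from the address entirely. mg_detect_from_address begins before and ends after this hunk.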
24 changes: 12 additions & 12 deletions includes/options-page.php
Expand Up @@ -57,7 +57,7 @@
<div id="icon-options-general" class="icon32"><br/></div>
<span class="alignright">
<a target="_blank" href="http://www.mailgun.com/">
<img src="<?php echo $icon ?>" alt="Mailgun" style="width:50px;"/>
<img src="<?php echo esc_attr($icon) ?>" alt="Mailgun" style="width:50px;"/>
</a>
</span>
<h2><?php _e('Mailgun', 'mailgun'); ?></h2>
Expand All @@ -75,7 +75,7 @@
)
), esc_url($url), '_blank'
);
echo $link;
echo wp_kses_data($link);
?>
</p>

Expand All @@ -92,7 +92,7 @@
)
), esc_url($url), '_blank'
);
echo $link;
echo wp_kses_data($link);
?>
</p>

Expand All @@ -107,11 +107,11 @@
</th>
<td>
<?php if ($mailgun_region_const): ?>
<input type="hidden" name="mailgun[region]" value="<?php echo $mailgun_region ?>">
<input type="hidden" name="mailgun[region]" value="<?php echo esc_attr($mailgun_region) ?>">
<?php endif ?>

<select id="mailgun-region"
name="mailgun[region]" <?php echo $mailgun_region_const ? 'disabled="disabled"' : '' ?>>
name="mailgun[region]" <?php echo esc_attr($mailgun_region_const) ? 'disabled="disabled"' : '' ?>>
<option value="us"<?php selected('us', $mailgun_region); ?>><?php _e('U.S./North America', 'mailgun') ?></option>
<option value="eu"<?php selected('eu', $mailgun_region); ?>><?php _e('Europe', 'mailgun') ?></option>
</select>
Expand All @@ -128,7 +128,7 @@
</th>
<td>
<?php if (!is_null($mailgun_use_api_const)): ?>
<input type="hidden" name="mailgun[useAPI]" value="<?php echo $mailgun_use_api ?>">
<input type="hidden" name="mailgun[useAPI]" value="<?php echo esc_attr($mailgun_use_api) ?>">
<?php endif ?>

<select id="mailgun-api"
Expand Down Expand Up @@ -218,7 +218,7 @@
</th>
<td>
<?php if (!is_null($mailgun_secure_const)): ?>
<input type="hidden" name="mailgun[secure]" value="<?php echo $mailgun_secure ?>">
<input type="hidden" name="mailgun[secure]" value="<?php echo esc_attr($mailgun_secure) ?>">
<?php endif ?>

<select name="mailgun[secure]" <?php echo !is_null($mailgun_secure_const) ? 'disabled="disabled"' : '' ?>>
Expand All @@ -238,7 +238,7 @@
</th>
<td>
<?php if ($mailgun_sectype_const): ?>
<input type="hidden" name="mailgun[sectype]" value="<?php echo $mailgun_sectype ?>">
<input type="hidden" name="mailgun[sectype]" value="<?php echo esc_attr($mailgun_sectype) ?>">
<?php endif ?>

<select name="mailgun[sectype]" <?php echo $mailgun_sectype_const ? 'disabled="disabled"' : '' ?>>
Expand Down Expand Up @@ -275,7 +275,7 @@
)
), esc_url($url), '_blank'
);
echo $link;
echo wp_kses_data($link);
?>
</p>
</td>
Expand All @@ -302,7 +302,7 @@
)
), esc_url($url), '_blank'
);
echo $link;
echo wp_kses_data($link);
?>
</p>
</td>
Expand Down Expand Up @@ -387,7 +387,7 @@ class="regular-text"
)
), esc_url($url1), esc_url($url2), '_blank'
);
echo $link;
echo wp_kses_data($link);
?>
</p>
</td>
Expand Down Expand Up @@ -429,7 +429,7 @@ class="regular-text"
)
), esc_url($url)
);
echo $link;
echo wp_kses_data($link);
?>
</td>
</tr>
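Review bot: `wp_kses_data($link)` on the six former `echo $link;` lines filters with the 'data' allowed-tag set, which for `<a>` keeps `href` and `title` but not `target`, so if the format string outside each hunk places the `'_blank'` argument in a `target` attribute that attribute is likely stripped from the rendered link; `wp_kses_post($link)` keeps `target`, or the anchor can be assembled from already-escaped parts and echoed directly. In the first hunk `esc_url($icon)` is the right escaper for `<img src>`, not `esc_attr()`. In the region hunk, `esc_attr($mailgun_region_const) ? 'disabled="disabled"' : ''` escapes a value that is only used as a boolean, which changes nothing and is inconsistent with the untouched `$mailgun_secure_const` and `$mailgun_sectype_const` ternaries; `$mailgun_region_const ? 'disabled="disabled"' : ''` says what is meant.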
10 changes: 5 additions & 5 deletions includes/widget.php
Expand Up @@ -82,20 +82,20 @@ public function form($instance)
?>
<div class="mailgun-list-widget-back">
<p>
<label for="<?php echo $this->get_field_id('list_title'); ?>"><?php _e('Title (optional):'); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id('list_title'); ?>" name="<?php echo $this->get_field_name('list_title'); ?>" type="text" value="<?php echo esc_attr($list_title); ?>" />
<label for="<?php echo esc_attr($this->get_field_id('list_title')); ?>"><?php _e('Title (optional):'); ?></label>
<input class="widefat" id="<?php echo esc_attr($this->get_field_id('list_title')); ?>" name="<?php echo esc_attr($this->get_field_name('list_title')); ?>" type="text" value="<?php echo esc_attr($list_title); ?>" />
</p>
<p>
<label for="<?php echo $this->get_field_id('list_description'); ?>"><?php _e('Description (optional):'); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id('list_description'); ?>" name="<?php echo $this->get_field_name('list_description'); ?>" type="text" value="<?php echo esc_attr($list_description); ?>" />
<input class="widefat" id="<?php echo esc_attr($this->get_field_id('list_description')); ?>" name="<?php echo esc_attr($this->get_field_name('list_description')); ?>" type="text" value="<?php echo esc_attr($list_description); ?>" />
</p>
<p>
<label for="<?php echo $this->get_field_id('list_address'); ?>"><?php _e('List addresses (required):'); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id('list_address'); ?>" name="<?php echo $this->get_field_name('list_address'); ?>" type="text" value="<?php echo esc_attr($list_address); ?>" />
<input class="widefat" id="<?php echo esc_attr($this->get_field_id('list_address')); ?>" name="<?php echo esc_attr($this->get_field_name('list_address')); ?>" type="text" value="<?php echo esc_attr($list_address); ?>" />
</p>
<p>
<label for="<?php echo $this->get_field_id('collect_name'); ?>"><?php _e('Collect name:'); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id('collect_name'); ?>" name="<?php echo $this->get_field_name('collect_name'); ?>" type="checkbox" <?php echo esc_attr($collect_name); ?> />
<input class="widefat" id="<?php echo esc_attr($this->get_field_id('collect_name')); ?>" name="<?php echo esc_attr($this->get_field_name('collect_name')); ?>" type="checkbox" <?php echo esc_attr($collect_name); ?> />
</p>
</div>
<?php
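Review bot: `esc_attr($collect_name)` on the checkbox line emits an attribute fragment rather than an attribute value, so if `$collect_name` holds something like `checked="checked"` the quotes get encoded and the attribute no longer parses; the WordPress `checked()` helper, given a boolean, emits the attribute safely. This predates the commit but the line is rewritten here, so it is the moment to settle what `$collect_name` contains. The `esc_attr()` wrapping of `get_field_id()`/`get_field_name()` is fine, while the `_e()` calls in this block still lack the `'mailgun'` text domain used elsewhere in the plugin. form() begins before this hunk.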
28 changes: 14 additions & 14 deletions mailgun.php
Expand Up @@ -3,7 +3,7 @@
* Plugin Name: Mailgun
* Plugin URI: http://wordpress.org/extend/plugins/mailgun/
* Description: Mailgun integration for WordPress
* Version: 1.8.10
* Version: 1.9
* Tested up to: 6.1
* Author: Mailgun
* Author URI: http://www.mailgun.com/
Expand Down Expand Up @@ -301,10 +301,10 @@ public function get_lists(): array
*/
public function add_list()
{
$name = $_POST['name'] ?? null;
$email = $_POST['email'] ?? null;
$name = sanitize_text_field($_POST['name'] ?? null);
$email = sanitize_text_field($_POST['email'] ?? null);

$list_addresses = $_POST['addresses'];
$list_addresses = sanitize_text_field($_POST['addresses']);

if (!empty($list_addresses)) {
$result = [];
Expand Down Expand Up @@ -360,20 +360,20 @@ public function list_form(string $list_address, array $args = [], array $instanc
// All list info from the API; used for list info when more than one list is available to subscribe to
$all_list_addresses = $this->get_lists();
?>
<div class="mailgun-list-widget-front <?php echo $widget_class_id; ?> widget">
<form class="list-form <?php echo $form_class_id; ?>">
<div class="mailgun-list-widget-front <?php echo esc_attr($widget_class_id); ?> widget">
<form class="list-form <?php echo esc_attr($form_class_id); ?>">
<div class="mailgun-list-widget-inputs">
<?php if (isset($args[ 'list_title' ])): ?>
<div class="mailgun-list-title">
<h4 class="widget-title">
<span><?php echo $args[ 'list_title' ]; ?></span>
<span><?php echo wp_kses_data($args[ 'list_title' ]); ?></span>
</h4>
</div>
<?php endif; ?>
<?php if (isset($args[ 'list_description' ])): ?>
<div class="mailgun-list-description">
<p class="widget-description">
<span><?php echo $args[ 'list_description' ]; ?></span>
<span><?php echo wp_kses_data($args[ 'list_description' ]); ?></span>
</p>
</div>
<?php endif; ?>
Expand All @@ -399,15 +399,15 @@ public function list_form(string $list_address, array $args = [], array $instanc
?>
<li>
<input type="checkbox" class="mailgun-list-name"
name="addresses[<?php echo $la[ 'address' ]; ?>]"/> <?php echo ($la[ 'name' ] ?: $la[ 'address' ]); ?>
name="addresses[<?php echo esc_attr($la[ 'address' ]); ?>]"/> <?php echo esc_attr($la[ 'name' ] ?: $la[ 'address' ]); ?>
</li>
<?php endforeach; ?>
</ul>
<?php else: ?>
<input type="hidden" name="addresses[<?php echo $list_addresses[ 0 ]; ?>]" value="on"/>
<input type="hidden" name="addresses[<?php echo esc_attr($list_addresses[ 0 ]); ?>]" value="on"/>
<?php endif; ?>

<input class="mailgun-list-submit-button" data-form-id="<?php echo $form_class_id; ?>" type="button"
<input class="mailgun-list-submit-button" data-form-id="<?php echo esc_attr($form_class_id); ?>" type="button"
value="Subscribe"/>
<input type="hidden" name="mailgun-submission" value="1"/>

Expand Down Expand Up @@ -454,9 +454,9 @@ public function list_form(string $list_address, array $args = [], array $instanc

// success
if ((data.status === 200)) {
jQuery('.<?php echo $widget_class_id; ?> .widget-list-panel').css('display', 'none')
jQuery('.<?php echo $widget_class_id; ?> .list-form').css('display', 'none')
jQuery('.<?php echo $widget_class_id; ?> .result-panel').css('display', 'block')
jQuery('.<?php echo esc_attr($widget_class_id); ?> .widget-list-panel').css('display', 'none')
jQuery('.<?php echo esc_attr($widget_class_id); ?> .list-form').css('display', 'none')
jQuery('.<?php echo esc_attr($widget_class_id); ?> .result-panel').css('display', 'block')
// error
} else {
alert(data_msg)
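Review bot: `sanitize_text_field($_POST['addresses'])` in add_list() receives an array, since list_form() names its inputs `addresses[<address>]` (visible in the later hunks), and sanitize_text_field returns an empty string for non-scalar input, so `!empty($list_addresses)` is always false and subscriptions silently stop being recorded. The field needs per-element handling that also covers the keys, which carry the addresses, e.g. `$raw = (array) ($_POST['addresses'] ?? []); $list_addresses = array_combine(array_map('sanitize_email', array_keys($raw)), array_map('sanitize_text_field', $raw));`, and `sanitize_email()` is likewise the better fit for `$email`. `$name`/`$email` now pass `?? null` into a string-typed function; `?? ''` avoids the null coercion. In list_form(), `esc_attr($la['name'] ?: $la['address'])` after the checkbox is HTML text (`esc_html()`), and the three `esc_attr($widget_class_id)` inside the jQuery selectors sit in JavaScript strings (`esc_js()`). add_list() and list_form() both continue outside their hunks.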
5 changes: 4 additions & 1 deletion readme.md
Expand Up @@ -5,7 +5,7 @@ Contributors: mailgun, sivel, lookahead.io, m35dev
Tags: mailgun, smtp, http, api, mail, email
Requires at least: 3.3
Tested up to: 6.1.1
Stable tag: 1.8.10
Stable tag: 1.9
Requires PHP: 5.6
License: GPLv2 or later

Expand Down Expand Up @@ -130,6 +130,9 @@ MAILGUN_FROM_ADDRESS Type: string


== Changelog ==
= 1.9 (2023-01-18): =
- Sanitizing and escaping vars. Possible security issues

= 1.8.10 (2022-12-26): =
- Fixed bug with not overriding `from name` for Woocommerce

5 changes: 4 additions & 1 deletion readme.txt
Expand Up @@ -5,7 +5,7 @@ Contributors: mailgun, sivel, lookahead.io, m35dev
Tags: mailgun, smtp, http, api, mail, email
Requires at least: 4.4
Tested up to: 6.1.1
Stable tag: 1.8.10
Stable tag: 1.9
Requires PHP: 5.6
License: GPLv2 or later

Expand Down Expand Up @@ -128,6 +128,9 @@ MAILGUN_FROM_ADDRESS Type: string


== Changelog ==
= 1.9 (2023-01-18): =
- Sanitizing and escaping vars. Possible security issues

= 1.8.10 (2022-12-26): =
- Fixed bug with not overriding `from name` for Woocommerce

