Changeset 2745551

Timestamp:

06/20/2022 09:42:04 PM (4 years ago)

Author:

grimmdude

Message:

1.4.2 - Add CSRF protection, fix misc PHP notices.

Location:

sharebar

Files:

• tags/1.4.2 (added)
• tags/1.4.2/css (added)
• tags/1.4.2/css/colorpicker.css (added)
• tags/1.4.2/css/sharebar.css (added)
• tags/1.4.2/images (added)
• tags/1.4.2/images/blank.gif (added)
• tags/1.4.2/images/colorpicker_background.png (added)
• tags/1.4.2/images/colorpicker_hex.png (added)
• tags/1.4.2/images/colorpicker_hsb_b.png (added)
• tags/1.4.2/images/colorpicker_hsb_h.png (added)
• tags/1.4.2/images/colorpicker_hsb_s.png (added)
• tags/1.4.2/images/colorpicker_indic.gif (added)
• tags/1.4.2/images/colorpicker_overlay.png (added)
• tags/1.4.2/images/colorpicker_rgb_b.png (added)
• tags/1.4.2/images/colorpicker_rgb_g.png (added)
• tags/1.4.2/images/colorpicker_rgb_r.png (added)
• tags/1.4.2/images/colorpicker_select.gif (added)
• tags/1.4.2/images/colorpicker_submit.png (added)
• tags/1.4.2/images/custom_background.png (added)
• tags/1.4.2/images/custom_hex.png (added)
• tags/1.4.2/images/custom_hsb_b.png (added)
• tags/1.4.2/images/custom_hsb_h.png (added)
• tags/1.4.2/images/custom_hsb_s.png (added)
• tags/1.4.2/images/custom_indic.gif (added)
• tags/1.4.2/images/custom_rgb_b.png (added)
• tags/1.4.2/images/custom_rgb_g.png (added)
• tags/1.4.2/images/custom_rgb_r.png (added)
• tags/1.4.2/images/custom_submit.png (added)
• tags/1.4.2/images/down.gif (added)
• tags/1.4.2/images/select.png (added)
• tags/1.4.2/images/select2.png (added)
• tags/1.4.2/images/slider.png (added)
• tags/1.4.2/images/up.gif (added)
• tags/1.4.2/js (added)
• tags/1.4.2/js/colorpicker.js (added)
• tags/1.4.2/js/sharebar-admin.js (added)
• tags/1.4.2/js/sharebar.js (added)
• tags/1.4.2/readme.txt (added)
• tags/1.4.2/screenshot-1.gif (added)
• tags/1.4.2/screenshot-2.gif (added)
• tags/1.4.2/screenshot-3.gif (added)
• tags/1.4.2/screenshot-4.gif (added)
• tags/1.4.2/sharebar-admin.php (added)
• tags/1.4.2/sharebar.php (added)
• trunk/readme.txt (modified) (2 diffs)
• trunk/sharebar-admin.php (modified) (12 diffs)
• trunk/sharebar.php (modified) (6 diffs)

sharebar/trunk/readme.txt

@@ -3 +3 @@
 Tags: sharing, social networks, marketing, social media, sharebar, sharebox, sharethis, facebook share, twitter, pinterest, reddit, stumbleupon, social buttons, marketing
 Requires at least: 2.0
-Tested up to: 5.1
-Stable tag: 1.4.1
+Tested up to: 6.0
+Stable tag: 1.4.2
 
 Sharebar adds a dynamic and fully customizable vertical box to the left of a blog post that contains links/buttons to popular social networking sites.
@@ -61 +61 @@
 
 == Changelog ==
+= 1.4.2 =
+* Add CSRF protection to admin forms.
+* Fix misc PHP notices.
+
 = 1.4.1 =
 * Use enqueue_scripts for frontend CSS.

sharebar/trunk/sharebar-admin.php

@@ -20 +20 @@
         exit();
     }
-    $id = sanitize($_GET['id'] ? $_GET['id'] : $_POST['id']);
-    $pos = sanitize($_GET['pos'] ? $_GET['pos'] : $_POST['pos']);
-    $status = sanitize($_GET['status'] ? $_GET['status'] : $_POST['status']);
-    $task = sanitize($_GET['t'] ? $_GET['t'] : $_POST['t']);
-    $do = sanitize($_POST['do']);
+
+    $id = sanitize(isset($_REQUEST['id']) ? $_REQUEST['id'] : null);
+    $pos = sanitize(isset($_REQUEST['pos']) ? $_REQUEST['pos'] : null);
+    $status = sanitize(isset($_REQUEST['status']) ? $_REQUEST['status'] : null);
+    $task = sanitize(isset($_REQUEST['t']) ? $_REQUEST['t'] : null);
+    $do = sanitize(isset($_REQUEST['do']) ? $_REQUEST['do'] : null);
     
     if($id) $item = $wpdb->get_row($wpdb->prepare("SELECT * FROM ".$wpdb->prefix."sharebar WHERE id=%d", $id));
 
-    if($do == 'update') $wpdb->query($wpdb->prepare("UPDATE ".$wpdb->prefix."sharebar SET enabled='%d', position='%d', name='%s', big='". $_POST['big'] ."', small='". $_POST['small'] ."' WHERE id='%d'", sanitize($_POST['enabled']), sanitize($_POST['position']), sanitize($_POST['name']), $id));
-    elseif($do == 'add') $wpdb->query($wpdb->prepare("INSERT INTO ".$wpdb->prefix."sharebar (position, name, big, small) VALUES('%d','%s', '". $_POST['big'] ."', '". $_POST['small'] ."')", sanitize($_POST['position']), sanitize($_POST['name'])));
-    elseif($do == 'delete') $wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."sharebar WHERE id=%d LIMIT 1", $id));
-    elseif($do == 'reset') sharebar_reset();
+    if($do == 'update') {
+        check_admin_referer( 'wp_sharebar_add_update' );
+        $wpdb->query($wpdb->prepare("UPDATE ".$wpdb->prefix."sharebar SET enabled='%d', position='%d', name='%s', big='%s', small='%s' WHERE id='%d'", sanitize($_POST['enabled']), sanitize($_POST['position']), $_POST['name'], $_POST['big'], $_POST['small'], $id));
+    }
+    elseif($do == 'add') {
+        check_admin_referer( 'wp_sharebar_add_update' );
+        $wpdb->query($wpdb->prepare("INSERT INTO ".$wpdb->prefix."sharebar (position, name, big, small) VALUES('%d','%s', '%s', '%s')", sanitize($_POST['position']), $_POST['name'], $_POST['big'], $_POST['small']));
+    }
+    elseif($do == 'delete') {
+        check_admin_referer( 'wp_sharebar_delete' );
+        $wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."sharebar WHERE id=%d LIMIT 1", $id));
+    }
+    elseif($do == 'reset') {
+        check_admin_referer( 'wp_sharebar_reset' );
+        sharebar_reset();
+    }
     elseif($do == 'settings'){
+        check_admin_referer( 'wp_sharebar_settings' );
         $binaries = array("auto_posts","auto_pages","horizontal","credit");
-        foreach($binaries as $binary) $_POST[$binary] = $_POST[$binary] ? 1:0;
+        foreach($binaries as $binary) $_POST[$binary] = isset($_POST[$binary]) ? 1:0;
         $_POST['width'] = $_POST['width'] ? $_POST['width']:1000;
         sharebar_settings($_POST);
         foreach($sharebar_options as $option) $$option = get_option('sharebar_'.$option);
     }elseif($do == 'update-all'){
+        check_admin_referer( 'wp_sharebar_update_all' );
         $buttons = $_POST['buttons'];
         $uptask = $_POST['update-task'];
@@ -132 +147 @@
         if($task == 'edit'){
             echo '<table class="thebutton">';
-            echo "<tr><th class='name'><strong>".$item->name.":</strong></th></tr>";
-            echo "<tr><td>".$item->big."</td>";
-            echo "<td>".$item->small."</td></tr>";
+            echo "<tr><th class='name'><strong>".esc_html($item->name).":</strong></th></tr>";
+            echo "<tr><td>".($item->big)."</td>";
+            echo "<td>".($item->small)."</td></tr>";
             echo '</table>';
         }
-        if($item->enabled) $enabled = " checked='true'";
+        if(isset($item) && $item->enabled) $enabled = " checked='true'";
     ?>
     <form action="?page=<?php echo $_GET['page']; ?>" method="post">
+        <?php wp_nonce_field( 'wp_sharebar_add_update' ); ?>
         <p class="mediumtext alignleft">
             <label for="name" class="wide">Name:</label>
-            <input type="text" name="name" id="name" value="<?php echo $item->name; ?>" class="mediumtext" />
+            <input type="text" name="name" id="name" value="<?php echo isset($item) ? esc_attr($item->name) : ''; ?>" class="mediumtext" />
         </p>
         <p class="smalltext alignleft">
             <label for="position" class="wide">Position:</label>
-            <input type="text" name="position" id="position" value="<?php echo $item->position; ?>" class="smalltext" />
+            <input type="number" name="position" min="0" id="position" value="<?php echo isset($item) ? esc_attr($item->position) : ''; ?>" class="smalltext" />
         </p>
         <p class="checkfield alignleft">
@@ -155 +171 @@
         <p>
             <label for="big" class="wide">Big Button:</label>
-            <textarea name="big" id="big" class="text" rows=5><?php echo $item->big; ?></textarea>
+            <textarea name="big" id="big" class="text" rows=5><?php echo isset($item) ? esc_attr($item->big) : ''; ?></textarea>
         </p>
         <p>
             <label for="small" class="wide">Small Button:</label>
-            <textarea name="small" id="small" class="text" rows=5><?php echo $item->small; ?></textarea>
+            <textarea name="small" id="small" class="text" rows=5><?php echo isset($item) ? esc_attr($item->small) : ''; ?></textarea>
         </p>
         <input type="hidden" name="do" value="<?php if($task == 'edit') echo "update"; else echo "add"; ?>" />
-        <input type="hidden" name="id" value="<?php echo $item->id; ?>" />
+        <input type="hidden" name="id" value="<?php echo esc_attr($item->id); ?>" />
         <input type="hidden" name="status" value="Share button has been <?php if($task == 'edit') echo "updated"; else echo "added"; ?>." />
         <input type="submit" value="<?php if($task == 'edit') echo "Update Button"; else echo "Add Button"; ?>" class="alignleft button-primary" />
@@ -173 +189 @@
     <?php
         echo '<table class="thebutton">';
-        echo "<tr><th class='name'><strong>".$item->name.":</strong></th></tr>";
+        echo "<tr><th class='name'><strong>".esc_html($item->name).":</strong></th></tr>";
         echo "<tr><td>".$item->big."</td>";
         echo "<td>".$item->small."</td></tr>";
@@ -179 +195 @@
     ?>
     <p>Are you sure you want to delete this button?</p>
-    <form action="?page=<?php echo $_GET['page']; ?>" method="post">
+    <form action="?page=<?php echo esc_attr($_GET['page']); ?>" method="post">
+        <?php wp_nonce_field( 'wp_sharebar_delete' ); ?>
         <input type="hidden" name="do" value="delete" />
-        <input type="hidden" name="id" value="<?php echo $item->id; ?>" />
+        <input type="hidden" name="id" value="<?php echo esc_attr($item->id); ?>" />
         <input type="hidden" name="status" value="Button has been deleted." />
         <input type="submit" value="Delete" class="alignleft button-primary" />
     </form>
-    <a href="?page=<?php echo $_GET['page']; ?>" class="alignleft" style="margin: 2px 0 0 10px;">Cancel</a>
+    <a href="?page=<?php echo esc_attr($_GET['page']); ?>" class="alignleft" style="margin: 2px 0 0 10px;">Cancel</a>
         
 <?php }elseif($task == 'reset'){ ?>
@@ -192 +209 @@
     <p>Are you sure you want to reset <strong>ALL</strong> share buttons?  This cannot be undone and you will lose any customizations - all buttons will be reset to defaults.</p>
     <form action="?page=<?php echo $_GET['page']; ?>" method="post">
+        <?php wp_nonce_field( 'wp_sharebar_reset' ); ?>
         <input type="hidden" name="do" value="reset" />
         <input type="hidden" name="status" value="All buttons have been reset to inital configuration." />
         <input type="submit" value="Reset ALL Buttons" class="alignleft button-primary" />
     </form>
-    <a href="?page=<?php echo $_GET['page']; ?>" class="alignleft" style="margin: 2px 0 0 10px;">Cancel</a>
+    <a href="?page=<?php echo esc_attr($_GET['page']); ?>" class="alignleft" style="margin: 2px 0 0 10px;">Cancel</a>
         
 <?php }elseif($task == 'settings'){ ?>
@@ -202 +220 @@
     <h3>Sharebar Settings</h3>
     <form action="?page=<?php echo $_GET['page']; ?>&t=settings" method="post">
+        <?php wp_nonce_field( 'wp_sharebar_settings' ); ?>
         <h4>Add Sharebar</h4>
         <p>The following settings allow you to automatically add the Sharebars to your posts and pages.  If you would like to add them manually, make sure that both are unchecked and paste the PHP code into your template instead.</p>
@@ -225 +244 @@
         </p>
         <p>
-            <input type="text" name="leftoffset" id="leftoffset" class="minitext" value="<?php echo $leftoffset; ?>" /><label for="leftoffset">Left Offset (used when positioned to left)</label>
-        </p>
-        <p>
-            <input type="text" name="rightoffset" id="rightoffset" class="minitext" value="<?php echo $rightoffset; ?>" /><label for="rightoffset">Right Offset (used when positioned to right)</label>
+            <input type="text" name="leftoffset" id="leftoffset" class="minitext" value="<?php echo esc_attr($leftoffset); ?>" /><label for="leftoffset">Left Offset (used when positioned to left)</label>
+        </p>
+        <p>
+            <input type="text" name="rightoffset" id="rightoffset" class="minitext" value="<?php echo esc_attr($rightoffset); ?>" /><label for="rightoffset">Right Offset (used when positioned to right)</label>
         </p>
         <p>
@@ -244 +263 @@
         <p>
             <label for="twitter_username">Sharebar Background Color:</label>
-            <input type="text" name="sbg" id="sbg" class="smalltext" value="<?php echo $sbg; ?>" />
+            <input type="text" name="sbg" id="sbg" class="smalltext" value="<?php echo esc_attr($sbg); ?>" />
         </p>
         <p>
             <label for="twitter_username">Sharebar Border Color:</label>
-            <input type="text" name="sborder" id="sborder" class="smalltext" value="<?php echo $sborder; ?>" />
+            <input type="text" name="sborder" id="sborder" class="smalltext" value="<?php echo esc_attr($sborder); ?>" />
         </p>
         <br />
@@ -255 +274 @@
         <input type="submit" value="Update Settings" class="alignleft button-primary" />
     </form>
-    <a href="?page=<?php echo $_GET['page']; ?>" class="alignleft" style="margin: 2px 0 0 10px;">Cancel</a>
+    <a href="?page=<?php echo esc_attr($_GET['page']); ?>" class="alignleft" style="margin: 2px 0 0 10px;">Cancel</a>
         
 <?php }elseif($task == 'donate'){ ?>
@@ -318 +337 @@
     
     <form action="?page=<?php echo $_GET['page']; ?>" method="post">
+    <?php wp_nonce_field( 'wp_sharebar_update_all' ); ?>
     <table id="sharebar-tl">
         <thead><tr><th><a href="/" class="toggle-all">All</a></th><th class='leftj'>Name</th><th>Position</th><th>Big Button</th><th>Small Button</th><th>Actions</th></tr></thead>
@@ -330 +350 @@
                 $name = $result->name;
             }
-            echo "\t\t<tr$dis><td><input type='checkbox' name='buttons[]' id='buttons' value='".$result->id."' class='checkbox c23' /></td><td class='leftj'>".$name."</td><td>".$result->position."<a href='?page=Sharebar&pos=moveup&id=".$result->id."'><img src='" . plugins_url() ."/sharebar/images/up.gif'/></a><a href='?page=Sharebar&pos=movedown&id=".$result->id."'><img src='" . plugins_url() ."/sharebar/images/down.gif'/></a></td><td>".$result->big."</td><td>".$result->small."</td><td><a href='?page=".$_GET['page']."&t=edit&id=".$result->id."'>Edit</a> | <a href='?page=".$_GET['page']."&t=delete&id=".$result->id."'>Delete</a></td></tr>\n";
+            echo "\t\t<tr$dis><td><input type='checkbox' name='buttons[]' id='buttons' value='".$result->id."' class='checkbox c23' /></td><td class='leftj'>".$name."</td><td>".$result->position."<a href='?page=Sharebar&pos=moveup&id=".$result->id."'><img src='" . plugins_url() ."/sharebar/images/up.gif'/></a><a href='?page=Sharebar&pos=movedown&id=".$result->id."'><img src='" . plugins_url() ."/sharebar/images/down.gif'/></a></td><td>".$result->big."</td><td>".$result->small."</td><td><a href='?page=".esc_attr($_GET['page'])."&t=edit&id=".esc_attr($result->id)."'>Edit</a> | <a href='?page=".esc_attr($_GET['page'])."&t=delete&id=".esc_attr($result->id)."'>Delete</a></td></tr>\n";
         } ?>
         </tbody>

sharebar/trunk/sharebar.php

@@ -4 +4 @@
 Plugin URI: http://devgrow.com/sharebar-wordpress-plugin/
 Description: Adds a dynamic bar with sharing icons (Facebook, Twitter, etc.) that changes based on browser size and page location. 
-Version: 1.4.1
+Version: 1.4.2
 Author: Monji Dolon
 Author URI: http://mdolon.com/
@@ -115 +115 @@
         $credit = get_option('sharebar_credit');
         $str = '<ul id="sharebar" style="background:#'.$sbg.';border-color:#'.$sborder.';">';
-        $results = $wpdb->get_results($wpdb->prepare("SELECT * FROM ".$wpdb->prefix."sharebar WHERE enabled=1 ORDER BY position, id ASC", null)); $str .= "\n";
+        $results = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."sharebar WHERE enabled=1 ORDER BY position, id ASC"); $str .= "\n";
         foreach($results as $result){ $str .= '<li>'.sharebar_filter($result->big).'</li>'; }
         if($credit) $str .= '<li class="credit"><a rel="nofollow" href="http://sumo.com/" target="_blank">Sumo</a></li>';
@@ -127 +127 @@
         global $wpdb;
         $str = '<ul id="sharebarx">';
-        $results = $wpdb->get_results($wpdb->prepare("SELECT * FROM ".$wpdb->prefix."sharebar WHERE enabled=1 ORDER BY position, id ASC", null)); $str .= "\n";
+        $results = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."sharebar WHERE enabled=1 ORDER BY position, id ASC"); $str .= "\n";
         foreach($results as $result) { $str .= '<li>'.sharebar_filter($result->small).'</li>'; }
         $str .= '</ul>';
@@ -136 +136 @@
 function sharebar_button($name, $size = 'big'){
     global $wpdb;
-    $item = $wpdb->get_row($wpdb->prepare("SELECT * FROM ".$wpdb->prefix."sharebar WHERE name='$name'"));
+    $item = $wpdb->get_row($wpdb->prepare("SELECT * FROM ".$wpdb->prefix."sharebar WHERE name='%s'", $name));
     if($size == 'big') echo stripslashes($item->big); else echo stripslashes($item->small);
 }
@@ -173 +173 @@
  
 function sharebar_admin_actions(){
-    if(current_user_can('manage_options')) add_options_page("Sharebar", "Sharebar", 1, "Sharebar", "sharebar_menu");
+    if(current_user_can('manage_options')) add_options_page("Sharebar", "Sharebar", 'manage_options', "Sharebar", "sharebar_menu");
 }
 
@@ -247 +247 @@
     }
     else {
+        /*
         if (get_magic_quotes_gpc()) {
             $input = stripslashes($input);
         }
+        */
         $input  = cleanInput($input);
         $output = esc_sql($input);