From 17acd0eb821daa0e3cd8f42893cbbbffb023cf0b Mon Sep 17 00:00:00 2001 From: nikitasinelnikov Date: Thu, 11 Jul 2019 18:50:41 +0300 Subject: [PATCH] - xss security fix; --- includes/admin/templates/role/role-edit.php | 43 +++++++++++---------- includes/core/um-actions-profile.php | 7 +++- includes/core/um-filters-account.php | 19 ++++++++- readme.txt | 11 +++++- ultimate-member.php | 2 +- 5 files changed, 57 insertions(+), 25 deletions(-) diff --git a/includes/admin/templates/role/role-edit.php b/includes/admin/templates/role/role-edit.php index 47bd571b..64c40949 100644 --- a/includes/admin/templates/role/role-edit.php +++ b/includes/admin/templates/role/role-edit.php @@ -77,34 +77,38 @@ if ( ! empty( $_POST['role'] ) ) { $data = $_POST['role']; - if ( empty( $data['name'] ) ) { + if ( 'add' == $_GET['tab'] ) { - $error .= __( 'Title is empty!', 'ultimate-member' ) . '
'; + $data['name'] = trim( esc_html( strip_tags( $data['name'] ) ) ); - } else { - - if ( 'add' == $_GET['tab'] ) { - - if ( preg_match( "/[a-z0-9]+$/i", $data['name'] ) ) { - $id = sanitize_title( $data['name'] ); - } else { - $auto_increment = UM()->options()->get( 'custom_roles_increment' ); - $auto_increment = ! empty( $auto_increment ) ? $auto_increment : 1; - $id = 'custom_role_' . $auto_increment; - } - - $redirect = add_query_arg( array( 'page'=>'um_roles', 'tab'=>'edit', 'id'=>$id, 'msg'=>'a' ), admin_url( 'admin.php' ) ); - } elseif ( 'edit' == $_GET['tab'] && ! empty( $_GET['id'] ) ) { - $id = $_GET['id']; - $redirect = add_query_arg( array( 'page' => 'um_roles', 'tab'=>'edit', 'id'=>$id, 'msg'=>'u' ), admin_url( 'admin.php' ) ); + if ( empty( $data['name'] ) ) { + $error .= __( 'Title is empty!', 'ultimate-member' ) . '
'; } + if ( preg_match( "/[a-z0-9]+$/i", $data['name'] ) ) { + $id = sanitize_title( $data['name'] ); + } else { + $auto_increment = UM()->options()->get( 'custom_roles_increment' ); + $auto_increment = ! empty( $auto_increment ) ? $auto_increment : 1; + $id = 'custom_role_' . $auto_increment; + } + + $redirect = add_query_arg( array( 'page'=>'um_roles', 'tab'=>'edit', 'id'=>$id, 'msg'=>'a' ), admin_url( 'admin.php' ) ); + } elseif ( 'edit' == $_GET['tab'] && ! empty( $_GET['id'] ) ) { + $id = $_GET['id']; + + $pre_role_meta = get_option( "um_role_{$id}_meta", array() ); + $data['name'] = $pre_role_meta['name']; + + $redirect = add_query_arg( array( 'page' => 'um_roles', 'tab'=>'edit', 'id'=>$id, 'msg'=>'u' ), admin_url( 'admin.php' ) ); } + $all_roles = array_keys( get_editable_roles() ); if ( 'add' == $_GET['tab'] ) { - if ( in_array( 'um_' . $id, $all_roles ) || in_array( $id, $all_roles ) ) + if ( in_array( 'um_' . $id, $all_roles ) || in_array( $id, $all_roles ) ) { $error .= __( 'Role already exists!', 'ultimate-member' ) . '
'; + } } if ( '' == $error ) { @@ -186,7 +190,6 @@ $screen_id = $current_screen->id; ?> - diff --git a/includes/core/um-actions-profile.php b/includes/core/um-actions-profile.php index ad3d7cf7..4e0c0635 100644 --- a/includes/core/um-actions-profile.php +++ b/includes/core/um-actions-profile.php @@ -1444,9 +1444,12 @@ function um_profile_menu( $args ) { $active_subnav = ( UM()->profile()->active_subnav() ) ? UM()->profile()->active_subnav() : $tab['subnav_default']; ?>
- $subtab ) { ?> + $subtab ) { - + $subnav_link = add_query_arg( 'subnav', $id_s ); + $subnav_link = apply_filters( 'um_user_profile_subnav_link', $subnav_link, $id_s, $subtab ); ?> + + diff --git a/includes/core/um-filters-account.php b/includes/core/um-filters-account.php index f1087fbd..30c43a92 100644 --- a/includes/core/um-filters-account.php +++ b/includes/core/um-filters-account.php @@ -59,4 +59,21 @@ function um_account_disable_name_fields( $fields ){ return $fields; } add_filter( "um_get_field__first_name","um_account_disable_name_fields", 10 ,1 ); -add_filter( "um_get_field__last_name","um_account_disable_name_fields", 10 ,1 ); \ No newline at end of file +add_filter( "um_get_field__last_name","um_account_disable_name_fields", 10 ,1 ); + + +/** + * Sanitize inputs on Account update + * + * @param $data + * + * @return mixed + */ +function um_account_sanitize_data( $data ) { + foreach ( $data as $key => $value ) { + $data[ $key ] = trim( esc_html( strip_tags( $value ) ) ); + } + + return $data; +} +add_filter( 'um_account_pre_updating_profile_array', 'um_account_sanitize_data', 10, 1 ); \ No newline at end of file diff --git a/readme.txt b/readme.txt index d1d9f8e4..436ef412 100644 --- a/readme.txt +++ b/readme.txt @@ -6,7 +6,7 @@ Donate link: Tags: community, member, membership, user-profile, user-registration Requires at least: 4.9 Tested up to: 5.2 -Stable tag: 2.0.51 +Stable tag: 2.0.52 License: GNU Version 2 or Any Later Version License URI: http://www.gnu.org/licenses/gpl-3.0.txt @@ -137,6 +137,15 @@ The plugin works with popular caching plugins by automatically excluding Ultimat = Important: UM2.0+ is a significant update to the code base from 1.3.88. Please make sure you take a full-site backup with restore point before updating the plugin = += 2.0.52: July 11, 2019 = + +* Enhancements: + - Extended hooks for 3rd party integrations + +* Bugfixes: + - Fixed UM Roles create/edit XSS security issue + - Fixed XSS security issue on account upgrade + = 2.0.51: July 09, 2019 = * Bugfixes: diff --git a/ultimate-member.php b/ultimate-member.php index a0909b3d..a65ccc0e 100644 --- a/ultimate-member.php +++ b/ultimate-member.php @@ -3,7 +3,7 @@ Plugin Name: Ultimate Member Plugin URI: http://ultimatemember.com/ Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress -Version: 2.0.51 +Version: 2.0.52 Author: Ultimate Member Author URI: http://ultimatemember.com/ Text Domain: ultimate-member