Changeset 2955166

Timestamp:

08/18/2023 04:11:46 AM (12 months ago)

Author:

sayful

Message:

Fix a security issue related to plugin data tracking consent option.

Location:

carousel-slider/trunk

Files:

• carousel-slider.php (modified) (2 diffs)
• includes/Admin/Feedback.php (modified) (11 diffs)
• readme.txt (modified) (2 diffs)

carousel-slider/trunk/carousel-slider.php

@@ -4 +4 @@
  * Plugin URI: https://sayfulislam.com/?utm_source=wp-plugins&utm_campaign=plugin-uri&utm_medium=wp-dash
  * Description: <strong>Carousel Slider</strong> allows you to create beautiful, touch enabled, responsive carousels and sliders. It let you create SEO friendly Image carousel from Media Library or from custom URL, Video carousel using Youtube and Vimeo video, Post carousel, Hero banner slider and various types of WooCommerce products carousels.
- * Version: 2.2.2
+ * Version: 2.2.
  * Author: Sayful Islam
  * Author URI: https://sayfulislam.com/?utm_source=wp-plugins&utm_campaign=author-uri&utm_medium=wp-dash
@@ -53 +53 @@
          * @var string
          */
-        private $version = '2.2.2';
+        private $version = '2.2.';
 
         /**

carousel-slider/trunk/includes/Admin/Feedback.php

@@ -42 +42 @@
 
             add_action( 'wp_ajax_carousel_slider_deactivate_feedback', [ self::$instance, 'deactivate_feedback' ] );
+
 
             add_action( 'admin_notices', [ self::$instance, 'admin_notice' ] );
-            add_action( 'admin_init', [ self::$instance, 'handle_optin_optout' ] );
 
             add_filter( 'cron_schedules', [ self::$instance, 'add_weekly_schedule' ] );
@@ -56 +56 @@
      * Add weekly cron schedule
      *
-     * @param array $schedules List of schedules.
+     * @param  List of schedules.
      *
      * @return array
@@ -91 +91 @@
      */
     public function deactivate_feedback() {
-        if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], '_carousel_slider_deactivate_feedback_nonce' ) ) {
+        if ( ! isset( $_POST['_wpnonce'] ) ||
+             ! wp_verify_nonce( $_POST['_wpnonce'], '_carousel_slider_deactivate_feedback_nonce' )
+        ) {
             wp_send_json_error();
         }
@@ -159 +161 @@
             'not_working'            => [
                 'title'             => esc_html__( 'I couldn\'t get the plugin to work', 'carousel-slider' ),
-                'input_placeholder' => esc_html__( 'Could you tell us a bit more whats not working?', 'carousel-slider' ),
+                'input_placeholder' => esc_html__(
+                    'Could you tell us a bit more whats not working?',
+                    'carousel-slider'
+                ),
             ],
             'missing_a_feature'      => [
@@ -171 +176 @@
             'carousel_slider_pro'    => [
                 'title' => esc_html__( 'I have Carousel Slider Pro', 'carousel-slider' ),
-                'alert' => esc_html__( 'Wait! Don\'t deactivate Carousel Slider. You have to activate both Carousel Slider and Carousel Slider Pro in order for the plugin to work.', 'carousel-slider' ),
+                'alert' => esc_html__(
+                    'Wait! Don\'t deactivate Carousel Slider. You have to activate both Carousel Slider and Carousel Slider Pro in order for the plugin to work.',
+                    'carousel-slider'
+                ),
             ],
             'other'                  => [
@@ -190 +198 @@
 
                     <div class="feedback-dialog__form-caption">
-                        <?php echo esc_html__( 'If you have a moment, please share why you are deactivating Carousel Slider:', 'carousel-slider' ); ?>
+                        <?php
+                        echo esc_html__(
+                            'If you have a moment, please share why you are deactivating Carousel Slider:',
+                            'carousel-slider'
+                        );
+                        ?>
                     </div>
                     <div class="feedback-dialog__form-body">
@@ -203 +216 @@
                                 <?php if ( ! empty( $reason['input_placeholder'] ) ) : ?>
                                     <textarea
-                                        class="carousel-slider-feedback-text"
-                                        name="reason_<?php echo esc_attr( $reason_key ); ?>"
-                                        placeholder="<?php echo esc_attr( $reason['input_placeholder'] ); ?>"
-                                        rows="2"
+                                        class="carousel-slider-feedback-text"
+                                        name="reason_<?php echo esc_attr( $reason_key ); ?>"
+                                        placeholder="<?php echo esc_attr( $reason['input_placeholder'] ); ?>"
+                                        rows="2"
                                     ></textarea>
                                 <?php endif; ?>
@@ -237 +250 @@
 
     /**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
      * Show tracker notice to admin
      *
@@ -250 +280 @@
 
         /* translators: 1 - Plugin name */
-        $message = sprintf( __( 'Want to help make <strong>%1$s</strong> even more awesome? Allow %1$s to collect non-sensitive diagnostic data and usage information.', 'carousel-slider' ), 'Carousel Slider' );
-
-        $message .= ' (<a class="carousel-slider-insights-data-we-collect" href="#">' . __( 'what we collect', 'carousel-slider' ) . '</a>)';
-        $message .= '<p class="description" style="display:none;">' . implode( ', ', $this->data_we_collect() ) . '. No sensitive data is tracked. ';
+        $message = sprintf(
+            __(
+                'Want to help make <strong>%1$s</strong> even more awesome? Allow %1$s to collect non-sensitive diagnostic data and usage information.',
+                'carousel-slider'
+            ),
+            'Carousel Slider'
+        );
+
+        $message .= ' (<a class="carousel-slider-insights-data-we-collect" href="#">' . __(
+            'what we collect',
+            'carousel-slider'
+        ) . '</a>)';
+        $message .= '<p class="description" style="display:none;">' . implode(
+            ', ',
+            $this->data_we_collect()
+        ) . '. No sensitive data is tracked. ';
         $message .= '<a href="' . Api::PRIVACY_URL . '" target="_blank">Learn more</a> about how Carousel Slider collects and handle your data.</p>';
 
-        $optin_url  = add_query_arg( 'carousel_slider_tracker_optin', 'true' );
-        $optout_url = add_query_arg( 'carousel_slider_tracker_optout', 'true' );
+        $optin_url  =  );
+        $optout_url =  );
 
         $html  = '<div class="updated"><p>';
         $html .= $message;
         $html .= '</p><p class="submit">';
-        $html .= '&nbsp;<a href="' . esc_url( $optin_url ) . '" class="button-primary button-large">' . __( 'Allow', 'carousel-slider' ) . '</a>';
-        $html .= '&nbsp;<a href="' . esc_url( $optout_url ) . '" class="button-secondary button-large">' . __( 'No thanks', 'carousel-slider' ) . '</a>';
+        $html .= '&nbsp;<a href="' . esc_url( $optin_url ) . '" class="button-primary button-large">' . __(
+            'Allow',
+            'carousel-slider'
+        ) . '</a>';
+        $html .= '&nbsp;<a href="' . esc_url( $optout_url ) . '" class="button-secondary button-large">' . __(
+            'No thanks',
+            'carousel-slider'
+        ) . '</a>';
         $html .= '</p></div>';
 
@@ -283 +331 @@
      */
     public function handle_optin_optout() {
-        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-        if ( isset( $_GET['carousel_slider_tracker_optin'] ) && 'true' === $_GET['carousel_slider_tracker_optin'] ) {
-            $this->optin();
-
-            // phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect
-            wp_redirect( remove_query_arg( 'carousel_slider_tracker_optin' ) );
-            exit;
-        }
-
-        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-        if ( isset( $_GET['carousel_slider_tracker_optout'] ) && 'true' === $_GET['carousel_slider_tracker_optout'] ) {
-            $this->optout();
-
-            // phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect
-            wp_redirect( remove_query_arg( 'carousel_slider_tracker_optout' ) );
-            exit;
+        if (
+            current_user_can( 'manage_options' ) &&
+            isset( $_GET['_token'] ) &&
+            wp_verify_nonce( $_GET['_token'], 'carousel_slider_tracker' )
+        ) {
+            if ( isset( $_GET['carousel_slider_tracker_optin'] ) && 'true' === $_GET['carousel_slider_tracker_optin'] ) {
+                $this->optin();
+
+                wp_safe_redirect( admin_url() );
+                exit;
+            }
+
+            if ( isset( $_GET['carousel_slider_tracker_optout'] ) && 'true' === $_GET['carousel_slider_tracker_optout'] ) {
+                $this->optout();
+
+                wp_safe_redirect( admin_url() );
+                exit;
+            }
         }
     }
@@ -411 +461 @@
      * Send tracking data to server
      *
-     * @param boolean $override Re-sent even if it is already sent data.
+     * @param  Re-sent even if it is already sent data.
      *
      * @return void

carousel-slider/trunk/readme.txt

@@ -6 +6 @@
 Tested up to: 6.3
 Requires PHP: 7.0
-Stable tag: 2.2.2
+Stable tag: 2.2.
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.txt
@@ -97 +97 @@
 == Changelog ==
 
+
+
+
 = version 2.2.2 - 2023-08-08 =
 * Dev - Tested with WordPress 6.3 and WooCommerce 7.9