Version Description
- Fixed security vulnerability (props to Ov3rfly for the report)
- Added the functionality that checks correctly for the AAM premium plugins updates
Release Info
Developer | vasyltech |
Plugin | Advanced Access Manager |
Version | 5.9.9 |
Code changes from version 5.9.8.1 to 5.9.9
- aam.php +1 -1
- application/Backend/Manager.php +3 -5
- application/Backend/phtml/index.phtml +0 -36
- application/Core/Media.php +6 -4
- application/Core/Server.php +17 -1
- application/Extension/Repository.php +22 -0
- application/Shared/Manager.php +86 -1
- license.txt +0 -14
- readme.txt +6 -2
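--- a/aam.php
+++ b/aam.php
@@ -3,7 +3,7 @@
 /**
 * Plugin Name: Advanced Access Manager
 * Description: Collection of features to manage your WordPress website authentication, authorization and monitoring
-* Version: 5.9.
+* Version: 5.9.9
 * Author: Vasyl Martyniuk <vasyl@vasyltech.com>
 * Author URI: https://vasyltech.com
 * Text Domain: advanced-access-manager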
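--- a/application/Backend/Manager.php
+++ b/application/Backend/Manager.php
@@ -899,9 +899,7 @@ class AAM_Backend_Manager {
 * @access protected
 */
 protected function printLocalization($localKey) {
-$subject
-$endpoint1 = getenv('AAM_V1_ENDPOINT');
-$endpoint2 = getenv('AAM_V2_ENDPOINT');
+$subject = AAM_Backend_Subject::getInstance();
 
 $locals = array(
 'nonce' => wp_create_nonce('aam_ajax'),
@@ -924,8 +922,8 @@ class AAM_Backend_Manager {
 'system' => array(
 'domain' => wp_parse_url(site_url(), PHP_URL_HOST),
 'uid' => AAM_Core_API::getOption('aam-uid', null, 'site'),
-'apiV1Endpoint' =>
-'apiV2Endpoint' =>
+'apiV1Endpoint' => AAM_Core_Server::getEndpoint('V1'),
+'apiV2Endpoint' => AAM_Core_Server::getEndpoint('V2')
 ),
 'translation' => AAM_Backend_View_Localization::get(),
 'caps' => array(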
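--- a/application/Backend/phtml/index.phtml
+++ b/application/Backend/phtml/index.phtml
@@ -107,42 +107,6 @@
 </div>
 <?php } ?>
 
-<?php if (AAM_Extension_Repository::getInstance()->isWriteableDirectory() === false && $manageExtensions) { ?>
-<?php $relativePath = AAM_Extension_Repository::getInstance()->getBasedir(true); ?>
-<div class="metabox-holder extensions-metabox" id='extension-dir-warning' style="display:none;">
-<div class="postbox">
-<h3 class="hndle warning">
-<span><?php echo __('Warning', AAM_KEY); ?></span>
-</h3>
-<div class="inside">
-<div class="aam-postbox-inside text-center">
-<p class='alert alert-warning text-larger highlighted-italic'>
-<?php echo sprintf(AAM_Backend_View_Helper::preparePhrase('All AAM extension should be located in [%s] directory however it either does not exist or is not writable.', 'b'), $relativePath); ?>
-</p>
-<a href="#" class="btn btn-sm btn-success btn-block" id='fix-extension-dir-issue'><i class="icon-wrench"></i> <?php echo __('Click To Fix The Issue', AAM_KEY); ?></a>
-</div>
-</div>
-</div>
-</div>
-
-<div class="modal fade" id="extension-dir-issue-modal" tabindex="-1" role="dialog">
-<div class="modal-dialog" role="document">
-<div class="modal-content">
-<div class="modal-body">
-<div class="form-group">
-<p class="alert alert-warning text-larger">
-<?php echo sprintf(AAM_Backend_View_Helper::preparePhrase('Failed to create a [%s] directory for AAM extension. To create it manually, login to your website via FTP and create [%s] directory. [Please Note!] It is a relative directory path from your website root (where wp-config.php file is located).', 'b', 'b', 'b'), $relativePath, $relativePath); ?>
-</p>
-</div>
-</div>
-<div class="modal-footer">
-<button type="button" class="btn btn-default" data-dismiss="modal"><?php echo __('Ok', AAM_KEY); ?></button>
-</div>
-</div>
-</div>
-</div>
-<?php } ?>
-
 <?php $licenses = AAM_Extension_Repository::getInstance()->getCommercialLicenses(); ?>
 <?php if (count($licenses) && $manageExtensions) { ?>
 <div class="metabox-holder extensions-metabox" style="display:none;">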
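--- a/application/Core/Media.php
+++ b/application/Core/Media.php
@@ -63,8 +63,6 @@ class AAM_Core_Media {
 } else {
 $this->printMedia();
 }
-} else {
-$this->printMedia();
 }
 }
 
@@ -140,8 +138,12 @@ class AAM_Core_Media {
 }
 }
 
-
-
+$allowed = '\.(jpg|jpeg|png|svg|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|xlsx|psd)$';
+// Props to Ov3rfly report
+if (preg_match($allowed, $request)) {
+@header('Content-Type: ' . (empty($mime) ? $type : $mime));
+echo file_get_contents($request);
+}
 exit;
 }
 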
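Review bot: The allowlist on new line 141 is not a valid PCRE pattern — it has no delimiters, and its first character is a backslash, which PHP refuses as a delimiter — so `preg_match()` on line 143 raises a warning and returns `false`, the guarded branch never runs, and no media is served at all after this change; it should be `$allowed = '/\.(jpg|jpeg|png|svg|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|xlsx|psd)$/i';` (the `i` flag so `.JPG` and friends are not rejected). Once the pattern works, an extension check alone only restricts what kind of file `file_get_contents()` reads, not where it reads from, so a `realpath()` comparison against the intended media base directory belongs in the same guard. The `@` on `header()` hides a headers-already-sent failure that would be useful in logs. Where `$request` and `$mime` come from is above this hunk, and the enclosing method starts outside it.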
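--- a/application/Core/Server.php
+++ b/application/Core/Server.php
@@ -56,6 +56,22 @@ final class AAM_Core_Server {
 return $result;
 }
 
+/**
+* Undocumented function
+*
+* @param string $v
+* @return void
+*/
+public static function getEndpoint($v = 'V1') {
+$endpoint = getenv("AAM_API_{$v}_ENDPOINT");
+
+if (empty($endpoint)) {
+$endpoint = ($v === 'V1' ? self::SERVER_V1_URL : self::SERVER_V2_URL);
+}
+
+return $endpoint;
+}
+
 /**
 * Send request
 *
@@ -68,7 +84,7 @@ final class AAM_Core_Server {
 protected static function send($request, $params, $timeout = 10) {
 $response = self::parseResponse(
 AAM_Core_API::cURL(
-self::
+self::getEndpoint('V1') . $request, $params, $timeout
 )
 );
 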
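Review bot: `getEndpoint()` on new lines 65-73 reads its override from `AAM_API_{$v}_ENDPOINT`, while the code it replaces in application/Backend/Manager.php read `AAM_V1_ENDPOINT` / `AAM_V2_ENDPOINT`; if the rename is unintended, any environment that set the old names now silently falls back to `SERVER_V1_URL` / `SERVER_V2_URL`, and if it is intended it deserves a changelog line. The docblock on lines 59-64 is an editor placeholder — `Undocumented function` with `@return void` on a method that returns the endpoint string — and should read along the lines of `Resolve the base URL for API version $v ('V1' or 'V2'); the AAM_API_{$v}_ENDPOINT environment variable, when set, overrides the built-in server URL. @param string $v @return string`. `$v` is interpolated into the variable name and any value other than `'V1'` selects the V2 URL, so I would reject unknown versions up front, `if (!in_array($v, array('V1', 'V2'), true)) { throw new InvalidArgumentException('Unknown API version: ' . $v); }`, rather than letting a typo pick an endpoint.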
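--- a/application/Extension/Repository.php
+++ b/application/Extension/Repository.php
@@ -328,6 +328,28 @@ class AAM_Extension_Repository {
 
 return $status;
 }
+
+/**
+* Get plugin version
+*
+* @return string
+*
+* @access public
+*/
+public static function version($id) {
+if (file_exists(ABSPATH . 'wp-admin/includes/plugin.php')) {
+require_once ABSPATH . 'wp-admin/includes/plugin.php';
+}
+
+$path = realpath(WP_PLUGIN_DIR . '/' . $id);
+
+if (function_exists('get_plugin_data') && file_exists($path)) {
+$data = get_plugin_data($path);
+$version = (isset($data['Version']) ? $data['Version'] : null);
+}
+
+return (!empty($version) ? $version : null);
+}
 
 /**
 *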
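Review bot: `version()` on new lines 339-352 builds the path from `$id` without checking that the `realpath()` result is still inside `WP_PLUGIN_DIR`; in application/Shared/Manager.php the caller passes `$item['plugin']` straight from the remote registry response, so a malformed or hostile reply could point `get_plugin_data()` at an arbitrary readable file. A prefix check after line 344, `if ($path === false || strpos($path, realpath(WP_PLUGIN_DIR)) !== 0) { return null; }`, closes that. The docblock is also incomplete: it lacks `@param string $id` (the plugin's main file path relative to the plugin directory, judging by how it is joined to `WP_PLUGIN_DIR`), and `@return string` should be `@return string|null` since `null` is returned when the plugin is absent or has no Version header. `$version` is only assigned inside the `if`; `empty()` tolerates that, but initialising it to `null` before the block reads more honestly.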
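--- a/application/Shared/Manager.php
+++ b/application/Shared/Manager.php
@@ -38,7 +38,92 @@ class AAM_Shared_Manager {
 *
 * @return void
 */
-protected function __construct() {
+protected function __construct() {
+// Plugin updates check
+add_filter('http_response', array($this, 'checkForUpdates'), 10, 3);
+
+// Plugin release details
+add_filter('self_admin_url', array($this, 'pluginUpdateDetails'), 10, 3);
+}
+
+/**
+* Undocumented function
+*
+* @param [type] $response
+* @param [type] $r
+* @param [type] $url
+* @return void
+*/
+public function checkForUpdates($response, $r, $url) {
+static $execute = true;
+
+if (strpos($url, 'api.wordpress.org/plugins/update-check') !== false && $execute) {
+$execute = false;
+$list = array();
+
+foreach(AAM_Core_API::getOption('aam-extensions', array()) as $id => $data) {
+if (!empty($data['license'])) {
+$list[$id] = $data['license'];
+}
+}
+
+$raw = wp_remote_post(
+AAM_Core_Server::getEndpoint('V2') . '/registry',
+array(
+'headers' => array(
+'Accept' => 'application/json',
+'Content-Type' => 'application/json'
+),
+'body' => wp_json_encode($list)
+)
+);
+
+if (!is_wp_error($raw) && (intval(wp_remote_retrieve_response_code($raw)) === 200)) {
+$original = json_decode($response['body'], true);
+$repo = json_decode(wp_remote_retrieve_body($raw), true);
+
+foreach ($repo['products'] as $item) {
+$c = AAM_Extension_Repository::version($item['plugin']);
+
+if (!empty($c) && (version_compare($c, $item['new_version']) === -1)) {
+$original['plugins'][$item['plugin']] = $item;
+}
+}
+$response['body'] = json_encode($original);
+}
+}
+
+return $response;
+}
+
+/**
+* Undocumented function
+*
+* @param [type] $url
+* @param [type] $path
+* @param [type] $scheme
+* @return void
+*/
+public function pluginUpdateDetails($url, $path, $scheme) {
+if (strpos($url, 'plugin-install.php?') !== false) {
+$args = parse_url($url);
+$query = array();
+
+parse_str($args['query'], $query);
+
+$plugin = !empty($query['plugin']) ? $query['plugin'] : null;
+
+if (in_array($plugin, array('aam-plus-package', 'aam-role-hierarchy', 'aam-complete-package', 'aam-ip-check'))) {
+$url = add_query_arg(array(
+'TB_iframe' => true,
+'width' => (isset($query['width']) ? $query['width'] : 640),
+'height' => (isset($query['height']) ? $query['height'] : 662),
+), 'https://aamplugin.com/addon/' . $plugin . '/changelog');
+}
+}
+
+return $url;
+}
 
 /**
 * Initialize core hooks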
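Review bot: `checkForUpdates()` on new lines 85-92 copies every entry of `$repo['products']` into the WordPress update-check response keyed by `$item['plugin']`, so the registry reply can inject an update record (including whatever download URL it carries) for any plugin slug, not only the licensed extensions the site asked about in `$list`; the merge should be restricted to extensions the site actually reported (matching against the ids collected in `$list`, or whichever field of `$item` carries that id if the registry's `plugin` value is a file path rather than the option key). The same block assumes well-formed JSON on both sides: `$original` is `null` when `$response['body']` fails to decode on line 82, after which line 89 replaces the whole body with only the injected entries, and `$repo['products']` on line 85 is iterated without `isset()`, so both need `is_array()` guards before merging. The docblocks on lines 49-56 and 99-106 are editor placeholders (`Undocumented function`, `[type]`, `@return void` on methods that return `$response` / `$url`) and should describe the `http_response` and `self_admin_url` filter contracts and their array / string return values. Line 92 uses `json_encode()` where line 77 uses `wp_json_encode()`; pick one. In `pluginUpdateDetails()`, `in_array()` on line 116 should pass `true` as its third argument and `$args['query']` on line 112 should be read with `isset()`, since a URL ending in `plugin-install.php?` yields no `query` key.

```php
if (!is_wp_error($raw) && (intval(wp_remote_retrieve_response_code($raw)) === 200)) {
    $original = json_decode($response['body'], true);
    $repo     = json_decode(wp_remote_retrieve_body($raw), true);

    // Only rewrite the body when both documents decoded to arrays
    if (is_array($original) && isset($repo['products']) && is_array($repo['products'])) {
        foreach ($repo['products'] as $item) {
            // Accept records only for extensions this site reported as licensed
            if (empty($item['plugin']) || !isset($list[$item['plugin']])) {
                continue;
            }
            $c = AAM_Extension_Repository::version($item['plugin']);

            if (!empty($c) && (version_compare($c, $item['new_version']) === -1)) {
                $original['plugins'][$item['plugin']] = $item;
            }
        }
        $response['body'] = wp_json_encode($original);
    }
}
// … unchanged: return $response; pluginUpdateDetails() …
```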
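--- a/license.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Copyright (C) Vasyl Martyniuk <vasyl@vasyltech.com>
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program. If not, see <https://www.gnu.org/licenses/>.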
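--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
 Contributors: vasyltech
 Tags: access control, membership, backend menu, user role, restricted content, security, jwt
 Requires at least: 4.0
-Tested up to: 5.2.
-Stable tag: 5.9.
+Tested up to: 5.2.3
+Stable tag: 5.9.9
 
 All you need to manage access to you WordPress websites on frontend, backend and API levels for any role, user or visitors.
 
@@ -80,6 +80,10 @@ https://www.youtube.com/watch?v=mj5Xa_Wc16Y
 
 == Changelog ==
 
+= 5.9.9 =
+* Fixed security vulnerability reported by "Props to Ov3rfly"
+* Added the functionality that checks correctly for the AAM premium plugins updates
+
 = 5.9.8.1 =
 * Making sure that all setcookie as flagged as HTTPOnly
 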