Advanced Access Manager - Version 5.9.9

Version Description

  • Fixed security vulnerability (props to Ov3rfly for the report)
  • Added the functionality that checks correctly for the AAM premium plugins updates

Release Info

Developer vasyltech
Version 5.9.9

Code changes from version 5.9.8.1 to 5.9.9

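--- a/aam.php
+++ b/aam.php
@@ -3,7 +3,7 @@
  /**
  * Plugin Name: Advanced Access Manager
  * Description: Collection of features to manage your WordPress website authentication, authorization and monitoring
- * Version: 5.9.8.1
+ * Version: 5.9.9
  * Author: Vasyl Martyniuk <vasyl@vasyltech.com>
  * Author URI: https://vasyltech.com
  * Text Domain: advanced-access-manager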
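--- a/application/Backend/Manager.php
+++ b/application/Backend/Manager.php
@@ -899,9 +899,7 @@ class AAM_Backend_Manager {
  * @access protected
  */
  protected function printLocalization($localKey) {
- $subject = AAM_Backend_Subject::getInstance();
- $endpoint1 = getenv('AAM_V1_ENDPOINT');
- $endpoint2 = getenv('AAM_V2_ENDPOINT');
+ $subject = AAM_Backend_Subject::getInstance();
 
  $locals = array(
  'nonce' => wp_create_nonce('aam_ajax'),
@@ -924,8 +922,8 @@ class AAM_Backend_Manager {
  'system' => array(
  'domain' => wp_parse_url(site_url(), PHP_URL_HOST),
  'uid' => AAM_Core_API::getOption('aam-uid', null, 'site'),
- 'apiV1Endpoint' => ($endpoint1 ? $endpoint1 : AAM_Core_Server::SERVER_V1_URL),
- 'apiV2Endpoint' => ($endpoint2 ? $endpoint2 : AAM_Core_Server::SERVER_V2_URL)
+ 'apiV1Endpoint' => AAM_Core_Server::getEndpoint('V1'),
+ 'apiV2Endpoint' => AAM_Core_Server::getEndpoint('V2')
  ),
  'translation' => AAM_Backend_View_Localization::get(),
  'caps' => array(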
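Review bot: The environment override for the API endpoints is silently renamed by this hunk: the removed lines read `AAM_V1_ENDPOINT` and `AAM_V2_ENDPOINT`, while the replacement `AAM_Core_Server::getEndpoint()` added in application/Core/Server.php reads `AAM_API_{$v}_ENDPOINT`. A deployment that pins the endpoint through the old variable names will fall back to the hard-coded server without any warning, and neither the changelog nor the new method's docblock mentions the rename. Either keep the old names as a fallback inside `getEndpoint()`, e.g. `$endpoint = getenv("AAM_API_{$v}_ENDPOINT") ?: getenv("AAM_{$v}_ENDPOINT");`, or document the new variable names in the release notes. The body of `printLocalization()` continues outside the hunk.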
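--- a/application/Backend/phtml/index.phtml
+++ b/application/Backend/phtml/index.phtml
@@ -107,42 +107,6 @@
  </div>
  <?php } ?>
 
- <?php if (AAM_Extension_Repository::getInstance()->isWriteableDirectory() === false && $manageExtensions) { ?>
- <?php $relativePath = AAM_Extension_Repository::getInstance()->getBasedir(true); ?>
- <div class="metabox-holder extensions-metabox" id='extension-dir-warning' style="display:none;">
- <div class="postbox">
- <h3 class="hndle warning">
- <span><?php echo __('Warning', AAM_KEY); ?></span>
- </h3>
- <div class="inside">
- <div class="aam-postbox-inside text-center">
- <p class='alert alert-warning text-larger highlighted-italic'>
- <?php echo sprintf(AAM_Backend_View_Helper::preparePhrase('All AAM extension should be located in [%s] directory however it either does not exist or is not writable.', 'b'), $relativePath); ?>
- </p>
- <a href="#" class="btn btn-sm btn-success btn-block" id='fix-extension-dir-issue'><i class="icon-wrench"></i> <?php echo __('Click To Fix The Issue', AAM_KEY); ?></a>
- </div>
- </div>
- </div>
- </div>
-
- <div class="modal fade" id="extension-dir-issue-modal" tabindex="-1" role="dialog">
- <div class="modal-dialog" role="document">
- <div class="modal-content">
- <div class="modal-body">
- <div class="form-group">
- <p class="alert alert-warning text-larger">
- <?php echo sprintf(AAM_Backend_View_Helper::preparePhrase('Failed to create a [%s] directory for AAM extension. To create it manually, login to your website via FTP and create [%s] directory. [Please Note!] It is a relative directory path from your website root (where wp-config.php file is located).', 'b', 'b', 'b'), $relativePath, $relativePath); ?>
- </p>
- </div>
- </div>
- <div class="modal-footer">
- <button type="button" class="btn btn-default" data-dismiss="modal"><?php echo __('Ok', AAM_KEY); ?></button>
- </div>
- </div>
- </div>
- </div>
- <?php } ?>
-
  <?php $licenses = AAM_Extension_Repository::getInstance()->getCommercialLicenses(); ?>
  <?php if (count($licenses) && $manageExtensions) { ?>
  <div class="metabox-holder extensions-metabox" style="display:none;">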
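--- a/application/Core/Media.php
+++ b/application/Core/Media.php
@@ -63,8 +63,6 @@ class AAM_Core_Media {
  } else {
  $this->printMedia();
  }
- } else {
- $this->printMedia();
  }
  }
 
@@ -140,8 +138,12 @@ class AAM_Core_Media {
  }
  }
 
- @header('Content-Type: ' . (empty($mime) ? $type : $mime));
- echo file_get_contents($request);
+ $allowed = '\.(jpg|jpeg|png|svg|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|xlsx|psd)$';
+ // Props to Ov3rfly report
+ if (preg_match($allowed, $request)) {
+ @header('Content-Type: ' . (empty($mime) ? $type : $mime));
+ echo file_get_contents($request);
+ }
  exit;
  }
 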
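Review bot: The pattern assigned to `$allowed` on line 141 has no delimiters, so the `preg_match()` on line 143 emits a warning (PCRE requires a non-alphanumeric, non-backslash delimiter) and returns false for every input; the practical effect is that no media is served at all, rather than only the whitelisted extensions. The match is also case-sensitive, so a file ending in `.JPG` would be refused even with a valid pattern. Use `$allowed = '/\.(jpg|jpeg|png|svg|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|xlsx|psd)$/i';` and treat only `preg_match($allowed, $request) === 1` as success, since this whitelist is now the sole guard between `$request` and `file_get_contents()`. One hedged caveat: `svg` is served inline with the caller-supplied MIME type, and if uploads are not limited to trusted users it may be safer to exclude it or send it with `Content-Disposition: attachment`. The enclosing method starts outside the hunk, so where `$request` and `$mime` come from cannot be confirmed here.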
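--- a/application/Core/Server.php
+++ b/application/Core/Server.php
@@ -56,6 +56,22 @@ final class AAM_Core_Server {
  return $result;
  }
 
+ /**
+ * Undocumented function
+ *
+ * @param string $v
+ * @return void
+ */
+ public static function getEndpoint($v = 'V1') {
+ $endpoint = getenv("AAM_API_{$v}_ENDPOINT");
+
+ if (empty($endpoint)) {
+ $endpoint = ($v === 'V1' ? self::SERVER_V1_URL : self::SERVER_V2_URL);
+ }
+
+ return $endpoint;
+ }
+
  /**
  * Send request
  *
@@ -68,7 +84,7 @@ final class AAM_Core_Server {
  protected static function send($request, $params, $timeout = 10) {
  $response = self::parseResponse(
  AAM_Core_API::cURL(
- self::SERVER_V1_URL . $request, $params, $timeout
+ self::getEndpoint('V1') . $request, $params, $timeout
  )
  );
 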
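Review bot: The docblock of the new `getEndpoint()` is a placeholder — it reads "Undocumented function" and declares `@return void` although the method returns a string on line 72. Suggested replacement: `Resolve the base URL of the AAM API for the given version; an AAM_API_<V>_ENDPOINT environment variable overrides the built-in default. @param string $v API version, 'V1' or 'V2' @return string`. Note also that any `$v` other than `'V1'`, including a typo, silently resolves to `self::SERVER_V2_URL`; if only two versions are intended, a guard such as `if (!in_array($v, array('V1', 'V2'), true)) { $v = 'V1'; }` before the `getenv()` call makes the fallback explicit.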
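--- a/application/Extension/Repository.php
+++ b/application/Extension/Repository.php
@@ -328,6 +328,28 @@ class AAM_Extension_Repository {
 
  return $status;
  }
+
+ /**
+ * Get plugin version
+ *
+ * @return string
+ *
+ * @access public
+ */
+ public static function version($id) {
+ if (file_exists(ABSPATH . 'wp-admin/includes/plugin.php')) {
+ require_once ABSPATH . 'wp-admin/includes/plugin.php';
+ }
+
+ $path = realpath(WP_PLUGIN_DIR . '/' . $id);
+
+ if (function_exists('get_plugin_data') && file_exists($path)) {
+ $data = get_plugin_data($path);
+ $version = (isset($data['Version']) ? $data['Version'] : null);
+ }
+
+ return (!empty($version) ? $version : null);
+ }
 
  /**
  *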
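Review bot: `version($id)` resolves `WP_PLUGIN_DIR . '/' . $id` with `realpath()` but never confines the result to the plugin directory, and the caller added in this release (`checkForUpdates()` in application/Shared/Manager.php) passes `$item['plugin']` straight from the remote registry response. Because `realpath()` normalizes `..` segments, a value containing them would make `get_plugin_data()` parse the header of a file outside `WP_PLUGIN_DIR`; the parsed version is only compared, not output, so the impact looks limited, but the function should still reject such paths. After the `realpath()` call add `$base = realpath(WP_PLUGIN_DIR);` and `if ($path === false || $base === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) { return null; }`. The docblock should also gain `@param string $id Plugin main file, relative to WP_PLUGIN_DIR` and change `@return string` to `@return string|null`, since line 351 returns null when no version is found.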
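--- a/application/Shared/Manager.php
+++ b/application/Shared/Manager.php
@@ -38,7 +38,92 @@ class AAM_Shared_Manager {
  *
  * @return void
  */
- protected function __construct() {}
+ protected function __construct() {
+ // Plugin updates check
+ add_filter('http_response', array($this, 'checkForUpdates'), 10, 3);
+
+ // Plugin release details
+ add_filter('self_admin_url', array($this, 'pluginUpdateDetails'), 10, 3);
+ }
+
+ /**
+ * Undocumented function
+ *
+ * @param [type] $response
+ * @param [type] $r
+ * @param [type] $url
+ * @return void
+ */
+ public function checkForUpdates($response, $r, $url) {
+ static $execute = true;
+
+ if (strpos($url, 'api.wordpress.org/plugins/update-check') !== false && $execute) {
+ $execute = false;
+ $list = array();
+
+ foreach(AAM_Core_API::getOption('aam-extensions', array()) as $id => $data) {
+ if (!empty($data['license'])) {
+ $list[$id] = $data['license'];
+ }
+ }
+
+ $raw = wp_remote_post(
+ AAM_Core_Server::getEndpoint('V2') . '/registry',
+ array(
+ 'headers' => array(
+ 'Accept' => 'application/json',
+ 'Content-Type' => 'application/json'
+ ),
+ 'body' => wp_json_encode($list)
+ )
+ );
+
+ if (!is_wp_error($raw) && (intval(wp_remote_retrieve_response_code($raw)) === 200)) {
+ $original = json_decode($response['body'], true);
+ $repo = json_decode(wp_remote_retrieve_body($raw), true);
+
+ foreach ($repo['products'] as $item) {
+ $c = AAM_Extension_Repository::version($item['plugin']);
+
+ if (!empty($c) && (version_compare($c, $item['new_version']) === -1)) {
+ $original['plugins'][$item['plugin']] = $item;
+ }
+ }
+ $response['body'] = json_encode($original);
+ }
+ }
+
+ return $response;
+ }
+
+ /**
+ * Undocumented function
+ *
+ * @param [type] $url
+ * @param [type] $path
+ * @param [type] $scheme
+ * @return void
+ */
+ public function pluginUpdateDetails($url, $path, $scheme) {
+ if (strpos($url, 'plugin-install.php?') !== false) {
+ $args = parse_url($url);
+ $query = array();
+
+ parse_str($args['query'], $query);
+
+ $plugin = !empty($query['plugin']) ? $query['plugin'] : null;
+
+ if (in_array($plugin, array('aam-plus-package', 'aam-role-hierarchy', 'aam-complete-package', 'aam-ip-check'))) {
+ $url = add_query_arg(array(
+ 'TB_iframe' => true,
+ 'width' => (isset($query['width']) ? $query['width'] : 640),
+ 'height' => (isset($query['height']) ? $query['height'] : 662),
+ ), 'https://aamplugin.com/addon/' . $plugin . '/changelog');
+ }
+ }
+
+ return $url;
+ }
 
  /**
  * Initialize core hooks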
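Review bot: `checkForUpdates()` copies each `$item` from the registry response verbatim into `$original['plugins']` (line 89), the array WordPress core reads to decide which packages to download and install, so the body returned by `getEndpoint('V2') . '/registry'` is trusted exactly as much as api.wordpress.org — yet the code never checks that `$repo['products']` exists and is an array, nor that `$item['plugin']` and `$item['new_version']` are present, so a malformed 200 response produces PHP warnings on lines 85–88 and corrupts `$response['body']`. Validate the shape first: `$products = (isset($repo['products']) && is_array($repo['products'])) ? $repo['products'] : array();` before the loop, and `if (empty($item['plugin']) || empty($item['new_version'])) { continue; }` as its first statement. Since a spoofed or compromised registry could otherwise inject an update entry for any installed plugin whose version is behind the value it reports, consider also restricting `$item['plugin']` to the AAM add-ons this plugin distributes (the slug list hard-coded in `pluginUpdateDetails()` is the natural source) and confirming that `SERVER_V2_URL`, not visible here, is an HTTPS URL. Smaller points: the `in_array()` on line 116 should pass `true` as its third argument, and both new docblocks still read "Undocumented function" with `[type]` placeholders and `@return void` for methods that return `$response` and `$url`.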
license.txt DELETED
@@ -1,14 +0,0 @@
1
- Copyright (C) Vasyl Martyniuk <vasyl@vasyltech.com>
2
-
3
- This program is free software: you can redistribute it and/or modify
4
- it under the terms of the GNU General Public License as published by
5
- the Free Software Foundation, either version 3 of the License, or
6
- (at your option) any later version.
7
-
8
- This program is distributed in the hope that it will be useful,
9
- but WITHOUT ANY WARRANTY; without even the implied warranty of
10
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11
- GNU General Public License for more details.
12
-
13
- You should have received a copy of the GNU General Public License
14
- along with this program. If not, see <https://www.gnu.org/licenses/>.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
readme.txt CHANGED
@@ -2,8 +2,8 @@
2
  Contributors: vasyltech
3
  Tags: access control, membership, backend menu, user role, restricted content, security, jwt
4
  Requires at least: 4.0
5
- Tested up to: 5.2.2
6
- Stable tag: 5.9.8.1
7
 
8
  All you need to manage access to you WordPress websites on frontend, backend and API levels for any role, user or visitors.
9
 
@@ -80,6 +80,10 @@ https://www.youtube.com/watch?v=mj5Xa_Wc16Y
80
 
81
  == Changelog ==
82
 
 
 
 
 
83
  = 5.9.8.1 =
84
  * Making sure that all setcookie as flagged as HTTPOnly
85
 
2
  Contributors: vasyltech
3
  Tags: access control, membership, backend menu, user role, restricted content, security, jwt
4
  Requires at least: 4.0
5
+ Tested up to: 5.2.3
6
+ Stable tag: 5.9.9
7
 
8
  All you need to manage access to you WordPress websites on frontend, backend and API levels for any role, user or visitors.
9
 
80
 
81
  == Changelog ==
82
 
83
+ = 5.9.9 =
84
+ * Fixed security vulnerability reported by "Props to Ov3rfly"
85
+ * Added the functionality that checks correctly for the AAM premium plugins updates
86
+
87
  = 5.9.8.1 =
88
  * Making sure that all setcookie as flagged as HTTPOnly
89