ARI Adminer – WordPress Database Manager - Version 1.1.14

Version Description

  • Fix security issue

Code changes from version 1.1.13 to 1.1.14

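--- a/ari-adminer.php
+++ b/ari-adminer.php
@@ -3,7 +3,7 @@
 Plugin Name: ARI Adminer
 Plugin URI: http://wp-quiz.ari-soft.com/plugins/wordpress-adminer.html
 Description: Powerful, compact and easy to use database manager plugin for WordPress.
-Version: 1.1.13
+Version: 1.1.14
 Author: ARI Soft
 Author URI: http://www.ari-soft.com
 Text Domain: ari-adminer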
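--- a/includes/controllers/adminer-runner/class-ajax-test.php
+++ b/includes/controllers/adminer-runner/class-ajax-test.php
@@ -8,7 +8,12 @@ use Ari\Utils\Request as Request;
 
 class Ajax_Test extends Ajax_Controller {
 protected function process_request() {
-if ( $this->options->nopriv || ! Helper::has_access_to_adminer() || ! Request::exists( 'connection' ) )
+if (
+$this->options->nopriv ||
+! Helper::is_valid_nonce() ||
+! Helper::has_access_to_adminer() ||
+! Request::exists( 'connection' )
+)
 return false;
 
 $connection_data = stripslashes_deep( Request::get_var( 'connection' ) );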
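--- a/includes/controllers/adminer-runner/class-run.php
+++ b/includes/controllers/adminer-runner/class-run.php
@@ -13,7 +13,10 @@ use Ari_Adminer\Helpers\Bridge as WP_Adminer_Bridge;
 
 class Run extends Controller {
 public function execute() {
-if ( ! Helper::has_access_to_adminer() ) {
+if (
+! Helper::is_valid_nonce() ||
+! Helper::has_access_to_adminer()
+) {
 $this->redirect_to_dashboard( __( 'You do not have permissions to run Adminer', 'ari-adminer' ) );
 }
 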
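Review bot: When the new guard fails, `execute()` calls `$this->redirect_to_dashboard(...)` and then falls out of the `if` with no `return`, so whether Adminer still launches on a forged or nonce-less request depends entirely on `redirect_to_dashboard()` terminating the script, which is not visible in this diff. If that helper only issues `wp_redirect()` and returns, the remainder of `execute()` runs for the unauthorised request before the browser follows the redirect. Make the denial self-contained with `return;` as the last statement inside the block (or `exit;` straight after the redirect call) so the check does not rely on the helper's behaviour. The rest of `execute()` lies outside the hunk.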
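--- a/includes/controllers/connections/class-ajax-save.php
+++ b/includes/controllers/connections/class-ajax-save.php
@@ -7,10 +7,18 @@ use Ari\Utils\Request as Request;
 
 class Ajax_Save extends Ajax_Controller {
 protected function process_request() {
-if ( $this->options->nopriv || ! Helper::has_access_to_adminer() || ! Request::exists( 'connection' ) )
+if (
+$this->options->nopriv ||
+! Helper::is_valid_nonce() ||
+! Helper::has_access_to_adminer() ||
+! Request::exists( 'connection' )
+)
 return false;
 
 $connection_data = stripslashes_deep( Request::get_var( 'connection' ) );
+if ( isset( $connection_data['title'] ) ) {
+$connection_data['title'] = wp_strip_all_tags( $connection_data['title'] );
+}
 $connection_model = $this->model( 'Connection' );
 
 $entity = $connection_model->save( $connection_data );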
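Review bot: `wp_strip_all_tags()` on `$connection_data['title']` filters a single field on input, while every other key of `$connection_data` (host, database, user, password and whatever else `save()` accepts) reaches the model unchanged, and stripping tags does not make a string safe in an attribute or JavaScript context. The durable fix is escaping at each output sink with `esc_html()`/`esc_attr()` wherever a connection is rendered, with input filtering kept as defence in depth; for the title, `$connection_data['title'] = sanitize_text_field( wp_strip_all_tags( $connection_data['title'] ) );` also drops control characters and stray whitespace. Stripping can leave an empty title, so if the model does not validate that, this handler should reject an empty result before calling `save()`. `process_request()` continues past the hunk.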
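--- a/includes/controllers/connections/class-ajax-test.php
+++ b/includes/controllers/connections/class-ajax-test.php
@@ -8,7 +8,12 @@ use Ari\Utils\Request as Request;
 
 class Ajax_Test extends Ajax_Controller {
 protected function process_request() {
-if ( $this->options->nopriv || ! Helper::has_access_to_adminer() || ! Request::exists( 'connection' ) )
+if (
+$this->options->nopriv ||
+! Helper::is_valid_nonce() ||
+! Helper::has_access_to_adminer() ||
+! Request::exists( 'connection' )
+)
 return false;
 
 $connection_data = stripslashes_deep( Request::get_var( 'connection' ) );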
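Review bot: The six-line guard added here is identical to the one added to the adminer-runner `Ajax_Test` and to `Ajax_Save`, differing only in the request key, and hand-copying the same check into each `process_request()` is exactly how the original version ended up with no nonce check at all. A protected helper on `Ajax_Controller`, e.g. `protected function is_authorised( $required_key ) { return ! $this->options->nopriv && Helper::is_valid_nonce() && Helper::has_access_to_adminer() && Request::exists( $required_key ); }`, lets every handler open with `if ( ! $this->is_authorised( 'connection' ) ) return false;` and gives the next controller the nonce check by default. `Ajax_Controller` is not part of this diff, so whether a suitable hook already exists there cannot be confirmed.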
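--- a/includes/controllers/connections/class-bulk-delete.php
+++ b/includes/controllers/connections/class-bulk-delete.php
@@ -11,7 +11,11 @@ class Bulk_Delete extends Controller {
 $result = false;
 $model = $this->model();
 
-if ( Request::exists( 'connection_id' ) && Helper::has_access_to_adminer() ) {
+if (
+Request::exists( 'connection_id' ) &&
+Helper::is_valid_nonce() &&
+Helper::has_access_to_adminer()
+) {
 $connection_id = Request::get_var( 'connection_id', array() );
 if ( $connection_id > 0 ) {
 if ( is_array( $connection_id ) && count( $connection_id ) > 0 ) {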
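Review bot: The guard now carries the nonce, but the branch it protects still takes `connection_id` from the request as either a scalar or an array with no normalisation: `$connection_id > 0` is true for any non-empty array under PHP's array-versus-int comparison, and the array elements are never cast before `count()`, so whatever the client sent is what reaches the model. Normalise before use, e.g. `$connection_id = array_filter( array_map( 'intval', (array) Request::get_var( 'connection_id', array() ) ) );` and test `count( $connection_id ) > 0`, so the model only ever sees positive integers; whether `delete()` casts again on its side is not visible here. The remainder of the method is outside the hunk.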
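--- a/includes/controllers/connections/class-delete.php
+++ b/includes/controllers/connections/class-delete.php
@@ -11,7 +11,11 @@ class Delete extends Controller {
 $result = false;
 $model = $this->model();
 
-if ( Request::exists( 'action_connection_id' ) && Helper::has_access_to_adminer() ) {
+if (
+Request::exists( 'action_connection_id' ) &&
+Helper::is_valid_nonce() &&
+Helper::has_access_to_adminer()
+) {
 $connection_id = (int)Request::get_var( 'action_connection_id', 0, 'num' );
 if ( $connection_id > 0 ) {
 $result = $model->delete( $connection_id );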
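--- a/includes/controllers/connections/class-reset-default.php
+++ b/includes/controllers/connections/class-reset-default.php
@@ -16,7 +16,10 @@ class Reset_Default extends Controller {
 );
 
 $result = false;
-if ( Helper::has_access_to_adminer() ) {
+if (
+Helper::is_valid_nonce() &&
+Helper::has_access_to_adminer()
+) {
 $result = Helper::set_default_connection( 0 );
 }
 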
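--- a/includes/controllers/connections/class-set-default.php
+++ b/includes/controllers/connections/class-set-default.php
@@ -11,7 +11,11 @@ class Set_Default extends Controller {
 $result = false;
 $model = $this->model();
 
-if ( Request::exists( 'action_connection_id' ) && Helper::has_access_to_adminer() ) {
+if (
+Request::exists( 'action_connection_id' ) &&
+Helper::is_valid_nonce() &&
+Helper::has_access_to_adminer()
+) {
 $connection_id = (int) Request::get_var( 'action_connection_id', 0, 'num' );
 if ( $connection_id > 0 ) {
 $result = Helper::set_default_connection( $connection_id );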
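--- a/includes/defines.php
+++ b/includes/defines.php
@@ -1,5 +1,5 @@
 <?php
-define( 'ARIADMINER_VERSION', '1.1.13' );
+define( 'ARIADMINER_VERSION', '1.1.14' );
 define( 'ARIADMINER_SLUG', 'ari-adminer' );
 define( 'ARIADMINER_ASSETS_URL', ARIADMINER_URL . 'assets/' );
 define( 'ARIADMINER_VERSION_OPTION', 'ari_adminer' );
@@ -18,3 +18,5 @@ define( 'ARIADMINER_MESSAGETYPE_SUCCESS', 'success' );
 define( 'ARIADMINER_MESSAGETYPE_NOTICE', 'notice' );
 define( 'ARIADMINER_MESSAGETYPE_ERROR', 'error' );
 define( 'ARIADMINER_MESSAGETYPE_WARNING', 'warning' );
+
+define( 'ARIADMINER_NONCE', 'ariadminer' );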
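--- a/includes/helpers/class-helper.php
+++ b/includes/helpers/class-helper.php
@@ -3,6 +3,7 @@ namespace Ari_Adminer\Helpers;
 
 use Ari_Adminer\Utils\Db_Driver as DB_Driver;
 use Ari_Adminer\Models\Connections as Connections_Model;
+use Ari\Utils\Request as Request;
 
 class Helper {
 private static $system_args = array(
@@ -187,4 +188,8 @@ class Helper {
 
 return $connection_id;
 }
+
+public static function is_valid_nonce() {
+return wp_verify_nonce( Request::get_var( '_wpnonce' ), ARIADMINER_NONCE );
+}
 }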
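Review bot: `is_valid_nonce()` verifies every plugin action against the one action name `ARIADMINER_NONCE`, so a nonce exposed for a single purpose — the `ajaxUrl` on the runner page, which only needs the connection test — also authorises save, delete, bulk delete and set/reset default for that user for the nonce's lifetime. Bind the token to the operation: `public static function is_valid_nonce( $action = '' ) { return (bool) wp_verify_nonce( (string) Request::get_var( '_wpnonce', '' ), ARIADMINER_NONCE . $action ); }` with the matching `wp_create_nonce( ARIADMINER_NONCE . $action )` at each emit site; the default keeps existing callers working. The `(bool)` cast and explicit `''` default give callers a plain true/false rather than `wp_verify_nonce()`'s `1|2|false`, independent of what `Request::get_var()` returns when `_wpnonce` is absent, which this diff does not show. A docblock should state that this is a CSRF check only and never substitutes for `has_access_to_adminer()`, which every caller must keep; for the admin-ajax handlers, `check_ajax_referer( ARIADMINER_NONCE, '_wpnonce', false )` is the conventional equivalent.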
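--- a/includes/views/adminer-runner/class-html.php
+++ b/includes/views/adminer-runner/class-html.php
@@ -19,7 +19,7 @@ class Html extends Base {
 $app_options = array(
 'actionEl' => '#ctrl_action',
 
-'ajaxUrl' => admin_url( 'admin-ajax.php?action=ari_adminer' ),
+'ajaxUrl' => admin_url( 'admin-ajax.php?action=ari_adminer&_wpnonce=' . wp_create_nonce( ARIADMINER_NONCE ) ),
 
 'messages' => array(
 'connectionOk' => __( 'Connection parameters are valid.', 'ari-adminer' ),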
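--- a/includes/views/adminer-runner/tmpl/default.php
+++ b/includes/views/adminer-runner/tmpl/default.php
@@ -10,6 +10,8 @@ $run_url = Helper::build_url(
 'action' => 'run',
 
 'noheader' => '1',
+
+'_wpnonce' => wp_create_nonce( ARIADMINER_NONCE ),
 )
 );
 ?>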
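Review bot: `'_wpnonce' => wp_create_nonce( ARIADMINER_NONCE )` places the nonce in the query string of `$run_url`, so the page that launches Adminer carries a token valid for every plugin action in its URL; if that page, or the Adminer screen it opens, loads any resource from another origin, the token travels in the `Referer` header and also lands in proxy and server logs. Submitting the run action as a POST form with `wp_nonce_field( ARIADMINER_NONCE )`, as the connections template does, or at minimum emitting `Referrer-Policy: same-origin` on the runner response, keeps it off the wire. Where `$run_url` is consumed is outside the hunk, so how far the URL propagates cannot be judged from here.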
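--- a/includes/views/connections/class-html.php
+++ b/includes/views/connections/class-html.php
@@ -25,7 +25,7 @@ class Html extends Base {
 $app_options = array(
 'actionEl' => '#ctrl_action',
 
-'ajaxUrl' => admin_url( 'admin-ajax.php?action=ari_adminer' ),
+'ajaxUrl' => admin_url( 'admin-ajax.php?action=ari_adminer&_wpnonce=' . wp_create_nonce( ARIADMINER_NONCE ) ),
 
 'messages' => array(
 'deleteConfirm' => __( 'Do you want to delete the selected item?', 'ari-adminer' ),
@@ -122,7 +122,7 @@ class Html extends Base {
 
 $html .= sprintf(
 '<a class="row-title connection-edit" href="#" data-id="%2$d">%1$s</a>',
-esc_html( $val ),
+esc_html( $val ),
 $data->connection_id
 );
 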
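Review bot: `esc_html( $val )` fixes the title link text, but the same row loop almost certainly renders other stored connection columns, and none of those lines is in the hunk, so whether they receive the same `esc_html()`/`esc_attr()` treatment cannot be confirmed; each sink that prints connection data should escape for its own context, with `%2$d` already safe for `connection_id`. The `ajaxUrl` change also embeds a nonce that now gates delete and set-default into `$app_options`; how that array is serialised into the page is outside the hunk, and if it is not already going through `wp_localize_script()` or `wp_json_encode()`, it should, so neither the nonce nor the translatable message strings can break out of the script context. The method containing line 125 starts and ends outside the hunk.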
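--- a/includes/views/connections/tmpl/default.php
+++ b/includes/views/connections/tmpl/default.php
@@ -36,6 +36,7 @@ $tmpl_path = dirname( __FILE__ ) . '/';
 <input type="hidden" id="ctrl_sub_action" name="sub_action" value="" />
 <input type="hidden" id="hidConnectionId" name="action_connection_id" value="" />
 <input type="hidden" name="filter" value="<?php echo esc_attr( $data['filter_encoded'] ); ?>" />
+<?php wp_nonce_field( ARIADMINER_NONCE ); ?>
 </div>
 </form>
 <div id="newConnectionForm" class="connection-form-container mfp-hide">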
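--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://wp-quiz.ari-soft.com/plugins/wordpress-adminer.html
 Tags: adminer, sql, database, mysql, report, sqlite, table, postgresql, dump, backup, import, export, phpmyadmin
 Requires at least: 3.4
 Tested up to: 5.1.1
-Stable tag: 1.1.13
+Stable tag: 1.1.14
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -74,6 +74,9 @@ Sure, it is available [here](http://www.ari-soft.com/docs/wordpress/ari-adminer/
 
 == Changelog ==
 
+= 1.1.14 =
+* Fix security issue
+
 = 1.1.13 =
 * Update Adminer to v. .4.7.1
 
@@ -148,6 +151,9 @@ Sure, it is available [here](http://www.ari-soft.com/docs/wordpress/ari-adminer/
 
 == Upgrade Notice ==
 
+= 1.1.14 =
+* Fix security issue
+
 = 1.1.13 =
 * Update Adminer to v. .4.7.1
 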