ARI Adminer – WordPress Database Manager - Version 1.1.14

Version Description

  • Fix security issue


Developer arisoft
Version 1.1.14

Code changes from version 1.1.13 to 1.1.14

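--- a/ari-adminer.php
+++ b/ari-adminer.php
@@ -3,7 +3,7 @@
 Plugin Name: ARI Adminer
 Plugin URI: http://wp-quiz.ari-soft.com/plugins/wordpress-adminer.html
 Description: Powerful, compact and easy to use database manager plugin for WordPress.
-Version: 1.1.13
+Version: 1.1.14
 Author: ARI Soft
 Author URI: http://www.ari-soft.com
 Text Domain: ari-adminer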
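--- a/includes/controllers/adminer-runner/class-ajax-test.php
+++ b/includes/controllers/adminer-runner/class-ajax-test.php
@@ -8,7 +8,12 @@ use Ari\Utils\Request as Request;
 
 class Ajax_Test extends Ajax_Controller {
 protected function process_request() {
-if ( $this->options->nopriv || ! Helper::has_access_to_adminer() || ! Request::exists( 'connection' ) )
+if (
+$this->options->nopriv ||
+! Helper::is_valid_nonce() ||
+! Helper::has_access_to_adminer() ||
+! Request::exists( 'connection' )
+)
 return false;
 
 $connection_data = stripslashes_deep( Request::get_var( 'connection' ) );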
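Review bot: The new guard `$this->options->nopriv || ! Helper::is_valid_nonce() || ! Helper::has_access_to_adminer() || ! Request::exists( 'connection' )` is repeated verbatim in `includes/controllers/connections/class-ajax-test.php` and `includes/controllers/connections/class-ajax-save.php`, so every future AJAX endpoint has to remember to copy the nonce check as well. If `Ajax_Controller` (its definition is outside this diff) invokes `process_request()` from a common entry point, hoisting the nonce and capability checks there and leaving only the `Request::exists( 'connection' )` test in each subclass would make the check the default rather than opt-in. The method body continues past the end of this hunk.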
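--- a/includes/controllers/adminer-runner/class-run.php
+++ b/includes/controllers/adminer-runner/class-run.php
@@ -13,7 +13,10 @@ use Ari_Adminer\Helpers\Bridge as WP_Adminer_Bridge;
 
 class Run extends Controller {
 public function execute() {
-if ( ! Helper::has_access_to_adminer() ) {
+if (
+! Helper::is_valid_nonce() ||
+! Helper::has_access_to_adminer()
+) {
 $this->redirect_to_dashboard( __( 'You do not have permissions to run Adminer', 'ari-adminer' ) );
 }
 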
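Review bot: A failed nonce check now ends in the same `__( 'You do not have permissions to run Adminer', 'ari-adminer' )` redirect as a failed capability check, which is misleading for an administrator whose run link (it now carries `_wpnonce` in the URL, see `includes/views/adminer-runner/tmpl/default.php`) has simply expired — WordPress nonces are valid for at most 24 hours, so a bookmarked link will land here. I would test the nonce first and report it on its own, e.g. `if ( ! Helper::is_valid_nonce() ) { $this->redirect_to_dashboard( __( 'The link you followed has expired. Please open Adminer again from the plugin page.', 'ari-adminer' ) ); }`, keeping the existing message for the capability branch. `execute()` continues beyond this hunk.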
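--- a/includes/controllers/connections/class-ajax-save.php
+++ b/includes/controllers/connections/class-ajax-save.php
@@ -7,10 +7,18 @@ use Ari\Utils\Request as Request;
 
 class Ajax_Save extends Ajax_Controller {
 protected function process_request() {
-if ( $this->options->nopriv || ! Helper::has_access_to_adminer() || ! Request::exists( 'connection' ) )
+if (
+$this->options->nopriv ||
+! Helper::is_valid_nonce() ||
+! Helper::has_access_to_adminer() ||
+! Request::exists( 'connection' )
+)
 return false;
 
 $connection_data = stripslashes_deep( Request::get_var( 'connection' ) );
+if ( isset( $connection_data['title'] ) ) {
+$connection_data['title'] = wp_strip_all_tags( $connection_data['title'] );
+}
 $connection_model = $this->model( 'Connection' );
 
 $entity = $connection_model->save( $connection_data );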
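Review bot: `wp_strip_all_tags()` on `$connection_data['title']` removes markup but is a blunt tool for a single-line field: it is lossy for legitimate titles containing `<`, and it only accepts a string, so a request in which `connection[title]` arrives as an array passes the `isset()` test and reaches it unchecked. `sanitize_text_field()` is the WordPress convention for this kind of input and also drops control characters and surrounding whitespace: `if ( isset( $connection_data['title'] ) && is_string( $connection_data['title'] ) ) {` / `$connection_data['title'] = sanitize_text_field( $connection_data['title'] );`. The remaining fields of `$connection_data` go to `$connection_model->save()` unchanged; whether the model validates them is not visible from this hunk, and the output-side `esc_html()` added in `includes/views/connections/class-html.php` covers only the title cell. `process_request()` continues beyond the hunk.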
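--- a/includes/controllers/connections/class-ajax-test.php
+++ b/includes/controllers/connections/class-ajax-test.php
@@ -8,7 +8,12 @@ use Ari\Utils\Request as Request;
 
 class Ajax_Test extends Ajax_Controller {
 protected function process_request() {
-if ( $this->options->nopriv || ! Helper::has_access_to_adminer() || ! Request::exists( 'connection' ) )
+if (
+$this->options->nopriv ||
+! Helper::is_valid_nonce() ||
+! Helper::has_access_to_adminer() ||
+! Request::exists( 'connection' )
+)
 return false;
 
 $connection_data = stripslashes_deep( Request::get_var( 'connection' ) );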
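--- a/includes/controllers/connections/class-bulk-delete.php
+++ b/includes/controllers/connections/class-bulk-delete.php
@@ -11,7 +11,11 @@ class Bulk_Delete extends Controller {
 $result = false;
 $model = $this->model();
 
-if ( Request::exists( 'connection_id' ) && Helper::has_access_to_adminer() ) {
+if (
+Request::exists( 'connection_id' ) &&
+Helper::is_valid_nonce() &&
+Helper::has_access_to_adminer()
+) {
 $connection_id = Request::get_var( 'connection_id', array() );
 if ( $connection_id > 0 ) {
 if ( is_array( $connection_id ) && count( $connection_id ) > 0 ) {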
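--- a/includes/controllers/connections/class-delete.php
+++ b/includes/controllers/connections/class-delete.php
@@ -11,7 +11,11 @@ class Delete extends Controller {
 $result = false;
 $model = $this->model();
 
-if ( Request::exists( 'action_connection_id' ) && Helper::has_access_to_adminer() ) {
+if (
+Request::exists( 'action_connection_id' ) &&
+Helper::is_valid_nonce() &&
+Helper::has_access_to_adminer()
+) {
 $connection_id = (int)Request::get_var( 'action_connection_id', 0, 'num' );
 if ( $connection_id > 0 ) {
 $result = $model->delete( $connection_id );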
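--- a/includes/controllers/connections/class-reset-default.php
+++ b/includes/controllers/connections/class-reset-default.php
@@ -16,7 +16,10 @@ class Reset_Default extends Controller {
 );
 
 $result = false;
-if ( Helper::has_access_to_adminer() ) {
+if (
+Helper::is_valid_nonce() &&
+Helper::has_access_to_adminer()
+) {
 $result = Helper::set_default_connection( 0 );
 }
 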
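--- a/includes/controllers/connections/class-set-default.php
+++ b/includes/controllers/connections/class-set-default.php
@@ -11,7 +11,11 @@ class Set_Default extends Controller {
 $result = false;
 $model = $this->model();
 
-if ( Request::exists( 'action_connection_id' ) && Helper::has_access_to_adminer() ) {
+if (
+Request::exists( 'action_connection_id' ) &&
+Helper::is_valid_nonce() &&
+Helper::has_access_to_adminer()
+) {
 $connection_id = (int) Request::get_var( 'action_connection_id', 0, 'num' );
 if ( $connection_id > 0 ) {
 $result = Helper::set_default_connection( $connection_id );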
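--- a/includes/defines.php
+++ b/includes/defines.php
@@ -1,5 +1,5 @@
 <?php
-define( 'ARIADMINER_VERSION', '1.1.13' );
+define( 'ARIADMINER_VERSION', '1.1.14' );
 define( 'ARIADMINER_SLUG', 'ari-adminer' );
 define( 'ARIADMINER_ASSETS_URL', ARIADMINER_URL . 'assets/' );
 define( 'ARIADMINER_VERSION_OPTION', 'ari_adminer' );
@@ -18,3 +18,5 @@ define( 'ARIADMINER_MESSAGETYPE_SUCCESS', 'success' );
 define( 'ARIADMINER_MESSAGETYPE_NOTICE', 'notice' );
 define( 'ARIADMINER_MESSAGETYPE_ERROR', 'error' );
 define( 'ARIADMINER_MESSAGETYPE_WARNING', 'warning' );
+
+define( 'ARIADMINER_NONCE', 'ariadminer' );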
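--- a/includes/helpers/class-helper.php
+++ b/includes/helpers/class-helper.php
@@ -3,6 +3,7 @@ namespace Ari_Adminer\Helpers;
 
 use Ari_Adminer\Utils\Db_Driver as DB_Driver;
 use Ari_Adminer\Models\Connections as Connections_Model;
+use Ari\Utils\Request as Request;
 
 class Helper {
 private static $system_args = array(
@@ -187,4 +188,8 @@ class Helper {
 
 return $connection_id;
 }
+
+public static function is_valid_nonce() {
+return wp_verify_nonce( Request::get_var( '_wpnonce' ), ARIADMINER_NONCE );
+}
 }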
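Review bot: `is_valid_nonce()` has no docblock and verifies against the single action `ARIADMINER_NONCE`, so one token minted for the connections page (`includes/views/connections/class-html.php`, `tmpl/default.php`) is accepted by every gated controller — `class-run.php`, both `class-ajax-test.php` files, `class-ajax-save.php`, `class-delete.php`, `class-bulk-delete.php`, `class-set-default.php` and `class-reset-default.php`. Scoping the action per operation and, for the delete/set-default controllers, per connection id (core's `delete-post_{$post_id}` pattern) through an optional `$action` parameter on this helper would confine a reused token to the one operation it was issued for. Above the method I would add `/** Verifies the request's _wpnonce against ARIADMINER_NONCE; returns 1, 2 or false exactly as wp_verify_nonce() does. A valid nonce only ties the request to the current logged-in user's session; it is not authorization, so callers must still check has_access_to_adminer(). */`.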
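--- a/includes/views/adminer-runner/class-html.php
+++ b/includes/views/adminer-runner/class-html.php
@@ -19,7 +19,7 @@ class Html extends Base {
 $app_options = array(
 'actionEl' => '#ctrl_action',
 
-'ajaxUrl' => admin_url( 'admin-ajax.php?action=ari_adminer' ),
+'ajaxUrl' => admin_url( 'admin-ajax.php?action=ari_adminer&_wpnonce=' . wp_create_nonce( ARIADMINER_NONCE ) ),
 
 'messages' => array(
 'connectionOk' => __( 'Connection parameters are valid.', 'ari-adminer' ),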
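Review bot: `'ajaxUrl'` is assembled by string concatenation, `'admin-ajax.php?action=ari_adminer&_wpnonce=' . wp_create_nonce( ARIADMINER_NONCE )`, and the identical expression appears in `includes/views/connections/class-html.php`. The core idiom is `add_query_arg( array( 'action' => 'ari_adminer', '_wpnonce' => wp_create_nonce( ARIADMINER_NONCE ) ), admin_url( 'admin-ajax.php' ) )`, which encodes the parameters for you, and putting it behind one helper (say `Helper::ajax_url()`) keeps the parameter name that `is_valid_nonce()` reads and the action value in a single place. How `$app_options` is emitted into the page is outside the hunk, so I cannot confirm it goes through `wp_json_encode()` or `wp_localize_script()`.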
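--- a/includes/views/adminer-runner/tmpl/default.php
+++ b/includes/views/adminer-runner/tmpl/default.php
@@ -10,6 +10,8 @@ $run_url = Helper::build_url(
 'action' => 'run',
 
 'noheader' => '1',
+
+'_wpnonce' => wp_create_nonce( ARIADMINER_NONCE ),
 )
 );
 ?>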
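--- a/includes/views/connections/class-html.php
+++ b/includes/views/connections/class-html.php
@@ -25,7 +25,7 @@ class Html extends Base {
 $app_options = array(
 'actionEl' => '#ctrl_action',
 
-'ajaxUrl' => admin_url( 'admin-ajax.php?action=ari_adminer' ),
+'ajaxUrl' => admin_url( 'admin-ajax.php?action=ari_adminer&_wpnonce=' . wp_create_nonce( ARIADMINER_NONCE ) ),
 
 'messages' => array(
 'deleteConfirm' => __( 'Do you want to delete the selected item?', 'ari-adminer' ),
@@ -122,7 +122,7 @@ class Html extends Base {
 
 $html .= sprintf(
 '<a class="row-title connection-edit" href="#" data-id="%2$d">%1$s</a>',
-$val,
+esc_html( $val ),
 $data->connection_id
 );
 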
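--- a/includes/views/connections/tmpl/default.php
+++ b/includes/views/connections/tmpl/default.php
@@ -36,6 +36,7 @@ $tmpl_path = dirname( __FILE__ ) . '/';
 <input type="hidden" id="ctrl_sub_action" name="sub_action" value="" />
 <input type="hidden" id="hidConnectionId" name="action_connection_id" value="" />
 <input type="hidden" name="filter" value="<?php echo esc_attr( $data['filter_encoded'] ); ?>" />
+<?php wp_nonce_field( ARIADMINER_NONCE ); ?>
 </div>
 </form>
 <div id="newConnectionForm" class="connection-form-container mfp-hide">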
readme.txt CHANGED
@@ -4,7 +4,7 @@ Donate link: http://wp-quiz.ari-soft.com/plugins/wordpress-adminer.html
4
  Tags: adminer, sql, database, mysql, report, sqlite, table, postgresql, dump, backup, import, export, phpmyadmin
5
  Requires at least: 3.4
6
  Tested up to: 5.1.1
7
- Stable tag: 1.1.13
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
@@ -74,6 +74,9 @@ Sure, it is available [here](http://www.ari-soft.com/docs/wordpress/ari-adminer/
74
 
75
  == Changelog ==
76
 
 
 
 
77
  = 1.1.13 =
78
  * Update Adminer to v. .4.7.1
79
 
@@ -148,6 +151,9 @@ Sure, it is available [here](http://www.ari-soft.com/docs/wordpress/ari-adminer/
148
 
149
  == Upgrade Notice ==
150
 
 
 
 
151
  = 1.1.13 =
152
  * Update Adminer to v. .4.7.1
153
 
4
  Tags: adminer, sql, database, mysql, report, sqlite, table, postgresql, dump, backup, import, export, phpmyadmin
5
  Requires at least: 3.4
6
  Tested up to: 5.1.1
7
+ Stable tag: 1.1.14
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
74
 
75
  == Changelog ==
76
 
77
+ = 1.1.14 =
78
+ * Fix security issue
79
+
80
  = 1.1.13 =
81
  * Update Adminer to v. .4.7.1
82
 
151
 
152
  == Upgrade Notice ==
153
 
154
+ = 1.1.14 =
155
+ * Fix security issue
156
+
157
  = 1.1.13 =
158
  * Update Adminer to v. .4.7.1
159