Facebook for WooCommerce - Version 1.9.14

Version Description

  • 2019-06-20 =
  • Revisit CSRF security issue
  • Remove rest controller which is not used

Release Info

Developer facebook4woocommerce
Version 1.9.14

Code changes from version 1.9.13 to 1.9.14

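--- a/assets/js/facebook-settings.js
+++ b/assets/js/facebook-settings.js
@@ -79,37 +79,23 @@ function get_ems_id_box() {
 * Ajax helper function.
 * Takes optional payload for POST and optional callback.
 */
-var ajax = (function() {
-var wpnonce = null;
-jQuery(function() {
-var wpnonceElem = document.querySelector('div#fbsetup input#_wpnonce');
-if (wpnonceElem) {
-wpnonce = wpnonceElem.getAttribute('value');
-wpnonceElem.parentNode.removeChild(wpnonceElem);
-}
-});
-return function _ajax(action, payload = null, callback = null, failcallback = null) {
-var data = {
+function ajax(action, payload = null, callback = null, failcallback = null) {
+var data = Object.assign( {}, {
 'action': action,
-'_wpnonce': wpnonce
-};
-if (payload) {
-for (var attrname in payload) { data[attrname] = payload[attrname]; }
-}
-
-// Since Wordpress 2.8 ajaxurl is always defined in admin header and
-// points to admin-ajax.php
-jQuery.post(ajaxurl, data, function(response) {
-if(callback) {
-callback(response);
-}
-}).fail(function(errorResponse){
-if(failcallback) {
-failcallback(errorResponse);
-}
-});
-};
-})();
+}, payload);
+
+// Since Wordpress 2.8 ajaxurl is always defined in admin header and
+// points to admin-ajax.php
+jQuery.post(ajaxurl, data, function(response) {
+if(callback) {
+callback(response);
+}
+}).fail(function(errorResponse){
+if(failcallback) {
+failcallback(errorResponse);
+}
+});
+}
 
 var settings = {'facebook_for_woocommerce' : 1};
 var pixel_settings = {'facebook_for_woocommerce' : 1};
@@ -208,7 +194,14 @@ function delete_all_settings(callback = null, failcallback = null) {
 window.fb_connected = false;
 
 console.log('Deleting all settings and removing all FBIDs!');
-return ajax('ajax_delete_fb_settings', null, callback, failcallback);
+return ajax(
+'ajax_delete_fb_settings',
+{
+"_ajax_nonce": wc_facebook_settings_jsx.nonce,
+},
+callback,
+failcallback
+);
 }
 
 // save_settings and save_settings_and_sync should only be called once
@@ -876,7 +869,15 @@ function onSetDisableSyncOnDevEnvironment() {
 'ajax_update_fb_option',
 {
 "option": "fb_disable_sync_on_dev_environment",
-"option_value": isChecked ? 1 : 0
+"option_value": isChecked ? 1 : 0,
+"_ajax_nonce": wc_facebook_settings_jsx.nonce,
+},
+null,
+function onSetDisableSyncOnDevEnvironmentFailCallback(error) {
+document.getElementsByClassName(
+'onSetDisableSyncOnDevEnvironment'
+)[0].checked = !isChecked;
+console.log('Failed to disable sync on dev environment');
 }
 );
 }
@@ -887,7 +888,13 @@ function syncShortDescription() {
 'ajax_update_fb_option',
 {
 "option": "fb_sync_short_description",
-"option_value": isChecked ? 1 : 0
+"option_value": isChecked ? 1 : 0,
+"_ajax_nonce": wc_facebook_settings_jsx.nonce,
+},
+null,
+function syncShortDescriptionFailCallback(error) {
+document.getElementsByClassName('syncShortDescription')[0].checked = ! isChecked;
+console.log('Failed to sync Short Description');
 }
 );
 }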
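Review bot: The new `ajax()` helper leaves it to every caller to put `_ajax_nonce` into its payload, and the three call sites in this section do so by hand; any other caller of `ajax()` in the file (not visible here) that still passes `null` as payload will now be rejected by the server-side `check_ajax_referer` added in the same release. Adding the nonce to the helper's base object covers every action in one place: `var data = Object.assign( {}, { 'action': action, '_ajax_nonce': wc_facebook_settings_jsx.nonce }, payload);`. Because `payload` is merged last, a payload key named `action` would also silently override the `action` argument, so callers should be documented as not passing that key. The two new fail callbacks index `document.getElementsByClassName(...)[0]` without checking the element exists, which would throw and skip the `console.log` if the checkbox is not rendered.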
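--- a/changelog.txt
+++ b/changelog.txt
@@ -1,4 +1,8 @@
 *** Facebook for WooCommerce Changelog ***
+2019-06-20 - Version 1.9.14
+* Revisit CSRF security issue
+* Remove rest controller which is not used
+
 2019-06-18 - Version 1.9.13
 * Fix security issue
 * Add more contributors to the plugin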
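--- a/facebook-commerce.php
+++ b/facebook-commerce.php
@@ -72,11 +72,6 @@ class WC_Facebookcommerce_Integration extends WC_Integration {
 * @return void
 */
 public function __construct() {
-if (!class_exists('WC_Facebookcommerce_REST_Controller')) {
-include_once( 'includes/fbcustomapi.php' );
-$this->customapi = new WC_Facebookcommerce_REST_Controller();
-}
-
 if (!class_exists('WC_Facebookcommerce_EventsTracker')) {
 include_once 'facebook-commerce-events-tracker.php';
 }
@@ -708,8 +703,16 @@ class WC_Facebookcommerce_Integration extends WC_Integration {
 };
 </script>
 <?php
-wp_enqueue_script('wc_facebook_jsx', plugins_url(
+$ajax_data = array(
+'nonce' => wp_create_nonce( 'wc_facebook_settings_jsx' ),
+);
+wp_enqueue_script('wc_facebook_settings_jsx', plugins_url(
 '/assets/js/facebook-settings.js?ts=' . time(), __FILE__));
+wp_localize_script(
+'wc_facebook_settings_jsx',
+'wc_facebook_settings_jsx',
+$ajax_data
+);
 wp_enqueue_style('wc_facebook_css', plugins_url(
 '/assets/css/facebook.css', __FILE__));
 }
@@ -1200,6 +1203,7 @@ class WC_Facebookcommerce_Integration extends WC_Integration {
 * Delete all settings via AJAX
 **/
 function ajax_delete_fb_settings() {
+check_ajax_referer( 'wc_facebook_settings_jsx' );
 if (!WC_Facebookcommerce_Utils::check_woo_ajax_permissions('delete settings', false)) {
 return;
 }
@@ -2109,7 +2113,6 @@ class WC_Facebookcommerce_Integration extends WC_Integration {
 <hr/>
 
 <div id="fbsetup">
-<form><?php wp_nonce_field('wp_ajax_ajax_update_fb_option'); ?></form>
 <div class="wrapper">
 <header>
 <div class="help-center">
@@ -2530,12 +2533,9 @@ class WC_Facebookcommerce_Integration extends WC_Integration {
 }
 
 function ajax_update_fb_option() {
-WC_Facebookcommerce_Utils::check_ajax_referer();
+check_ajax_referer( 'wc_facebook_settings_jsx' );
 WC_Facebookcommerce_Utils::check_woo_ajax_permissions('update fb options', true);
-$wpnonce = $_POST['_wpnonce'];
-if (isset($_POST) &&
-stripos($_POST['option'], 'fb_') === 0 &&
-wp_verify_nonce($wpnonce, 'wp_ajax_ajax_update_fb_option')) {
+if (isset($_POST) && stripos($_POST['option'], 'fb_') === 0) {
 update_option(sanitize_text_field($_POST['option']), sanitize_text_field($_POST['option_value']));
 }
 wp_die();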
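Review bot: In `ajax_update_fb_option` the rewritten guard `isset($_POST) && stripos($_POST['option'], 'fb_') === 0` keeps an `isset($_POST)` that is always true for a superglobal, so a request missing `option` or `option_value` still reaches `stripos` and `update_option` with undefined indexes. Checking the fields the handler actually reads is what the guard is for: `if (isset($_POST['option'], $_POST['option_value']) && stripos($_POST['option'], 'fb_') === 0) {`. The prefix test also lets a permitted user write any option whose name starts with `fb_`; the two callers visible in `assets/js/facebook-settings.js` only send `fb_disable_sync_on_dev_environment` and `fb_sync_short_description`, so an explicit allowlist of option names would be a tighter check than a prefix match. Whether `check_woo_ajax_permissions(..., true)` terminates the request on failure is defined outside this section, so the `if` is presumably the only remaining gate after it.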
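--- a/facebook-for-woocommerce.php
+++ b/facebook-for-woocommerce.php
@@ -10,7 +10,7 @@
 * Description: Grow your business on Facebook! Use this official plugin to help sell more of your products using Facebook. After completing the setup, you'll be ready to create ads that promote your products and you can also create a shop section on your Page where customers can browse your products on Facebook.
 * Author: Facebook
 * Author URI: https://www.facebook.com/
-* Version: 1.9.13
+* Version: 1.9.14
 * Woo: 2127297:0ea4fe4c2d7ca6338f8a322fb3e4e187
 * Text Domain: facebook-for-woocommerce
 * WC requires at least: 3.0.0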
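--- a/includes/fbcustomapi.php
+++ /dev/null
@@ -1,63 +0,0 @@
-<?php
-/**
-* Copyright (c) Facebook, Inc. and its affiliates. All Rights Reserved
-*
-* This source code is licensed under the license found in the
-* LICENSE file in the root directory of this source tree.
-*
-* @package FacebookCommerce
-*/
-
-if (! defined('ABSPATH')) {
-exit;
-}
-
-if (! class_exists('WC_Facebookcommerce_REST_Controller')) :
-
-/**
-* Custom API REST path class
-*
-*/
-class WC_Facebookcommerce_REST_Controller extends WP_REST_Controller {
-
-/**
-* Init and hook in the integration.
-*/
-public function __construct() {
-global $woocommerce;
-add_action('rest_api_init', array($this, 'register_routes'));
-
-
-// TODO: wp_woocommerce_api_keys
-// http://stackoverflow.com/questions/31327994/woocommerce-rest-client-api-
-// programmatically-get-consumer-key-and-secret
-
-}
-
-/**
-* Function to define custom routes
-*/
-public function register_routes() {
-register_rest_route('facebook/v1', '/version' ,
-array(
-'methods' => WP_REST_Server::READABLE,
-'callback' => array($this, 'fb_test_function'),
-));
-}
-
-public function fb_test_function(WP_REST_Request $request) {
-$parameters = $request->get_params();
-// Create the response object
-$res = new WP_REST_Response(WC_Facebookcommerce_Utils::PLUGIN_VERSION);
-
-// Add a custom status code
-$res->set_status(200);
-$res->jsonSerialize();
-
-return $res;
-}
-
-
-}
-
-endif;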
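--- a/includes/fbutils.php
+++ b/includes/fbutils.php
@@ -21,7 +21,7 @@ if (!class_exists('WC_Facebookcommerce_Utils')) :
 class WC_Facebookcommerce_Utils {
 
 const FB_RETAILER_ID_PREFIX = 'wc_post_id_';
-const PLUGIN_VERSION = '1.9.13'; // Change it in `facebook-for-*.php` also
+const PLUGIN_VERSION = '1.9.14'; // Change it in `facebook-for-*.php` also
 
 const FB_VARIANT_IMAGE = 'fb_image';
 const FB_VARIANT_SIZE = 'size';
@@ -480,20 +480,6 @@ if (!class_exists('WC_Facebookcommerce_Utils')) :
 get_option('fb_info_banner_last_best_tip', ''));
 return $cached_best_tip;
 }
-
-public static function check_ajax_referer() {
-$http_referer = null;
-if (!empty($_SERVER['HTTP_REFERER'])) {
-$http_referer = wp_unslash($_SERVER['HTTP_REFERER']);
-}
-$wp_site = get_site_url();
-$http_referer_url = parse_url($http_referer);
-$wp_site_url = parse_url($wp_site_url);
-if (!empty($http_referer_url) && !empty($wp_site_url) && $http_referer_url['host'] === $wp_site_url['host']) {
-return;
-}
-wp_die('FBE: bad requests!');
-}
 }
 
 endif;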
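--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: facebook, automattic, woothemes
 Tags: facebook, shop, catalog, advertise, pixel, product
 Requires at least: 4.4
 Tested up to: 4.9.8
-Stable tag: 1.9.13
+Stable tag: 1.9.14
 Requires PHP: 5.6
 MySQL: 5.6 or greater
 License: GPLv2 or later
@@ -38,8 +38,12 @@ When opening a bug on GitHub, please give us as many details as possible.
 * Current version of Facebook-for-WooCommerce, WooCommerce, Wordpress, PHP
 
 == Changelog ==
+= 1.9.14 - 2019-06-20 =
+* Revisit CSRF security issue
+* Remove rest controller which is not used
+
 = 1.9.13 - 2019-06-18 =
-* Fix security issues
+* Fix security issue
 * Add more contributors to the plugin
 
 = 1.9.12 - 2019-05-2 =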