Facebook for WooCommerce - Version 1.9.14

Version Description

  • 2019-06-20
  • Revisit CSRF security issue
  • Remove rest controller which is not used

Release Info

Developer facebook4woocommerce
Version 1.9.14

Code changes from version 1.9.13 to 1.9.14

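--- a/assets/js/facebook-settings.js
+++ b/assets/js/facebook-settings.js
@@ -79,37 +79,23 @@ function get_ems_id_box() {
 * Ajax helper function.
 * Takes optional payload for POST and optional callback.
 */
-var ajax = (function() {
-var wpnonce = null;
-jQuery(function() {
-var wpnonceElem = document.querySelector('div#fbsetup input#_wpnonce');
-if (wpnonceElem) {
-wpnonce = wpnonceElem.getAttribute('value');
-wpnonceElem.parentNode.removeChild(wpnonceElem);
-}
-});
-return function _ajax(action, payload = null, callback = null, failcallback = null) {
-var data = {
+function ajax(action, payload = null, callback = null, failcallback = null) {
+var data = Object.assign( {}, {
 'action': action,
-'_wpnonce': wpnonce
-};
-if (payload) {
-for (var attrname in payload) { data[attrname] = payload[attrname]; }
-}
-
-// Since Wordpress 2.8 ajaxurl is always defined in admin header and
-// points to admin-ajax.php
-jQuery.post(ajaxurl, data, function(response) {
-if(callback) {
-callback(response);
-}
-}).fail(function(errorResponse){
-if(failcallback) {
-failcallback(errorResponse);
-}
-});
-};
-})();
+}, payload);
+
+// Since Wordpress 2.8 ajaxurl is always defined in admin header and
+// points to admin-ajax.php
+jQuery.post(ajaxurl, data, function(response) {
+if(callback) {
+callback(response);
+}
+}).fail(function(errorResponse){
+if(failcallback) {
+failcallback(errorResponse);
+}
+});
+}
 
 var settings = {'facebook_for_woocommerce' : 1};
 var pixel_settings = {'facebook_for_woocommerce' : 1};
@@ -208,7 +194,14 @@ function delete_all_settings(callback = null, failcallback = null) {
 window.fb_connected = false;
 
 console.log('Deleting all settings and removing all FBIDs!');
-return ajax('ajax_delete_fb_settings', null, callback, failcallback);
+return ajax(
+'ajax_delete_fb_settings',
+{
+"_ajax_nonce": wc_facebook_settings_jsx.nonce,
+},
+callback,
+failcallback
+);
 }
 
 // save_settings and save_settings_and_sync should only be called once
@@ -876,7 +869,15 @@ function onSetDisableSyncOnDevEnvironment() {
 'ajax_update_fb_option',
 {
 "option": "fb_disable_sync_on_dev_environment",
-"option_value": isChecked ? 1 : 0
+"option_value": isChecked ? 1 : 0,
+"_ajax_nonce": wc_facebook_settings_jsx.nonce,
+},
+null,
+function onSetDisableSyncOnDevEnvironmentFailCallback(error) {
+document.getElementsByClassName(
+'onSetDisableSyncOnDevEnvironment'
+)[0].checked = !isChecked;
+console.log('Failed to disable sync on dev environment');
 }
 );
 }
@@ -887,7 +888,13 @@ function syncShortDescription() {
 'ajax_update_fb_option',
 {
 "option": "fb_sync_short_description",
-"option_value": isChecked ? 1 : 0
+"option_value": isChecked ? 1 : 0,
+"_ajax_nonce": wc_facebook_settings_jsx.nonce,
+},
+null,
+function syncShortDescriptionFailCallback(error) {
+document.getElementsByClassName('syncShortDescription')[0].checked = ! isChecked;
+console.log('Failed to sync Short Description');
 }
 );
 }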
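Review bot: The rewritten `ajax` helper at new lines 82-98 no longer carries a nonce itself, so CSRF protection now depends on every caller remembering to add `"_ajax_nonce": wc_facebook_settings_jsx.nonce` to its payload; the three call sites changed in this section do, but any other `ajax(...)` call outside these hunks, if one exists, will be rejected by the server-side `check_ajax_referer` once its handler enforces it. Because the nonce is the same for every action, it belongs in the helper — `var data = Object.assign( {}, { 'action': action, '_ajax_nonce': wc_facebook_settings_jsx.nonce }, payload);` — after which the per-call `_ajax_nonce` entries can be dropped and no action can be missed. The two new fail callbacks also index `document.getElementsByClassName(...)[0]` without checking that the element exists, so a missing checkbox would throw inside the jQuery fail handler rather than reaching the `console.log`. delete_all_settings, onSetDisableSyncOnDevEnvironment and syncShortDescription each begin before their hunk.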
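--- a/changelog.txt
+++ b/changelog.txt
@@ -1,4 +1,8 @@
 *** Facebook for WooCommerce Changelog ***
+2019-06-20 - Version 1.9.14
+* Revisit CSRF security issue
+* Remove rest controller which is not used
+
 2019-06-18 - Version 1.9.13
 * Fix security issue
 * Add more contributors to the plugin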
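--- a/facebook-commerce.php
+++ b/facebook-commerce.php
@@ -72,11 +72,6 @@ class WC_Facebookcommerce_Integration extends WC_Integration {
 * @return void
 */
 public function __construct() {
-if (!class_exists('WC_Facebookcommerce_REST_Controller')) {
-include_once( 'includes/fbcustomapi.php' );
-$this->customapi = new WC_Facebookcommerce_REST_Controller();
-}
-
 if (!class_exists('WC_Facebookcommerce_EventsTracker')) {
 include_once 'facebook-commerce-events-tracker.php';
 }
@@ -708,8 +703,16 @@ class WC_Facebookcommerce_Integration extends WC_Integration {
 };
 </script>
 <?php
-wp_enqueue_script('wc_facebook_jsx', plugins_url(
+$ajax_data = array(
+'nonce' => wp_create_nonce( 'wc_facebook_settings_jsx' ),
+);
+wp_enqueue_script('wc_facebook_settings_jsx', plugins_url(
 '/assets/js/facebook-settings.js?ts=' . time(), __FILE__));
+wp_localize_script(
+'wc_facebook_settings_jsx',
+'wc_facebook_settings_jsx',
+$ajax_data
+);
 wp_enqueue_style('wc_facebook_css', plugins_url(
 '/assets/css/facebook.css', __FILE__));
 }
@@ -1200,6 +1203,7 @@ class WC_Facebookcommerce_Integration extends WC_Integration {
 * Delete all settings via AJAX
 **/
 function ajax_delete_fb_settings() {
+check_ajax_referer( 'wc_facebook_settings_jsx' );
 if (!WC_Facebookcommerce_Utils::check_woo_ajax_permissions('delete settings', false)) {
 return;
 }
@@ -2109,7 +2113,6 @@ class WC_Facebookcommerce_Integration extends WC_Integration {
 <hr/>
 
 <div id="fbsetup">
-<form><?php wp_nonce_field('wp_ajax_ajax_update_fb_option'); ?></form>
 <div class="wrapper">
 <header>
 <div class="help-center">
@@ -2530,12 +2533,9 @@ class WC_Facebookcommerce_Integration extends WC_Integration {
 }
 
 function ajax_update_fb_option() {
-WC_Facebookcommerce_Utils::check_ajax_referer();
+check_ajax_referer( 'wc_facebook_settings_jsx' );
 WC_Facebookcommerce_Utils::check_woo_ajax_permissions('update fb options', true);
-$wpnonce = $_POST['_wpnonce'];
-if (isset($_POST) &&
-stripos($_POST['option'], 'fb_') === 0 &&
-wp_verify_nonce($wpnonce, 'wp_ajax_ajax_update_fb_option')) {
+if (isset($_POST) && stripos($_POST['option'], 'fb_') === 0) {
 update_option(sanitize_text_field($_POST['option']), sanitize_text_field($_POST['option_value']));
 }
 wp_die();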
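Review bot: In `ajax_update_fb_option` the rewritten guard at new line 2538 still tests `isset($_POST)`, which is always true for the superglobal, so a request missing `option` or `option_value` reaches `stripos()` and `update_option()` with undefined indexes; use `if (isset($_POST['option'], $_POST['option_value']) && stripos($_POST['option'], 'fb_') === 0) {`. The `fb_` test is a case-insensitive prefix match, so any option whose name begins with `fb_` can be written by a user who passes the permission check — an explicit allowlist of the options the settings page actually toggles would bound that more tightly. Every handler now shares the single nonce action `'wc_facebook_settings_jsx'`, which is adequate against cross-site forgery but means the same token authorizes both the option update and `ajax_delete_fb_settings`. The enqueue handle changed from `wc_facebook_jsx` to `wc_facebook_settings_jsx`; anything outside these hunks that dequeues or depends on the old handle would silently stop matching. Both handler bodies continue past their hunks.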
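--- a/facebook-for-woocommerce.php
+++ b/facebook-for-woocommerce.php
@@ -10,7 +10,7 @@
 * Description: Grow your business on Facebook! Use this official plugin to help sell more of your products using Facebook. After completing the setup, you'll be ready to create ads that promote your products and you can also create a shop section on your Page where customers can browse your products on Facebook.
 * Author: Facebook
 * Author URI: https://www.facebook.com/
-* Version: 1.9.13
+* Version: 1.9.14
 * Woo: 2127297:0ea4fe4c2d7ca6338f8a322fb3e4e187
 * Text Domain: facebook-for-woocommerce
 * WC requires at least: 3.0.0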
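--- a/includes/fbcustomapi.php
+++ /dev/null
@@ -1,63 +0,0 @@
-<?php
-/**
-* Copyright (c) Facebook, Inc. and its affiliates. All Rights Reserved
-*
-* This source code is licensed under the license found in the
-* LICENSE file in the root directory of this source tree.
-*
-* @package FacebookCommerce
-*/
-
-if (! defined('ABSPATH')) {
-exit;
-}
-
-if (! class_exists('WC_Facebookcommerce_REST_Controller')) :
-
-/**
-* Custom API REST path class
-*
-*/
-class WC_Facebookcommerce_REST_Controller extends WP_REST_Controller {
-
-/**
-* Init and hook in the integration.
-*/
-public function __construct() {
-global $woocommerce;
-add_action('rest_api_init', array($this, 'register_routes'));
-
-
-// TODO: wp_woocommerce_api_keys
-// http://stackoverflow.com/questions/31327994/woocommerce-rest-client-api-
-// programmatically-get-consumer-key-and-secret
-
-}
-
-/**
-* Function to define custom routes
-*/
-public function register_routes() {
-register_rest_route('facebook/v1', '/version' ,
-array(
-'methods' => WP_REST_Server::READABLE,
-'callback' => array($this, 'fb_test_function'),
-));
-}
-
-public function fb_test_function(WP_REST_Request $request) {
-$parameters = $request->get_params();
-// Create the response object
-$res = new WP_REST_Response(WC_Facebookcommerce_Utils::PLUGIN_VERSION);
-
-// Add a custom status code
-$res->set_status(200);
-$res->jsonSerialize();
-
-return $res;
-}
-
-
-}
-
-endif;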
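--- a/includes/fbutils.php
+++ b/includes/fbutils.php
@@ -21,7 +21,7 @@ if (!class_exists('WC_Facebookcommerce_Utils')) :
 class WC_Facebookcommerce_Utils {
 
 const FB_RETAILER_ID_PREFIX = 'wc_post_id_';
-const PLUGIN_VERSION = '1.9.13'; // Change it in `facebook-for-*.php` also
+const PLUGIN_VERSION = '1.9.14'; // Change it in `facebook-for-*.php` also
 
 const FB_VARIANT_IMAGE = 'fb_image';
 const FB_VARIANT_SIZE = 'size';
@@ -480,20 +480,6 @@ if (!class_exists('WC_Facebookcommerce_Utils')) :
 get_option('fb_info_banner_last_best_tip', ''));
 return $cached_best_tip;
 }
-
-public static function check_ajax_referer() {
-$http_referer = null;
-if (!empty($_SERVER['HTTP_REFERER'])) {
-$http_referer = wp_unslash($_SERVER['HTTP_REFERER']);
-}
-$wp_site = get_site_url();
-$http_referer_url = parse_url($http_referer);
-$wp_site_url = parse_url($wp_site_url);
-if (!empty($http_referer_url) && !empty($wp_site_url) && $http_referer_url['host'] === $wp_site_url['host']) {
-return;
-}
-wp_die('FBE: bad requests!');
-}
 }
 
 endif;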
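--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: facebook, automattic, woothemes
 Tags: facebook, shop, catalog, advertise, pixel, product
 Requires at least: 4.4
 Tested up to: 4.9.8
-Stable tag: 1.9.13
+Stable tag: 1.9.14
 Requires PHP: 5.6
 MySQL: 5.6 or greater
 License: GPLv2 or later
@@ -38,8 +38,12 @@ When opening a bug on GitHub, please give us as many details as possible.
 * Current version of Facebook-for-WooCommerce, WooCommerce, Wordpress, PHP
 
 == Changelog ==
+= 1.9.14 - 2019-06-20 =
+* Revisit CSRF security issue
+* Remove rest controller which is not used
+
 = 1.9.13 - 2019-06-18 =
-* Fix security issues
+* Fix security issue
 * Add more contributors to the plugin
 
 = 1.9.12 - 2019-05-2 =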