FeedWordPress - Version 2015.0514

Version Description

  • IMPORTANT SECURITY UPDATE: This version includes two important fixes for potential security vulnerabilities reported to me through support channels.

    The first is a common problem across several plugins due to an ambiguity in the WordPress documentation and a change in the behavior of WordPress's built-in add_query_arg() and remove_query_arg() functions which could, under certain low-probability conditions, allow for potential XSS attack vectors. This fixes issue # 39 reported at https://github.com/radgeek/feedwordpress/issues/39 Thanks to github.com/quassy

    The second fixes a security vulnerability that was reported to me privately (thanks to Adrián M. F.) which, under other low-probability conditions, could allow for SQL insertion attacks by a malicious user with access to login credentials, which would compromise data security.

    It is IMPORTANT and worth your while to upgrade FeedWordPress as soon as possible in order to eliminate these vulnerabilities. If you have any questions or if there is something blocking you from making the upgrade which you need my help with, don't hesitate to get in touch.

  • ADMIN UI BUGFIX: "Update Now" button in feeds setting pages should now work once again instead of causing a PHP fatal error. See https://github.com/radgeek/feedwordpress/issues/46

  • SEVERAL OTHER SMALL BUG FIXES. See https://github.com/radgeek/feedwordpress/issues/32 https://github.com/radgeek/feedwordpress/issues/30 https://github.com/radgeek/feedwordpress/issues/29 etc.


Release Info

Developer radgeek
Version 2015.0514

Code changes from version 2015.0426 to 2015.0514

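--- a/admin-ui.php
+++ b/admin-ui.php
@@ -59,11 +59,13 @@ class FeedWordPressAdminPage {
  add_action('feedwordpress_check_feed', 'update_feeds_mention');
  add_action('feedwordpress_check_feed_complete', 'update_feeds_finish', 10, 3);
 
+ $link = $this->link;
+
  print '<div class="updated">';
  print "<ul>";
  $uri = $this->link->uri();
  $displayUrl = $uri;
-
+
  // check for effects of an effective-url filter
  $effectiveUrl = $link->uri(array('fetch' => true));
  if ($uri != $effectiveUrl) : $displayUrl .= ' | ' . $effectiveUrl; endif;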
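Review bot: The block now reads the same object two ways, `$this->link->uri()` on the `$uri` line and `$link->uri(array('fetch' => true))` two lines later, which is the kind of split that left `$link` undefined before this fix. Using the local throughout, `$uri = $link->uri();`, would make the dependency visible in one place. `$displayUrl` is built from feed URIs and is presumably printed inside the `<div class="updated">` markup below the hunk; if so, it should pass through `esc_html()` at the point of output. The enclosing method starts and ends outside the hunk.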
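--- a/feedwordpress.php
+++ b/feedwordpress.php
@@ -3,7 +3,7 @@
  Plugin Name: FeedWordPress
  Plugin URI: http://feedwordpress.radgeek.com/
  Description: simple and flexible Atom/RSS syndication for WordPress
- Version: 2015.0426
+ Version: 2015.0514
  Author: Charles Johnson
  Author URI: http://radgeek.com/
  License: GPL
@@ -11,7 +11,7 @@ License: GPL
 
  /**
  * @package FeedWordPress
- * @version 2015.0426
+ * @version 2015.0514
  */
 
  # This uses code derived from:
@@ -32,7 +32,7 @@ License: GPL
 
  # -- Don't change these unless you know what you're doing...
 
- define ('FEEDWORDPRESS_VERSION', '2015.0426');
+ define ('FEEDWORDPRESS_VERSION', '2015.0514');
  define ('FEEDWORDPRESS_AUTHOR_CONTACT', 'http://radgeek.com/contact');
 
  if (!defined('FEEDWORDPRESS_BLEG')) :
@@ -1642,7 +1642,7 @@ class FeedWordPress {
  } /* FeedWordPress::redirect_retired () */
 
  public function row_actions ($actions, $post) {
- if (is_syndicated($post->ID)) :
+ if (is_syndicated($post->ID) && current_user_can('edit_post', $post->ID)) :
  $link = get_delete_post_link($post->ID, '', true);
  $eraseLink = MyPHP::url($link, array("fwp_post_delete" => "nuke"));
 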
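Review bot: The new guard in `row_actions()` tests `current_user_can('edit_post', $post->ID)`, but the link it protects is built from `get_delete_post_link()` with `fwp_post_delete=nuke`, which appears to be a delete action; the matching capability is `delete_post`, so the condition would better read `if (is_syndicated($post->ID) && current_user_can('delete_post', $post->ID)) :`. Hiding the row action is only a UI measure: the code that handles `fwp_post_delete` is not in this hunk, and it should repeat the capability check and verify the nonce itself. The body of `row_actions()` continues outside the hunk.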
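--- a/feedwordpresssyndicationpage.class.php
+++ b/feedwordpresssyndicationpage.class.php
@@ -70,6 +70,47 @@ class FeedWordPressSyndicationPage extends FeedWordPressAdminPage {
  return ($this->visibility_toggle() == 'N');
  }
 
+ /**
+ * sanitize_ids: Protect id numbers from untrusted sources (POST array etc.)
+ * from possibility of SQLi attacks. Runs everything through an intval filter
+ * and then for good measure through esc_sql()
+ *
+ * @param array $link_ids An array of one or more putative link IDs
+ * @return array
+ */
+ public function sanitize_ids_sql ($link_ids) {
+ $link_ids = array_map(
+ 'esc_sql',
+ array_map(
+ 'intval',
+ $link_ids
+ )
+ );
+ return $link_ids;
+ } /* FeedWordPressSyndicationPage::sanitize_ids_sql () */
+
+ /**
+ * requested_link_ids_sql ()
+ *
+ * @return string An SQL list literal containing the link IDs, sanitized
+ * and escaped for direct use in MySQL queries.
+ *
+ * @uses sanitize_ids_sql()
+ */
+ public function requested_link_ids_sql () {
+ // Multiple link IDs passed in link_ids[]=... . . .
+ $link_ids = (isset($_REQUEST['link_ids']) ? $_REQUEST['link_ids'] : array());
+
+ // Or single in link_id=...
+ if (isset($_REQUEST['link_id'])) : array_push($link_ids, $_REQUEST['link_id']); endif;
+
+ // Filter for safe use in MySQL queries.
+ $link_ids = $this->sanitize_ids_sql($link_ids);
+
+ // Convert to MySQL list literal.
+ return "('".implode("', '", $link_ids)."')";
+ } /* FeedWordPressSyndicationPage::requested_link_ids_sql () */
+
  function updates_requested () {
  global $wpdb;
 
@@ -84,9 +125,14 @@ class FeedWordPressSyndicationPage extends FeedWordPressAdminPage {
  if ($fwp_update_invoke != 'get') :
  if (is_array(MyPHP::post('link_ids'))
  and (MyPHP::post('action')==FWP_UPDATE_CHECKED)) :
+ // Get single link ID or multiple link IDs from REQUEST parameters
+ // if available. Sanitize values for MySQL.
+ $link_list = $this->requested_link_ids_sql();
+
+ // $link_list has previously been sanitized for html by self::requested_link_ids_sql
  $targets = $wpdb->get_results("
  SELECT * FROM $wpdb->links
- WHERE link_id IN (".implode(",",$_POST['link_ids']).")
+ WHERE link_id IN ${link_list}
  ");
  if (is_array($targets)) :
  foreach ($targets as $target) :
@@ -738,10 +784,11 @@ regular donation</a>) using an existing PayPal account or any major credit card.
  if (MyPHP::post('submit')==FWP_CANCEL_BUTTON) :
  return true; // Continue without further ado.
  endif;
-
- $link_ids = (isset($_REQUEST['link_ids']) ? $_REQUEST['link_ids'] : array());
- if (isset($_REQUEST['link_id'])) : array_push($link_ids, $_REQUEST['link_id']); endif;
-
+
+ // Get single link ID or multiple link IDs from REQUEST parameters
+ // if available. Sanitize values for MySQL.
+ $link_list = $this->requested_link_ids_sql();
+
  if (MyPHP::post('confirm')=='Delete'):
  if ( is_array(MyPHP::post('link_action')) ) :
  $actions = MyPHP::post('link_action');
@@ -835,9 +882,10 @@ regular donation</a>) using an existing PayPal account or any major credit card.
 
  return true; // Continue on to Syndicated Sites listing
  else :
+ // $link_list has previously been sanitized for html by self::requested_link_ids_sql
  $targets = $wpdb->get_results("
  SELECT * FROM $wpdb->links
- WHERE link_id IN (".implode(",",$link_ids).")
+ WHERE link_id IN ${link_list}
  ");
  ?>
  <form action="<?php print $this->form_action(); ?>" method="post">
@@ -907,9 +955,10 @@ regular donation</a>) using an existing PayPal account or any major credit card.
  // If this is a POST, validate source and user credentials
  FeedWordPressCompatibility::validate_http_request(/*action=*/ 'feedwordpress_feeds', /*capability=*/ 'manage_links');
 
- $link_ids = (isset($_REQUEST['link_ids']) ? $_REQUEST['link_ids'] : array());
- if (isset($_REQUEST['link_id'])) : array_push($link_ids, $_REQUEST['link_id']); endif;
-
+ // Get single link ID or multiple link IDs from REQUEST parameters
+ // if available. Sanitize values for MySQL.
+ $link_list = $this->requested_link_ids_sql();
+
  if (MyPHP::post('confirm')=='Undelete'):
  if ( is_array(MyPHP::post('link_action')) ) :
  $actions = MyPHP::post('link_action');
@@ -956,9 +1005,10 @@ regular donation</a>) using an existing PayPal account or any major credit card.
 
  return true; // Continue on to Syndicated Sites listing
  else :
+ // $link_list has previously been sanitized for html by self::requested_link_ids_sql
  $targets = $wpdb->get_results("
  SELECT * FROM $wpdb->links
- WHERE link_id IN (".implode(",",$link_ids).")
+ WHERE link_id IN ${link_list}
  ");
  ?>
  <form action="<?php print $this->form_action(); ?>" method="post">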
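Review bot: `requested_link_ids_sql()` assumes `$_REQUEST['link_ids']` is an array, yet only the `updates_requested()` call site tests `is_array(MyPHP::post('link_ids'))` first; no such check is visible at the Delete and Undelete call sites, where a scalar `link_ids` would reach `array_push()`/`array_map()` and fail with a warning or, on PHP 8, a TypeError. Casting at the read keeps the helper safe on its own: `$link_ids = (isset($_REQUEST['link_ids']) ? (array) $_REQUEST['link_ids'] : array());`. The `intval` pass is what neutralises the injection, so the `esc_sql` pass adds nothing, and the three call-site comments should say `sanitized for SQL` rather than `sanitized for html`. The first query used to read `$_POST['link_ids']` and now takes its list from `$_REQUEST`, which also accepts query-string values; it is worth confirming that this is intended. The functions around the call sites start and end outside these hunks.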
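--- a/readme.txt
+++ b/readme.txt
@@ -3,8 +3,8 @@ Contributors: Charles Johnson
  Donate link: http://feedwordpress.radgeek.com/
  Tags: syndication, aggregation, feed, atom, rss
  Requires at least: 3.0
- Tested up to: 4.2
- Stable tag: 2015.0426
+ Tested up to: 4.2.2
+ Stable tag: 2015.0514
 
  FeedWordPress syndicates content from feeds you choose into your WordPress weblog.
 
@@ -94,8 +94,40 @@ outs, see the documentation at the [FeedWordPress project homepage][].
 
  == Changelog ==
 
- = 2014.0805 =
+ = 2015.0514 =
+
+ * IMPORTANT SECURITY UPDATE: This version includes two important fixes for
+ potential security vulnerabilities reported to me through support channels.
+
+ The first is a common problem across several plugins due to an ambiguity in
+ the WordPress documentation and a change in the behavior of WordPress's
+ built-in add_query_arg() and remove_query_arg() functions
+ which could, under certain low-probability conditions, allow for potential
+ XSS attack vectors. This fixes issue # 39
+ reported at <https://github.com/radgeek/feedwordpress/issues/39>
+ Thanks to github.com/quassy
+
+ The second is a security vulnerability fixes a security vulnerability that
+ was reported to me privately (thanks to Adrián M. F.) which, under other
+ low-probability conditions, could allow for SQL insertion attacks by
+ a malicious user with access to login credentials, which would compromise
+ data security.
+
+ It is *IMPORTANT* and worth your while to upgrade FeedWordPress as soon as
+ possible in order to eliminate these vulnerabilities. If you have any
+ questions or if there is something blocking you from making the upgrade
+ which you need my help with, don't hesitate to get in touch.
+
+ * ADMIN UI BUGFIX: "Update Now" button in feeds setting pages should now work
+ once again instead of causing a PHP fatal error. See
+ <https://github.com/radgeek/feedwordpress/issues/46>
+
+ * SEVERAL OTHER SMALL BUG FIXES. See <https://github.com/radgeek/feedwordpress/issues/32>
+ <https://github.com/radgeek/feedwordpress/issues/30>
+ <https://github.com/radgeek/feedwordpress/issues/29>
+ etc.
 
+ = 2014.0805 =
 
  * FILTERS AND ADD-ONS: A number of new hooks for filters and add-ons to
  further customize the behavior of FWP have been added.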
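--- a/syndicatedlink.class.php
+++ b/syndicatedlink.class.php
@@ -130,9 +130,9 @@ class SyndicatedLink {
 
  $url = $this->uri(array('add_params' => true, 'fetch' => true));
  FeedWordPress::diagnostic('updated_feeds', 'Polling feed ['.$url.']');
-
+
  $this->fetch();
-
+
  $new_count = NULL;
 
  $resume = ('yes'==$this->setting('update/unfinished'));
@@ -178,6 +178,7 @@ class SyndicatedLink {
  $this->save_settings(/*reload=*/ true);
 
  elseif (is_object($this->simplepie)) :
+
  // Success; clear out error setting, if any.
  $this->update_setting('update/error', NULL);
 
@@ -285,7 +286,9 @@ class SyndicatedLink {
  break;
  endif;
  endif;
+
  unset($post);
+
  endforeach;
  endif;
 
@@ -720,8 +723,13 @@ class SyndicatedLink {
  'fetch' => false,
  ));
 
+ // Initialize $qp (= array for added query parameters, if any)
+ $qp = array();
+
  $link_rss = (is_object($this->link) ? $this->link->link_rss : NULL);
-
+
+ // $link_rss stores the URI for the subscription as stored in the feed's record.
+ // $uri stores the effective URI of the request including any/all added query parameters
  $uri = $link_rss;
  if (!is_null($uri) and strlen($uri) > 0 and $params['add_params']) :
  $qp = maybe_unserialize($this->setting('query parameters', array()));
@@ -729,6 +737,7 @@ class SyndicatedLink {
  // For high-tech HTTP feed request kung fu
  $qp = apply_filters('syndicated_feed_parameters', $qp, $uri, $this);
 
+ // $qp is an array of key-value pairs stored as arrays of format [$key, $value]
  $q = array();
  if (is_array($qp) and count($qp) > 0) :
  foreach ($qp as $pair) :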
syndicatedpost.class.php CHANGED
@@ -117,6 +117,7 @@ class SyndicatedPost {
117
  if (is_null($this->item)) :
118
  $this->post = NULL;
119
  else :
 
120
  # Note that nothing is run through esc_sql() here.
121
  # That's deliberate. The escaping is done at the point
122
  # of insertion, not here, to avoid double-escaping and
@@ -127,6 +128,7 @@ class SyndicatedPost {
127
  $this->entry->get_title(), $this
128
  );
129
 
 
130
  $this->named['author'] = apply_filters(
131
  'syndicated_item_author',
132
  $this->author(), $this
@@ -134,7 +136,7 @@ class SyndicatedPost {
134
  // This just gives us an alphanumeric name for the author.
135
  // We look up (or create) the numeric ID for the author
136
  // in SyndicatedPost::add().
137
-
138
  $this->post['post_content'] = apply_filters(
139
  'syndicated_item_content',
140
  $this->content(), $this
@@ -348,6 +350,7 @@ class SyndicatedPost {
348
 
349
  $this->post['post_type'] = apply_filters('syndicated_post_type', $this->link->setting('syndicated post type', 'syndicated_post_type', 'post'), $this);
350
  endif;
 
351
  } /* SyndicatedPost::SyndicatedPost() */
352
 
353
  #####################################
@@ -589,6 +592,7 @@ class SyndicatedPost {
589
  } /* SyndicatedPost::title () */
590
 
591
  function content ($params = array()) {
 
592
  $params = wp_parse_args($params, array(
593
  "full only" => false,
594
  ));
@@ -635,6 +639,7 @@ class SyndicatedPost {
635
  endif;
636
 
637
  endif;
 
638
  return $content;
639
  } /* SyndicatedPost::content() */
640
 
@@ -1213,6 +1218,7 @@ class SyndicatedPost {
1213
  function resolve_single_relative_uri ($refs) {
1214
  $tag = FeedWordPressHTML::attributeMatch($refs);
1215
  $url = SimplePie_Misc::absolutize_url($tag['value'], $this->_base);
 
1216
  return $tag['prefix'] . $url . $tag['suffix'];
1217
  } /* function SyndicatedPost::resolve_single_relative_uri() */
1218
 
@@ -1233,11 +1239,17 @@ class SyndicatedPost {
1233
  foreach ($obj->uri_attrs as $pair) :
1234
  list($tag, $attr) = $pair;
1235
  $pattern = FeedWordPressHTML::attributeRegex($tag, $attr);
 
 
 
 
 
1236
  $content = preg_replace_callback (
1237
  $pattern,
1238
  array($obj, 'resolve_single_relative_uri'),
1239
  $content
1240
  );
 
1241
  endforeach;
1242
  endif;
1243
 
117
  if (is_null($this->item)) :
118
  $this->post = NULL;
119
  else :
120
+
121
  # Note that nothing is run through esc_sql() here.
122
  # That's deliberate. The escaping is done at the point
123
  # of insertion, not here, to avoid double-escaping and
128
  $this->entry->get_title(), $this
129
  );
130
 
131
+
132
  $this->named['author'] = apply_filters(
133
  'syndicated_item_author',
134
  $this->author(), $this
136
  // This just gives us an alphanumeric name for the author.
137
  // We look up (or create) the numeric ID for the author
138
  // in SyndicatedPost::add().
139
+
140
  $this->post['post_content'] = apply_filters(
141
  'syndicated_item_content',
142
  $this->content(), $this
350
 
351
  $this->post['post_type'] = apply_filters('syndicated_post_type', $this->link->setting('syndicated post type', 'syndicated_post_type', 'post'), $this);
352
  endif;
353
+
354
  } /* SyndicatedPost::SyndicatedPost() */
355
 
356
  #####################################
592
  } /* SyndicatedPost::title () */
593
 
594
  function content ($params = array()) {
595
+
596
  $params = wp_parse_args($params, array(
597
  "full only" => false,
598
  ));
639
  endif;
640
 
641
  endif;
642
+
643
  return $content;
644
  } /* SyndicatedPost::content() */
645
 
1218
  function resolve_single_relative_uri ($refs) {
1219
  $tag = FeedWordPressHTML::attributeMatch($refs);
1220
  $url = SimplePie_Misc::absolutize_url($tag['value'], $this->_base);
1221
+
1222
  return $tag['prefix'] . $url . $tag['suffix'];
1223
  } /* function SyndicatedPost::resolve_single_relative_uri() */
1224
 
1239
  foreach ($obj->uri_attrs as $pair) :
1240
  list($tag, $attr) = $pair;
1241
  $pattern = FeedWordPressHTML::attributeRegex($tag, $attr);
1242
+
1243
+ // FIXME: Encountered issue while testing an extremely long (= 88827 characters) item
1244
+ // Relying on preg_replace_callback() here can cause a PHP seg fault on my development
1245
+ // server. preg_match_all() causes a similar problem. Apparently this is a PCRE issue
1246
+ // Cf. discussion of similar issue <https://bugs.php.net/bug.php?id=65009>
1247
  $content = preg_replace_callback (
1248
  $pattern,
1249
  array($obj, 'resolve_single_relative_uri'),
1250
  $content
1251
  );
1252
+
1253
  endforeach;
1254
  endif;
1255