Google Doc Embedder - Version 2.6.2

Version Description

Additional checks to protect against XSS/CSRF vulnerability reported by Tristan Madani.

Removed settings and profile import/export feature to reduce support and development requirements of this plugin.


Release Info

Developer danlester
Version 2.6.2

Code changes from version 2.6.1 to 2.6.2

Files changed (5) hide show
  1. functions-admin.php +0 -135
  2. gviewer.php +2 -2
  3. libs/tab-advanced.php +0 -41
  4. options.php +9 -27
  5. readme.txt +6 -0
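--- a/functions-admin.php
+++ b/functions-admin.php
@@ -256,141 +256,6 @@ function gde_overwrite_profile( $sourceid ) {
 }
 }
 
-/**
-* Process profile/settings import file
-*
-* @since 2.5.0.3
-* @return void
-*/
-function gde_import( $data ) {
-$label = __('Import', 'google-document-embedder');
-$status = array();
-
-echo '
-<div class="wrap">
-<div class="icon32" id="icon-plugins"></div>
-<h2>Google Doc Embedder ' . $label . '</h2>
-';
-
-if ( isset( $data['profiles'] ) || isset( $data['profiles'] ) ) {
-// full import
-echo "<p>" . __('Performing full import...', 'google-document-embedder') . "</p>\n";
-
-// profiles import
-if ( isset( $data['profiles'] ) ) {
-echo "<p>" . __('Importing profiles', 'google-document-embedder');
-
-$success = gde_import_profiles( $data['profiles'] );
-$total = count( $data['profiles'] );
-echo " ($success/$total)... ";
-if ( $success == $total ) {
-echo __('done', 'google-document-embedder') . ".</p>\n";
-} else {
-$status[] = "fail";
-echo "<strong>" . __('failed', 'google-document-embedder') . ".</strong></p>\n";
-}
-}
-
-// settings import
-if ( isset( $data['settings'] ) ) {
-echo "<p>" . __('Importing settings', 'google-document-embedder') . "... ";
-if ( ! gde_import_settings( $data['settings'] ) ) {
-$status[] = "fail";
-echo "<strong>" . __('failed', 'google-document-embedder') . ".</strong></p>\n";
-} else {
-echo __('done', 'google-document-embedder') . ".</p>\n";
-}
-}
-} elseif ( isset( $data[0]['profile_id'] ) ) {
-// profile import
-echo "<p>" . __('Importing profiles', 'google-document-embedder');
-
-$success = gde_import_profiles( $data );
-$total = count( $data );
-echo " ($success/$total)... ";
-if ( $success == $total ) {
-echo __('done', 'google-document-embedder') . ".</p>\n";
-} else {
-$status[] = "fail";
-echo "<strong>" . __('failed', 'google-document-embedder') . ".</strong></p>\n";
-}
-} elseif ( isset( $data['ed_disable'] ) ) {
-// settings import
-echo "<p>" . __('Importing settings... ', 'google-document-embedder');
-
-if ( ! gde_import_settings( $data ) ) {
-$status[] = "fail";
-echo "<strong>" . __('failed', 'google-document-embedder') . ".</strong></p>\n";
-} else {
-echo __('done', 'google-document-embedder') . ".</p>\n";
-}
-} else {
-echo "<p>" . __('Please select a valid export file to import.', 'google-document-embedder') . "</p>\n";
-}
-
-if ( in_array( 'fail', $status ) ) {
-echo "<p>" . __('All or part of the import failed. See above for information.', 'google-document-embedder') . "</p>\n";
-} else {
-echo "<p>" . __('Import completed successfully.', 'google-document-embedder') . "</p>\n";
-}
-
-echo "<p><a href=''>" . __('Return to GDE Settings', 'google-document-embedder') . "</a></p>\n";
-echo "</div>\n";
-}
-
-/**
-* Process settings import data
-*
-* @since 2.5.0.3
-* @return bool Whether or not settings import succeeded
-*/
-function gde_import_settings( $data ) {
-global $gdeoptions;
-
-$current = $gdeoptions;
-
-if ( $current == $data ) {
-// nothing to do
-return true;
-} else {
-foreach ( $data as $k => $v ) {
-$gdeoptions[$k] = $v;
-}
-
-if ( update_option( 'gde_options', $gdeoptions ) ) {
-return true;
-} else {
-return false;
-}
-}
-}
-
-function gde_import_profiles( $data ) {
-$success = 0;
-
-foreach ( $data as $v ) {
-$pid = gde_profile_name_exists( $v['profile_name'] );
-if ( $pid !== -1 ) {
-// overwrite existing profile
-$prodata = array( '', $v['profile_desc'], $v['profile_data'] );
-if ( gde_write_profile( $prodata, $pid, true ) > 0 ) {
-$success++;
-} else {
-gde_dx_log("failure importing to overwrite profile $pid");
-}
-} else {
-// write as new profile
-$prodata = array( $v['profile_name'], $v['profile_desc'], $v['profile_data'] );
-if ( gde_write_profile( $prodata ) > 0 ) {
-$success++;
-} else {
-gde_dx_log("failure importing to new profile");
-}
-}
-}
-
-return $success;
-}
 
 /* SETTINGS ****/
 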
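--- a/gviewer.php
+++ b/gviewer.php
@@ -8,7 +8,7 @@ Author: Kevin Davis, Dan Lester
 Author URI: https://wordpress.org/plugins/google-document-embedder/
 Text Domain: google-document-embedder
 Domain Path: /languages/
-Version: 2.6.1
+Version: 2.6.2
 License: GPLv2
 */
 
@@ -38,7 +38,7 @@ License: GPLv2
 */
 
 // boring init junk
-$gde_ver = "2.6.1";
+$gde_ver = "2.6.2";
 $gde_db_ver = "1.2"; // update also in gde_activate()
 
 require_once( plugin_dir_path( __FILE__ ) . 'functions.php' );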
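--- a/libs/tab-advanced.php
+++ b/libs/tab-advanced.php
@@ -120,44 +120,3 @@
 </form>
 
 <br/>
-<form action="" method="post" id="gde-backup">
-
-<h3><?php _e('Backup and Import', 'google-document-embedder'); ?></h3>
-
-<?php
-if ( ! $healthy ) {
-echo "<p>" . gde_show_error( __('Unable to load profile settings. Please re-activate GDE and if the problem persists, request help using the "Support" tab.', 'google-document-embedder') ) . "</p>\n";
-} else {
-?>
-
-<p><?php _e('Download a file to your computer containing your profiles, settings, or both, for backup or migration purposes.', 'google-document-embedder'); ?></p>
-
-<p>
-<input type="radio" value="all" name="type" id="backup-all" checked="checked"><label for="backup-all"> <?php _e('All Profiles and Settings', 'google-document-embedder'); ?></label> &nbsp;&nbsp;
-<input type="radio" value="profiles" name="type" id="backup-pro"><label for="backup-pro"> <?php _e('Profiles', 'google-document-embedder'); ?></label> &nbsp;&nbsp;
-<input type="radio" value="settings" name="type" id="backup-set"><label for="backup-set"> <?php _e('Settings', 'google-document-embedder'); ?></label>
-</p>
-
-<p class="submit" style="padding-top: 0 !important;">
-<input type="submit" value="<?php _e('Download Export File', 'google-document-embedder'); ?>" class="button-secondary" id="export-submit" name="submit">
-</p>
-</form>
-
-<form enctype="multipart/form-data" action="" method="post" id="gde-import">
-<?php wp_nonce_field('import-opts', '_advanced_import'); ?>
-
-<p>
-<label for="upload"><?php _e('To import, choose a file from your computer:', 'google-document-embedder'); ?></label>
-<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo wp_max_upload_size(); ?>" />
-<input type="file" id="upload" name="import" size="25" />
-</p>
-
-<p class="submit" style="padding-top: 0 !important;">
-<input type="submit" name="submit" id="import-submit" class="button" value="<?php _e('Upload File and Import', 'google-document-embedder'); ?>" />
-</p>
-
-<?php
-}
-?>
-
-</form>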
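--- a/options.php
+++ b/options.php
@@ -5,6 +5,8 @@ $import = false;
 
 // which form are we submitting (uses nonce for security and identification)
 if ( isset( $_POST['_general_default'] ) ) {
+check_admin_referer('update-default-opts', '_general_default');
+
 // updating default profile
 $tabid = "gentab";
 
@@ -15,6 +17,9 @@ if ( isset( $_POST['_general_default'] ) ) {
 gde_show_msg( __('Unable to update profile.', 'google-document-embedder'), true );
 }
 } elseif ( isset( $_POST['_profiles_new'] ) ) {
+
+check_admin_referer('update-profile-opts', '_profile_edit');
+
 // new profile creation
 global $wpdb;
 $tabid = "protab";
@@ -72,6 +77,9 @@ if ( isset( $_POST['_general_default'] ) ) {
 $noload = "gentab";
 }
 } elseif ( isset( $_POST['_advanced'] ) ) {
+
+check_admin_referer('update-adv-opts', '_advanced');
+
 // updated advanced options (global)
 $tabid = "advtab";
 
@@ -119,32 +127,6 @@ if ( isset( $_POST['_general_default'] ) ) {
 gde_show_msg( __('Settings <strong>updated</strong>.', 'google-document-embedder') ); // not true, but avoids confusion in case where no changes were made
 gde_dx_log('Settings update failed - maybe no changes');
 }
-} elseif ( isset( $_POST['_advanced_import'] ) ) {
-$valid = false;
-
-// check import file validity
-if ( isset( $_FILES['import'] ) && ! empty( $_FILES['import'] ) ) {
-if ( $_FILES['import']['size'] > 0 && is_uploaded_file( $_FILES['import']['tmp_name'] ) && preg_match( '/json$/i', $_FILES['import']['name'] ) ) {
-// file OK, check for json content
-$json = json_decode( file_get_contents( $_FILES['import']['tmp_name'] ), true );
-if ( $json !== null && is_array( $json ) ) {
-// check for supported content
-if ( isset( $json['profiles'] ) || isset( $json['settings'] ) || isset( $json[0]['profile_id'] ) || isset( $json['ed_disable'] ) ) {
-$valid = true;
-}
-}
-}
-}
-
-if ( ! $valid ) {
-$tabid = "advtab";
-gde_show_msg( __('Please select a valid export file to import.', 'google-document-embedder'), true );
-} else {
-// process and import
-$import = true;
-$noload = "gentab";
-gde_import( $json );
-}
 }
 
 // maintain tab on form submission
@@ -390,4 +372,4 @@ function gde_row_actions( $pid ) {
 return $acts;
 }
 
-?>
+?>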
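Review bot: The nonce added in the `_profiles_new` branch is verified against a field named `_profile_edit` while the branch is selected by `$_POST['_profiles_new']`, whereas the other two hunks use the same name for the branch key and the nonce field; if the new-profile form does not emit `wp_nonce_field('update-profile-opts', '_profile_edit')`, `check_admin_referer()` will die on every legitimate submission, so confirm the form side matches. A nonce proves the request came from the plugin's own form, not that the user may change settings — unless the page callback is already registered behind a capability, each branch should additionally gate on `current_user_can('manage_options')` (or whatever capability the menu registration uses). The final hunk reinstates a closing `?>` at end of file; in a PHP-only file any byte after it is emitted as output and can break header sending on the admin page, so dropping it is the safer choice. The `if`/`elseif` chain these hunks touch begins at line 7 and its branch bodies continue outside the hunks shown.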
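--- a/readme.txt
+++ b/readme.txt
@@ -143,6 +143,12 @@ specific features at this time, but it will function normally in this environmen
 
 == Changelog ==
 
+= 2.6.2 =
+
+Additional checks to protect against XSS/CSRF vulnerability reported by Tristan Madani.
+
+Removed settings and profile import/export feature to reduce support and development requirements of this plugin.
+
 = 2.6.1 =
 
 Works with WP4.6.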