Version Description
- Bug Fix: Add nonce to authentication request
Download this release
Release Info
| Developer | layotte |
| Plugin |  iThemes Sync |
| Version | 2.1.3 |
| Comparing to | |
| See all releases | |
Code changes from version 2.1.2 to 2.1.3
- api.php +1 -0
- functions.php +21 -0
- history.txt +3 -1
- init.php +1 -1
- lang/ithemes-sync.pot +3 -3
- readme.txt +3 -0
- request-handler.php +2 -6
- server.php +7 -2
- verbs/check-nonce.php +26 -0
api.php
CHANGED
|
@@ -30,6 +30,7 @@ class Ithemes_Sync_API {
|
|
| 30 |
private $verbs = array();
|
| 31 |
|
| 32 |
private $default_verbs = array(
|
|
|
|
| 33 |
'db-optimization' => 'Ithemes_Sync_Verb_DB_Optimization',
|
| 34 |
'deauthenticate-user' => 'Ithemes_Sync_Verb_Deauthenticate_User',
|
| 35 |
'do-update' => 'Ithemes_Sync_Verb_Do_Update',
|
| 30 |
private $verbs = array();
|
| 31 |
|
| 32 |
private $default_verbs = array(
|
| 33 |
+
'check-nonce' => 'Ithemes_Sync_Verb_Check_Nonce',
|
| 34 |
'db-optimization' => 'Ithemes_Sync_Verb_DB_Optimization',
|
| 35 |
'deauthenticate-user' => 'Ithemes_Sync_Verb_Deauthenticate_User',
|
| 36 |
'do-update' => 'Ithemes_Sync_Verb_Do_Update',
|
functions.php
CHANGED
|
@@ -1008,4 +1008,25 @@ class Ithemes_Sync_Functions {
|
|
| 1008 |
return $reports_url;
|
| 1009 |
}
|
| 1010 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1011 |
}
|
| 1008 |
return $reports_url;
|
| 1009 |
}
|
| 1010 |
|
| 1011 |
+
public static function generate_sync_nonce( $name ) {
|
| 1012 |
+
|
| 1013 |
+
$nonce = array(
|
| 1014 |
+
'value' => wp_generate_password( 24 ),
|
| 1015 |
+
'expiration' => time() + 3600
|
| 1016 |
+
);
|
| 1017 |
+
|
| 1018 |
+
update_option( 'ithemes-sync-nonce-' . $name, $nonce, false );
|
| 1019 |
+
|
| 1020 |
+
return $nonce;
|
| 1021 |
+
}
|
| 1022 |
+
|
| 1023 |
+
public static function validate_sync_nonce( $name, $supplied_nonce ) {
|
| 1024 |
+
$nonce = get_option( 'ithemes-sync-nonce-' . $name );
|
| 1025 |
+
|
| 1026 |
+
if ( $nonce !== false && $nonce['expiration'] > time() && hash_equals( $supplied_nonce, $nonce['value'] ) ) {
|
| 1027 |
+
return true;
|
| 1028 |
+
}
|
| 1029 |
+
|
| 1030 |
+
return false;
|
| 1031 |
+
}
|
| 1032 |
}
|
history.txt
CHANGED
|
@@ -223,4 +223,6 @@
|
|
| 223 |
2.1.1 - 2020-01-10 - Josh Oakes
|
| 224 |
Bug Fix: Remove use of function that was deprecated in PHP 7.4
|
| 225 |
2.1.2 - 2020-02-10 - Josh Oakes
|
| 226 |
-
Bug Fix: Fix PHP warning when updating plugins & themes on WP 5.3+
|
|
|
|
|
|
| 223 |
2.1.1 - 2020-01-10 - Josh Oakes
|
| 224 |
Bug Fix: Remove use of function that was deprecated in PHP 7.4
|
| 225 |
2.1.2 - 2020-02-10 - Josh Oakes
|
| 226 |
+
Bug Fix: Fix PHP warning when updating plugins & themes on WP 5.3+
|
| 227 |
+
2.1.3 - 2020-02-10 - Josh Oakes
|
| 228 |
+
Bug Fix: Add nonce to authentication request
|
init.php
CHANGED
|
@@ -4,7 +4,7 @@ Plugin Name: iThemes Sync
|
|
| 4 |
Plugin URI: http://ithemes.com/sync
|
| 5 |
Description: Manage updates to your WordPress sites easily in one place.
|
| 6 |
Author: iThemes
|
| 7 |
-
Version: 2.1.
|
| 8 |
Author URI: http://ithemes.com/
|
| 9 |
Domain Path: /lang/
|
| 10 |
iThemes Package: ithemes-sync
|
| 4 |
Plugin URI: http://ithemes.com/sync
|
| 5 |
Description: Manage updates to your WordPress sites easily in one place.
|
| 6 |
Author: iThemes
|
| 7 |
+
Version: 2.1.3
|
| 8 |
Author URI: http://ithemes.com/
|
| 9 |
Domain Path: /lang/
|
| 10 |
iThemes Package: ithemes-sync
|
lang/ithemes-sync.pot
CHANGED
|
@@ -2,9 +2,9 @@
|
|
| 2 |
# This file is distributed under the same license as the iThemes Sync package.
|
| 3 |
msgid ""
|
| 4 |
msgstr ""
|
| 5 |
-
"Project-Id-Version: iThemes Sync 2.1.
|
| 6 |
"Report-Msgid-Bugs-To: http://ithemes.com/support/\n"
|
| 7 |
-
"POT-Creation-Date: 2020-02-
|
| 8 |
"PO-Revision-Date: 2020-MO-DA HO:MI+ZONE\n"
|
| 9 |
"MIME-Version: 1.0\n"
|
| 10 |
"Content-Type: text/plain; charset=UTF-8\n"
|
|
@@ -350,7 +350,7 @@ msgstr ""
|
|
| 350 |
msgid "The Sync server returned an unknown response."
|
| 351 |
msgstr ""
|
| 352 |
|
| 353 |
-
#: server.php:
|
| 354 |
msgid "An unrecognized server response format was received from the iThemes Sync server."
|
| 355 |
msgstr ""
|
| 356 |
|
| 2 |
# This file is distributed under the same license as the iThemes Sync package.
|
| 3 |
msgid ""
|
| 4 |
msgstr ""
|
| 5 |
+
"Project-Id-Version: iThemes Sync 2.1.3\n"
|
| 6 |
"Report-Msgid-Bugs-To: http://ithemes.com/support/\n"
|
| 7 |
+
"POT-Creation-Date: 2020-02-14 17:34:22+00:00\n"
|
| 8 |
"PO-Revision-Date: 2020-MO-DA HO:MI+ZONE\n"
|
| 9 |
"MIME-Version: 1.0\n"
|
| 10 |
"Content-Type: text/plain; charset=UTF-8\n"
|
| 350 |
msgid "The Sync server returned an unknown response."
|
| 351 |
msgstr ""
|
| 352 |
|
| 353 |
+
#: server.php:192
|
| 354 |
msgid "An unrecognized server response format was received from the iThemes Sync server."
|
| 355 |
msgstr ""
|
| 356 |
|
readme.txt
CHANGED
|
@@ -87,6 +87,9 @@ Make steady, reliable income for WordPress maintenance with iThemes Sync Pro’s
|
|
| 87 |
|
| 88 |
== Changelog ==
|
| 89 |
|
|
|
|
|
|
|
|
|
|
| 90 |
= 2.1.2 =
|
| 91 |
* Bug Fix: Fix PHP warning when updating plugins & themes on WP 5.3+
|
| 92 |
|
| 87 |
|
| 88 |
== Changelog ==
|
| 89 |
|
| 90 |
+
= 2.1.3 =
|
| 91 |
+
* Bug Fix: Add nonce to authentication request
|
| 92 |
+
|
| 93 |
= 2.1.2 =
|
| 94 |
* Bug Fix: Fix PHP warning when updating plugins & themes on WP 5.3+
|
| 95 |
|
request-handler.php
CHANGED
|
@@ -229,10 +229,6 @@ class Ithemes_Sync_Request_Handler {
|
|
| 229 |
|
| 230 |
private function parse_request( $request ) {
|
| 231 |
|
| 232 |
-
if ( empty( $this->options['authentications'] ) && ( ! empty( $request['action'] ) && 'manage-site' != $request['action'] ) ) {
|
| 233 |
-
$this->send_response( new WP_Error( 'site-not-authenticated', 'The site does not have any authenticated users.' ) );
|
| 234 |
-
}
|
| 235 |
-
|
| 236 |
$this->request = $request;
|
| 237 |
|
| 238 |
$required_vars = array(
|
|
@@ -250,11 +246,11 @@ class Ithemes_Sync_Request_Handler {
|
|
| 250 |
}
|
| 251 |
|
| 252 |
// If action is manage-site, stop here
|
| 253 |
-
if ( 'manage-site' == $request['action'] ) {
|
| 254 |
return;
|
| 255 |
}
|
| 256 |
|
| 257 |
-
if ( ! isset( $this->options['authentications'][$request['user_id']] ) ) {
|
| 258 |
$this->send_response( new WP_Error( 'user-not-authenticated', 'The requested user is not authenticated.' ) );
|
| 259 |
}
|
| 260 |
|
| 229 |
|
| 230 |
private function parse_request( $request ) {
|
| 231 |
|
|
|
|
|
|
|
|
|
|
|
|
|
| 232 |
$this->request = $request;
|
| 233 |
|
| 234 |
$required_vars = array(
|
| 246 |
}
|
| 247 |
|
| 248 |
// If action is manage-site, stop here
|
| 249 |
+
if ( 'manage-site' == $request['action'] || 'check-nonce' == $request['action'] ) {
|
| 250 |
return;
|
| 251 |
}
|
| 252 |
|
| 253 |
+
if ( empty( $this->options['authentications'] ) || ! isset( $this->options['authentications'][$request['user_id']] ) ) {
|
| 254 |
$this->send_response( new WP_Error( 'user-not-authenticated', 'The requested user is not authenticated.' ) );
|
| 255 |
}
|
| 256 |
|
server.php
CHANGED
|
@@ -29,14 +29,18 @@ class Ithemes_Sync_Server {
|
|
| 29 |
|
| 30 |
|
| 31 |
public static function authenticate( $username, $password ) {
|
|
|
|
|
|
|
| 32 |
$query = array(
|
| 33 |
'user' => $username,
|
| 34 |
);
|
| 35 |
-
|
|
|
|
| 36 |
$data = array(
|
| 37 |
'auth_token' => self::get_password_hash( $username, $password ),
|
|
|
|
| 38 |
);
|
| 39 |
-
|
| 40 |
return self::request( 'authenticate-user', $query, $data );
|
| 41 |
}
|
| 42 |
|
|
@@ -236,4 +240,5 @@ class Ithemes_Sync_Server {
|
|
| 236 |
public static function disable_ssl_ca_patch() {
|
| 237 |
remove_action( 'http_api_curl', array( __CLASS__, 'add_ca_patch_to_curl_opts' ) );
|
| 238 |
}
|
|
|
|
| 239 |
}
|
| 29 |
|
| 30 |
|
| 31 |
public static function authenticate( $username, $password ) {
|
| 32 |
+
require_once( $GLOBALS['ithemes_sync_path'] . '/functions.php' );
|
| 33 |
+
|
| 34 |
$query = array(
|
| 35 |
'user' => $username,
|
| 36 |
);
|
| 37 |
+
|
| 38 |
+
$nonce = Ithemes_Sync_Functions::generate_sync_nonce( 'auth-verification' );
|
| 39 |
$data = array(
|
| 40 |
'auth_token' => self::get_password_hash( $username, $password ),
|
| 41 |
+
'nonce' => $nonce['value']
|
| 42 |
);
|
| 43 |
+
|
| 44 |
return self::request( 'authenticate-user', $query, $data );
|
| 45 |
}
|
| 46 |
|
| 240 |
public static function disable_ssl_ca_patch() {
|
| 241 |
remove_action( 'http_api_curl', array( __CLASS__, 'add_ca_patch_to_curl_opts' ) );
|
| 242 |
}
|
| 243 |
+
|
| 244 |
}
|
verbs/check-nonce.php
ADDED
|
@@ -0,0 +1,26 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
<?php
|
| 2 |
+
|
| 3 |
+
class Ithemes_Sync_Verb_Check_Nonce extends Ithemes_Sync_Verb {
|
| 4 |
+
public static $name = 'check-nonce';
|
| 5 |
+
public static $description = 'Check if supplied nonce matches existing one.';
|
| 6 |
+
public static $status_element_name = 'nonce';
|
| 7 |
+
public static $show_in_status_by_default = false;
|
| 8 |
+
|
| 9 |
+
public function run( $arguments ) {
|
| 10 |
+
|
| 11 |
+
require_once( $GLOBALS['ithemes_sync_path'] . '/functions.php' );
|
| 12 |
+
|
| 13 |
+
if ( ! empty( $arguments['nonce'] ) && ! empty( $arguments['nonce-name'] ) ) {
|
| 14 |
+
|
| 15 |
+
if ( Ithemes_Sync_Functions::validate_sync_nonce( $arguments['nonce-name'], $arguments['nonce'] ) ) {
|
| 16 |
+
|
| 17 |
+
return array( 'matches' => true );
|
| 18 |
+
|
| 19 |
+
}
|
| 20 |
+
|
| 21 |
+
}
|
| 22 |
+
|
| 23 |
+
return array( 'matches' => false );
|
| 24 |
+
}
|
| 25 |
+
|
| 26 |
+
}
|
