Kadence WooCommerce Email Designer - Version 1.5.7

Version Description

  • Fix: Possible issue with admin+ PHP object injection in settings importer.

Release Info

Developer britner
Version 1.5.7

Code changes from version 1.5.6 to 1.5.7

includes/class-kadence-woomail-import-export.php CHANGED
@@ -88,14 +88,14 @@ To reset your password, visit the following address:";s:31:"kt_woomail[email_loa
88
  return self::$instance;
89
  }
90
  /**
91
- * Class constructor
92
- *
93
- * @access public
94
- * @return void
95
- */
96
  public function __construct() {
97
 
98
- // Only proceed if this is own request
99
  if ( ! Kadence_Woomail_Designer::is_own_customizer_request() && ! Kadence_Woomail_Designer::is_own_preview_request() ) {
100
  return;
101
  }
@@ -111,11 +111,10 @@ To reset your password, visit the following address:";s:31:"kt_woomail[email_loa
111
  * @return void
112
  */
113
  static public function import_export_requests( $wp_customize ) {
114
- // Check if user is allowed to change values
115
- if ( ! Kadence_Woomail_Designer::is_admin()) {
116
  exit;
117
  }
118
-
119
  if ( isset( $_REQUEST['kt-woomail-export'] ) ) {
120
  self::export_woomail( $wp_customize );
121
  }
@@ -126,8 +125,6 @@ To reset your password, visit the following address:";s:31:"kt_woomail[email_loa
126
  if ( isset( $_REQUEST['kt-woomail-import-template'] ) ) {
127
  self::import_woomail_template( $wp_customize );
128
  }
129
-
130
-
131
  }
132
 
133
  /**
@@ -141,13 +138,12 @@ To reset your password, visit the following address:";s:31:"kt_woomail[email_loa
141
  if ( ! wp_verify_nonce( $_REQUEST['kt-woomail-export'], 'kt-woomail-exporting' ) ) {
142
  return;
143
  }
144
-
145
  $template = 'kadence-woomail-designer';
146
  $charset = get_option( 'blog_charset' );
147
  $data = array(
148
- 'template' => $template,
149
- 'options' => array()
150
- );
151
 
152
  // Get options from the Customizer API.
153
  $settings = $wp_customize->settings();
@@ -155,19 +151,19 @@ To reset your password, visit the following address:";s:31:"kt_woomail[email_loa
155
  foreach ( $settings as $key => $setting ) {
156
  if ( stristr( $key, 'kt_woomail' ) || in_array( $key, self::$woo_core_options ) ) {
157
  // to prevent issues we don't want to export the order id.
158
- if( $key != 'kt_woomail[preview_order_id]' ) {
159
  $data['options'][ $key ] = $setting->value();
160
  }
161
  }
162
  }
163
 
164
-
165
  // Set the download headers.
166
- header( 'Content-disposition: attachment; filename=kadence-woomail-designer-export.dat' );
167
- header( 'Content-Type: application/octet-stream; charset=' . $charset );
168
 
169
  // Serialize the export data.
170
- echo base64_encode( serialize( $data ) );
 
171
 
172
  // Start the download.
173
  die();
@@ -188,19 +184,17 @@ To reset your password, visit the following address:";s:31:"kt_woomail[email_loa
188
  if ( ! function_exists( 'wp_handle_upload' ) ) {
189
  require_once( ABSPATH . 'wp-admin/includes/file.php' );
190
  }
191
-
192
  // Load the export/import option class.
193
  require_once KT_WOOMAIL_PATH . 'includes/class-kadence-woomail-import-option.php';
194
-
195
  // Setup global vars.
196
  global $wp_customize;
197
  global $kt_woomail_import_error;
198
 
199
  // Setup internal vars.
200
- $kt_woomail_import_error = false;
201
- $template = 'kadence-woomail-designer';
202
- $overrides = array( 'test_form' => false, 'test_type' => false, 'mimes' => array('dat' => 'text/plain') );
203
- $file = wp_handle_upload( $_FILES['kadence-woomail-import-file'], $overrides );
204
 
205
  // Make sure we have an uploaded file.
206
  if ( isset( $file['error'] ) ) {
@@ -211,25 +205,26 @@ To reset your password, visit the following address:";s:31:"kt_woomail[email_loa
211
  $kt_woomail_import_error = __( 'Error importing settings! Please try again.', 'kadence-woocommerce-email-designer' );
212
  return;
213
  }
214
-
215
  // Get the upload data.
216
  $raw = file_get_contents( $file['file'] );
217
- //$data = @unserialize( $raw );
218
- // $data = self::mb_unserialize( $raw );
219
- $data = unserialize( base64_decode( $raw ) );
220
- if ( 'array' != gettype( $data ) || ! isset( $data['template'] ) ) {
221
- $data = self::mb_unserialize( $raw );
 
 
222
  }
223
  // Remove the uploaded file.
224
  unlink( $file['file'] );
225
 
226
  // Data checks.
227
  if ( 'array' != gettype( $data ) ) {
228
- $kt_woomail_import_error = __( 'Error importing settings! Please check that you uploaded an email customizer export file.', 'kadence-woocommerce-email-designer' );
229
  return;
230
  }
231
  if ( ! isset( $data['template'] ) ) {
232
- $kt_woomail_import_error = __( 'Error importing settings! Please check that you uploaded an email customizer export file.', 'kadence-woocommerce-email-designer' );
233
  return;
234
  }
235
  if ( $data['template'] != $template ) {
@@ -239,20 +234,15 @@ To reset your password, visit the following address:";s:31:"kt_woomail[email_loa
239
 
240
  // Import custom options.
241
  if ( isset( $data['options'] ) ) {
242
-
243
  foreach ( $data['options'] as $option_key => $option_value ) {
244
-
245
  $option = new Kadence_Woomail_Import_Option( $wp_customize, $option_key, array(
246
  'default' => '',
247
  'type' => 'option',
248
  'capability' => Kadence_Woomail_Designer::get_admin_capability(),
249
  ) );
250
-
251
  $option->import( $option_value );
252
  }
253
  }
254
-
255
-
256
  // Call the customize_save action.
257
  do_action( 'customize_save', $wp_customize );
258
 
@@ -282,7 +272,7 @@ To reset your password, visit the following address:";s:31:"kt_woomail[email_loa
282
 
283
  },
284
  $string );
285
- return @unserialize( $string2 );
286
  }
287
 
288
  /**
@@ -310,7 +300,7 @@ To reset your password, visit the following address:";s:31:"kt_woomail[email_loa
310
  $prebuilt = $_REQUEST['kt-woomail-prebuilt-template'];
311
  $raw_data = self::prebuilt( $prebuilt );
312
 
313
- $data = @unserialize( $raw_data );
314
 
315
 
316
  // Data checks.
88
  return self::$instance;
89
  }
90
  /**
91
+ * Class constructor
92
+ *
93
+ * @access public
94
+ * @return void
95
+ */
96
  public function __construct() {
97
 
98
+ // Only proceed if this is own request.
99
  if ( ! Kadence_Woomail_Designer::is_own_customizer_request() && ! Kadence_Woomail_Designer::is_own_preview_request() ) {
100
  return;
101
  }
111
  * @return void
112
  */
113
  static public function import_export_requests( $wp_customize ) {
114
+ // Check if user is allowed to change values.
115
+ if ( ! Kadence_Woomail_Designer::is_admin() ) {
116
  exit;
117
  }
 
118
  if ( isset( $_REQUEST['kt-woomail-export'] ) ) {
119
  self::export_woomail( $wp_customize );
120
  }
125
  if ( isset( $_REQUEST['kt-woomail-import-template'] ) ) {
126
  self::import_woomail_template( $wp_customize );
127
  }
 
 
128
  }
129
 
130
  /**
138
  if ( ! wp_verify_nonce( $_REQUEST['kt-woomail-export'], 'kt-woomail-exporting' ) ) {
139
  return;
140
  }
 
141
  $template = 'kadence-woomail-designer';
142
  $charset = get_option( 'blog_charset' );
143
  $data = array(
144
+ 'template' => $template,
145
+ 'options' => array()
146
+ );
147
 
148
  // Get options from the Customizer API.
149
  $settings = $wp_customize->settings();
151
  foreach ( $settings as $key => $setting ) {
152
  if ( stristr( $key, 'kt_woomail' ) || in_array( $key, self::$woo_core_options ) ) {
153
  // to prevent issues we don't want to export the order id.
154
+ if ( $key != 'kt_woomail[preview_order_id]' ) {
155
  $data['options'][ $key ] = $setting->value();
156
  }
157
  }
158
  }
159
 
 
160
  // Set the download headers.
161
+ header( 'Content-disposition: attachment; filename=kadence-woomail-designer-export.json' );
162
+ header( 'Content-Type: application/json; charset=' . $charset );
163
 
164
  // Serialize the export data.
165
+ echo wp_json_encode( $data );
166
+ // echo base64_encode( serialize( $data ) );
167
 
168
  // Start the download.
169
  die();
184
  if ( ! function_exists( 'wp_handle_upload' ) ) {
185
  require_once( ABSPATH . 'wp-admin/includes/file.php' );
186
  }
 
187
  // Load the export/import option class.
188
  require_once KT_WOOMAIL_PATH . 'includes/class-kadence-woomail-import-option.php';
 
189
  // Setup global vars.
190
  global $wp_customize;
191
  global $kt_woomail_import_error;
192
 
193
  // Setup internal vars.
194
+ $kt_woomail_import_error = false;
195
+ $template = 'kadence-woomail-designer';
196
+ $overrides = array( 'test_form' => false, 'test_type' => false, 'mimes' => array( 'dat' => 'text/plain', 'json' => 'text/plain' ) );
197
+ $file = wp_handle_upload( $_FILES['kadence-woomail-import-file'], $overrides );
198
 
199
  // Make sure we have an uploaded file.
200
  if ( isset( $file['error'] ) ) {
205
  $kt_woomail_import_error = __( 'Error importing settings! Please try again.', 'kadence-woocommerce-email-designer' );
206
  return;
207
  }
 
208
  // Get the upload data.
209
  $raw = file_get_contents( $file['file'] );
210
+ $data = json_decode( $raw, true );
211
+ // Check for support of older export files. Will remove later.
212
+ if ( ( 'array' != gettype( $data ) || ! isset( $data['template'] ) ) && version_compare( phpversion(), '7.0.0' ) >= 0 ) {
213
+ $data = @unserialize( base64_decode( $raw ), array( 'allowed_classes' => false ) );
214
+ if ( 'array' != gettype( $data ) || ! isset( $data['template'] ) ) {
215
+ $data = self::mb_unserialize( $raw );
216
+ }
217
  }
218
  // Remove the uploaded file.
219
  unlink( $file['file'] );
220
 
221
  // Data checks.
222
  if ( 'array' != gettype( $data ) ) {
223
+ $kt_woomail_import_error = __( 'Error importing settings! Please check that you uploaded the correct export file.', 'kadence-woocommerce-email-designer' );
224
  return;
225
  }
226
  if ( ! isset( $data['template'] ) ) {
227
+ $kt_woomail_import_error = __( 'Error importing settings! Please check that you uploaded the correct export file.', 'kadence-woocommerce-email-designer' );
228
  return;
229
  }
230
  if ( $data['template'] != $template ) {
234
 
235
  // Import custom options.
236
  if ( isset( $data['options'] ) ) {
 
237
  foreach ( $data['options'] as $option_key => $option_value ) {
 
238
  $option = new Kadence_Woomail_Import_Option( $wp_customize, $option_key, array(
239
  'default' => '',
240
  'type' => 'option',
241
  'capability' => Kadence_Woomail_Designer::get_admin_capability(),
242
  ) );
 
243
  $option->import( $option_value );
244
  }
245
  }
 
 
246
  // Call the customize_save action.
247
  do_action( 'customize_save', $wp_customize );
248
 
272
 
273
  },
274
  $string );
275
+ return @unserialize( $string2, array( 'allowed_classes' => false ) );
276
  }
277
 
278
  /**
300
  $prebuilt = $_REQUEST['kt-woomail-prebuilt-template'];
301
  $raw_data = self::prebuilt( $prebuilt );
302
 
303
+ $data = @unserialize( $raw_data, array( 'allowed_classes' => false ));
304
 
305
 
306
  // Data checks.
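Review bot: The `version_compare( phpversion(), '7.0.0' ) >= 0` guard on the new line 212 protects only the first legacy fallback in import_woomail; the same two-argument `@unserialize( ..., array( 'allowed_classes' => false ) )` form is passed unconditionally on the new line 275 in mb_unserialize and on the new line 303 in import_woomail_template. On PHP 5.x, which readme.txt still declares supported via `Requires PHP: 5.2.4`, an internal function called with an extra argument warns and returns null, and the `@` hides that warning, so those two paths would silently yield no data instead of deserializing. Either raise the plugin's declared minimum to PHP 7.0 (which also makes the guard on line 212 unnecessary), or apply the same version check before the other two calls; the readme change in this commit does not mention a new minimum. Both enclosing functions start outside the shown hunks, and the source of `self::prebuilt( $prebuilt )` is not visible here, so whether that data is plugin-shipped or user-controlled cannot be confirmed from the diff. A one-line comment on line 213 would make the intent durable for the next maintainer: `// allowed_classes => false stops any serialized object in the upload from being instantiated; exports are expected to contain only arrays and scalars.`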
kadence-woocommerce-email-designer.php CHANGED
@@ -3,7 +3,7 @@
3
  * Plugin Name: Kadence WooCommerce Email Designer
4
  * Plugin URI: http://kadencewp.com/products/woocommerce-email-designer/
5
  * Description: Customize the default woocommerce email templates design and text through the native WordPress customizer. Preview emails and send test emails.
6
- * Version: 1.5.6
7
  * Author: Kadence WP
8
  * Author URI: http://kadencewp.com/
9
  * License: GPLv2 or later
@@ -59,7 +59,7 @@ class Kadence_Woomail_Designer {
59
 
60
  define( 'KT_WOOMAIL_PATH', realpath( plugin_dir_path( __FILE__ ) ) . DIRECTORY_SEPARATOR );
61
  define( 'KT_WOOMAIL_URL', plugin_dir_url( __FILE__ ) );
62
- define( 'KT_WOOMAIL_VERSION', '1.5.6' );
63
 
64
  if ( ! kadence_woomail_is_woo_active() ) {
65
  add_action( 'admin_notices', array( $this, 'admin_notice_need_woocommerce' ) );
3
  * Plugin Name: Kadence WooCommerce Email Designer
4
  * Plugin URI: http://kadencewp.com/products/woocommerce-email-designer/
5
  * Description: Customize the default woocommerce email templates design and text through the native WordPress customizer. Preview emails and send test emails.
6
+ * Version: 1.5.7
7
  * Author: Kadence WP
8
  * Author URI: http://kadencewp.com/
9
  * License: GPLv2 or later
59
 
60
  define( 'KT_WOOMAIL_PATH', realpath( plugin_dir_path( __FILE__ ) ) . DIRECTORY_SEPARATOR );
61
  define( 'KT_WOOMAIL_URL', plugin_dir_url( __FILE__ ) );
62
+ define( 'KT_WOOMAIL_VERSION', '1.5.7' );
63
 
64
  if ( ! kadence_woomail_is_woo_active() ) {
65
  add_action( 'admin_notices', array( $this, 'admin_notice_need_woocommerce' ) );
readme.txt CHANGED
@@ -5,7 +5,7 @@ Donate link: https://www.kadencewp.com/about-us/
5
  Requires PHP: 5.2.4
6
  Requires at least: 5.3
7
  Tested up to: 6.0
8
- Stable tag: 1.5.6
9
  License: GPLv2 or later
10
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
11
 
@@ -81,6 +81,9 @@ After you create your translations make sure to clear your server cache from any
81
 
82
  == Changelog ==
83
 
 
 
 
84
  = 1.5.6 =
85
  * Fix: Prevent email mockup url from direct access.
86
 
5
  Requires PHP: 5.2.4
6
  Requires at least: 5.3
7
  Tested up to: 6.0
8
+ Stable tag: 1.5.7
9
  License: GPLv2 or later
10
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
11
 
81
 
82
  == Changelog ==
83
 
84
+ = 1.5.7 =
85
+ * Fix: Possible issue with admin+ PHP objection injection in settings importer.
86
+
87
  = 1.5.6 =
88
  * Fix: Prevent email mockup url from direct access.
89