VaultPress - Version 1.7.7

Version Description

  • 15 Sep 2015
  • Security: Add a new security hotfix.

Release Info

Developer ryelle
Version 1.7.7

Code changes from version 1.7.6 to 1.7.7

Files changed (3) hide show
  1. class.vaultpress-hotfixes.php +39 -24
  2. readme.txt +4 -1
  3. vaultpress.php +2 -2
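--- a/class.vaultpress-hotfixes.php
+++ b/class.vaultpress-hotfixes.php
@@ -9,8 +9,8 @@ class VaultPress_Hotfixes {
 if ( version_compare( $wp_version, '3.0.2', '<' ) )
 add_filter( 'query', array( $this, 'r16625' ) );
 
-if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST && version_compare( $wp_version, '3.0.3', '<' ) )
-add_action( 'xmlrpc_call', array( $this, 'r16803' ) );
+if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST && version_compare( $wp_version, '4.3.1', '<' ) )
+add_action( 'xmlrpc_call', array( $this, 'filter_xmlrpc_methods' ) );
 
 if ( version_compare( $wp_version, '3.3.2', '<' ) ) {
 add_filter( 'pre_kses', array( $this, 'r17172_wp_kses' ), 1, 3 );
@@ -102,6 +102,17 @@ class VaultPress_Hotfixes {
 
 // Protect WooCommerce from object injection via PayPal IPN notifications. Affects 2.0.20 -> 2.3.10
 add_action( 'init', array( $this , 'protect_woocommerce_paypal_object_injection' ), 1 );
+
+if ( version_compare( $wp_version, '3.1', '>=') && version_compare( $wp_version, '4.3', '<=' ) ) {
+if ( is_admin() ) {
+add_filter( 'user_email', array( $this, 'patch_user_email' ), 10 , 3 );
+}
+
+remove_shortcode( 'wp_caption' );
+remove_shortcode( 'caption' );
+add_shortcode( 'wp_caption', array( $this, 'filtered_caption_shortcode' ) );
+add_shortcode( 'caption', array( $this, 'filtered_caption_shortcode' ) );
+}
 }
 
 function filter_long_comment_xss( $commentdata ) {
@@ -333,7 +344,7 @@ class VaultPress_Hotfixes {
 return $wpdb->prepare( "UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d", $tb_ping, $post_id );
 }
 
-function r16803( $xmlrpc_method ) {
+function filter_xmlrpc_methods( $xmlrpc_method ) {
 // Hotfixes: http://core.trac.wordpress.org/changeset/16803
 global $wp_xmlrpc_server;
 // Pretend that we are an xmlrpc method, freshly called
@@ -372,31 +383,17 @@ class VaultPress_Hotfixes {
 case 'metaWeblog.editPost':
 $post_ID = (int) $args[0];
 $content_struct = $args[3];
-$publish = $args[4];
+$publish = $args[4] || ( isset( $content_struct['post_status'] ) && in_array( $content_struct['post_status'], array( 'publish', 'private' ) ) );
 $cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
 $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
 if ( !empty( $content_struct['post_type'] ) ) {
-if ( $content_struct['post_type'] == 'page' ) {
-if ( $publish || 'publish' == $content_struct['page_status'] )
-$cap = 'publish_pages';
-else
-$cap = 'edit_pages';
-$error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
-} elseif ( $content_struct['post_type'] == 'post' ) {
-if ( $publish || 'publish' == $content_struct['post_status'] )
-$cap = 'publish_posts';
-else
-$cap = 'edit_posts';
-$error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
-} else {
-$error_message = __( 'Invalid post type.' );
-}
-} else {
-if ( $publish || 'publish' == $content_struct['post_status'] )
-$cap = 'publish_posts';
-else
-$cap = 'edit_posts';
+if ( $content_struct['post_type'] == 'page' ) {
+$error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
+} elseif ( $content_struct['post_type'] == 'post' ) {
 $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+} else {
+$error_message = __( 'Invalid post type.' );
+}
 }
 if ( current_user_can( $cap ) )
 return true;
@@ -691,6 +688,24 @@ EOD;
 }
 }
 }
+
+// Protect WordPress 3.1.0 -> WordPress 4.3.0 from code injection via user email
+function patch_user_email( $value, $user_id, $context ) {
+if ( 'display' === $context && class_exists( 'WP_Users_List_Table' ) ) {
+return esc_attr( $value );
+}
+
+return $value;
+}
+
+// Protect WordPress < 4.3.1 from evil tags inside caption shortcodes
+function filtered_caption_shortcode( $attr, $content = null ) {
+if ( isset( $attr['caption'] ) && strpos( $attr['caption'], '<' ) !== false ) {
+$attr['caption'] = wp_kses( $attr['caption'], 'post' );
+}
+
+return img_caption_shortcode( $attr, $content );
+}
 }
 
 global $wp_version;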
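Review bot: In the rewritten `case 'metaWeblog.editPost'` branch, `$cap` is now fixed at `publish_posts`/`edit_posts` for every post type: the new `$content_struct['post_type'] == 'page'` branch only changes `$error_message`, whereas the removed code switched the capability to `publish_pages`/`edit_pages` for pages. If that is deliberate because core's own per-post capability check still runs after this pre-check, a one-line comment saying so would stop the next reader from restoring it; otherwise `$cap = $publish ? 'publish_pages' : 'edit_pages';` belongs back in that branch. The new `$publish` line also reads `$args[4]` without `isset()` and uses a non-strict `in_array()`; `$publish = ! empty( $args[4] ) || ( isset( $content_struct['post_status'] ) && in_array( $content_struct['post_status'], array( 'publish', 'private' ), true ) );` avoids an undefined-offset notice on short argument lists and loose matches such as a boolean status value. The version guard in the constructor uses `'4.3', '<='` while the comment above `filtered_caption_shortcode` says `< 4.3.1`; stating the intended range once, in one form, would keep the two in step. `filter_xmlrpc_methods` starts and ends outside this hunk.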
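--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: automattic, apokalyptik, briancolinger, josephscott, shaunandrews,
 Tags: security, malware, virus, archive, back up, back ups, backup, backups, scanning, restore, wordpress backup, site backup, website backup
 Requires at least: 2.9.2
 Tested up to: 4.3
-Stable tag: 1.7.6
+Stable tag: 1.7.7
 License: GPLv2
 
 VaultPress is a subscription service offering realtime backup, automated security scanning, and support from WordPress experts.
@@ -51,6 +51,9 @@ A VaultPress subscription is for a single WordPress site. You can purchase addit
 Yes, VaultPress supports Multisite installs. Each site will require its own subscription.
 
 == Changelog ==
+= 1.7.7 - 15 Sep 2015 =
+* Security: Add a new security hotfix.
+
 = 1.7.6 - 14 Aug 2015 =
 * Improved support for multisite installs with custom domains
 * Improved live-backup support for WooCommerce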
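--- a/vaultpress.php
+++ b/vaultpress.php
@@ -3,7 +3,7 @@
  * Plugin Name: VaultPress
  * Plugin URI: http://vaultpress.com/?utm_source=plugin-uri&amp;utm_medium=plugin-description&amp;utm_campaign=1.0
  * Description: Protect your content, themes, plugins, and settings with <strong>realtime backup</strong> and <strong>automated security scanning</strong> from <a href="http://vaultpress.com/?utm_source=wp-admin&amp;utm_medium=plugin-description&amp;utm_campaign=1.0" rel="nofollow">VaultPress</a>. Activate, enter your registration key, and never worry again. <a href="http://vaultpress.com/help/?utm_source=wp-admin&amp;utm_medium=plugin-description&amp;utm_campaign=1.0" rel="nofollow">Need some help?</a>
- * Version: 1.7.6
+ * Version: 1.7.7
  * Author: Automattic
  * Author URI: http://vaultpress.com/?utm_source=author-uri&amp;utm_medium=plugin-description&amp;utm_campaign=1.0
  * License: GPL2+
@@ -17,7 +17,7 @@ defined( 'ABSPATH' ) or die();
 class VaultPress {
 var $option_name = 'vaultpress';
 var $db_version = 4;
-var $plugin_version = '1.7.6';
+var $plugin_version = '1.7.7';
 
 function __construct() {
 register_activation_hook( __FILE__, array( $this, 'activate' ) );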