Version Description
- Fixed: CSV Injection Vulnerability affecting exports (thanks FortiGuard Labs)
Download this release
Release Info
| Developer | visser |
| Plugin |  WooCommerce – Store Exporter |
| Version | 2.4 |
| Comparing to | |
| See all releases | |
Code changes from version 2.3.1 to 2.4
- exporter.php +1 -1
- includes/formatting.php +18 -2
- readme.txt +10 -2
exporter.php
CHANGED
|
@@ -3,7 +3,7 @@
|
|
| 3 |
* Plugin Name: WooCommerce - Store Exporter
|
| 4 |
* Plugin URI: http://www.visser.com.au/woocommerce/plugins/exporter/
|
| 5 |
* Description: Export store details out of WooCommerce into simple formatted files (e.g. CSV, TSV, Excel formats including XLS and XLSX, XML, etc.)
|
| 6 |
-
* Version: 2.
|
| 7 |
* Author: Visser Labs
|
| 8 |
* Author URI: http://www.visser.com.au/solutions/
|
| 9 |
* License: GPL2
|
| 3 |
* Plugin Name: WooCommerce - Store Exporter
|
| 4 |
* Plugin URI: http://www.visser.com.au/woocommerce/plugins/exporter/
|
| 5 |
* Description: Export store details out of WooCommerce into simple formatted files (e.g. CSV, TSV, Excel formats including XLS and XLSX, XML, etc.)
|
| 6 |
+
* Version: 2.4
|
| 7 |
* Author: Visser Labs
|
| 8 |
* Author URI: http://www.visser.com.au/solutions/
|
| 9 |
* License: GPL2
|
includes/formatting.php
CHANGED
|
@@ -57,6 +57,18 @@ function woo_ce_escape_csv_value( $string = '', $delimiter = ',', $format = 'all
|
|
| 57 |
$string = str_replace( '"', '""', $string );
|
| 58 |
$string = wp_specialchars_decode( $string );
|
| 59 |
$string = str_replace( PHP_EOL, "\r\n", $string );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 60 |
switch( $format ) {
|
| 61 |
|
| 62 |
case 'all':
|
|
@@ -76,8 +88,12 @@ function woo_ce_escape_csv_value( $string = '', $delimiter = ',', $format = 'all
|
|
| 76 |
|
| 77 |
function woo_ce_filter_attribute_escape( $safe_text = '', $text = '' ) {
|
| 78 |
|
| 79 |
-
if(
|
| 80 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
| 81 |
}
|
| 82 |
|
| 83 |
return $safe_text;
|
| 57 |
$string = str_replace( '"', '""', $string );
|
| 58 |
$string = wp_specialchars_decode( $string );
|
| 59 |
$string = str_replace( PHP_EOL, "\r\n", $string );
|
| 60 |
+
|
| 61 |
+
// Check for Formula Injection
|
| 62 |
+
if( !apply_filters( 'woo_ce_allow_export_formulas', false ) ) {
|
| 63 |
+
if(
|
| 64 |
+
substr( trim( $string ), 0, 1 ) == '=' ||
|
| 65 |
+
substr( trim( $string ), 0, 1 ) == '+' ||
|
| 66 |
+
substr( trim( $string ), 0, 1 ) == '@'
|
| 67 |
+
) {
|
| 68 |
+
$string = ltrim( $string, '=+@' );
|
| 69 |
+
}
|
| 70 |
+
}
|
| 71 |
+
|
| 72 |
switch( $format ) {
|
| 73 |
|
| 74 |
case 'all':
|
| 88 |
|
| 89 |
function woo_ce_filter_attribute_escape( $safe_text = '', $text = '' ) {
|
| 90 |
|
| 91 |
+
if(
|
| 92 |
+
substr( trim( $safe_text ), 0, 1 ) == '=' ||
|
| 93 |
+
substr( trim( $safe_text ), 0, 1 ) == '+' ||
|
| 94 |
+
substr( trim( $safe_text ), 0, 1 ) == '@'
|
| 95 |
+
) {
|
| 96 |
+
$safe_text = ltrim( $safe_text, '=+@' );
|
| 97 |
}
|
| 98 |
|
| 99 |
return $safe_text;
|
readme.txt
CHANGED
|
@@ -4,8 +4,8 @@ Contributors: visser, visser.labs
|
|
| 4 |
Donate link: https://www.visser.com.au/donations/
|
| 5 |
Tags: woocommerce, export, products, sales, orders, coupons, users, subscriptions, csv
|
| 6 |
Requires at least: 2.9.2
|
| 7 |
-
Tested up to: 5.2
|
| 8 |
-
Stable tag: 2.
|
| 9 |
License: GPLv2 or later
|
| 10 |
|
| 11 |
Export store details out of WooCommerce into simple formatted files (e.g. CSV, XML, Excel 2007, XLS, etc.).
|
|
@@ -154,6 +154,9 @@ If you have any problems, questions or suggestions please create a topic here on
|
|
| 154 |
|
| 155 |
== Changelog ==
|
| 156 |
|
|
|
|
|
|
|
|
|
|
| 157 |
= 2.3.1 =
|
| 158 |
* Fixed: Private Products being included in default Product exports (thanks @golfball-uhu)
|
| 159 |
|
|
@@ -727,6 +730,11 @@ If you have any problems, questions or suggestions please create a topic here on
|
|
| 727 |
= 1.0 =
|
| 728 |
* Added: First working release of the Plugin
|
| 729 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 730 |
== Disclaimer ==
|
| 731 |
|
| 732 |
It is not responsible for any harm or wrong doing this Plugin may cause. Users are fully responsible for their own use. This Plugin is to be used WITHOUT warranty.
|
| 4 |
Donate link: https://www.visser.com.au/donations/
|
| 5 |
Tags: woocommerce, export, products, sales, orders, coupons, users, subscriptions, csv
|
| 6 |
Requires at least: 2.9.2
|
| 7 |
+
Tested up to: 5.3.2
|
| 8 |
+
Stable tag: 2.4
|
| 9 |
License: GPLv2 or later
|
| 10 |
|
| 11 |
Export store details out of WooCommerce into simple formatted files (e.g. CSV, XML, Excel 2007, XLS, etc.).
|
| 154 |
|
| 155 |
== Changelog ==
|
| 156 |
|
| 157 |
+
= 2.4 =
|
| 158 |
+
* Fixed: CSV Injection Vulnerability affecting exports (thanks FortiGuard Labs)
|
| 159 |
+
|
| 160 |
= 2.3.1 =
|
| 161 |
* Fixed: Private Products being included in default Product exports (thanks @golfball-uhu)
|
| 162 |
|
| 730 |
= 1.0 =
|
| 731 |
* Added: First working release of the Plugin
|
| 732 |
|
| 733 |
+
== Upgrade Notice ==
|
| 734 |
+
|
| 735 |
+
= 2.4 =
|
| 736 |
+
2.4 is an urgent Plugin release to patch a CSV Injection Vulnerability affecting exports reported by Vishnupriya Ilango of Fortinet's FortiGuard Labs.
|
| 737 |
+
|
| 738 |
== Disclaimer ==
|
| 739 |
|
| 740 |
It is not responsible for any harm or wrong doing this Plugin may cause. Users are fully responsible for their own use. This Plugin is to be used WITHOUT warranty.
|
