Version Description
- Fixed: XSS hardening. Thanks @secupress
- Fixed: CSRF patch regarding missing nonces. Thanks @secupress
- Improvement: escape all of the things.
Release Info
Developer | webdevmattcrom |
Plugin | WP Rollback |
Version | 1.2.3 |
Code changes from version 1.2.2 to 1.2.3
- assets/js/themes-wp-rollback.js +1 -1
- includes/rollback-action.php +3 -3
- includes/rollback-menu.php +6 -5
- readme.txt +6 -1
- wp-rollback.php +13 -2
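--- a/assets/js/themes-wp-rollback.js
+++ b/assets/js/themes-wp-rollback.js
@@ -95,7 +95,7 @@ jQuery.noConflict();
 var active_theme = $( '.theme-overlay' ).hasClass( 'active' );
 
 
-var rollback_btn_html = '<a href="' + encodeURI( 'index.php?page=wp-rollback&type=theme&theme_file=' + theme + '¤t_version=' + theme_data.version + '&rollback_name=' + theme_data.name + '' ) + '" style="position:absolute;right: ' + (active_theme === true ? '5px' : '80px') + '; bottom: 5px;" class="button wpr-theme-rollback">' + wpr_vars.text_rollback_label + '</a>';
+var rollback_btn_html = '<a href="' + encodeURI( 'index.php?page=wp-rollback&type=theme&theme_file=' + theme + '¤t_version=' + theme_data.version + '&rollback_name=' + theme_data.name + '&_wpnonce=' + wpr_vars.nonce ) + '" style="position:absolute;right: ' + (active_theme === true ? '5px' : '80px') + '; bottom: 5px;" class="button wpr-theme-rollback">' + wpr_vars.text_rollback_label + '</a>';
 
 $( '.theme-wrap' ).find( '.theme-actions' ).append( rollback_btn_html );
 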
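Review bot: `encodeURI` over the whole assembled query string on line 98 leaves `&`, `=`, `+` and `#` unencoded, so a theme name in `theme_data.name` containing one of them splits or truncates the query, and because `_wpnonce` is appended last it is the parameter most likely to be lost, leaving `check_admin_referer` to reject the link. Encode each value on its own instead: `'&rollback_name=' + encodeURIComponent( theme_data.name ) + '&_wpnonce=' + encodeURIComponent( wpr_vars.nonce )`, and likewise for `theme` and `theme_data.version`. The page renders `¤t_version` where the source presumably reads `&current_version`; that looks like an HTML-entity artifact of the viewer (`&curren;`), but it is worth confirming the committed file is intact. The enclosing callback starts and ends outside the hunk.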
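--- a/includes/rollback-action.php
+++ b/includes/rollback-action.php
@@ -9,12 +9,12 @@ if ( ! defined( 'ABSPATH' ) ) {
 }
 
 $nonce = 'upgrade-plugin_' . $this->plugin_slug;
-$url = 'index.php?page=wp-rollback&plugin_file=' . $args['plugin_file'] . 'action=upgrade-plugin';
+$url = 'index.php?page=wp-rollback&plugin_file=' . esc_url( $args['plugin_file'] ) . 'action=upgrade-plugin';
 $plugin = $this->plugin_slug;
 $version = $args['plugin_version'];
 
 //Theme rollback
-if (
+if ( !empty( $_GET['theme_file'] ) && file_exists( WP_CONTENT_DIR . '/themes/' . $_GET['theme_file'] ) ) {
 
 //theme specific vars
 $nonce = 'upgrade-theme_' . $_GET['theme_file'];
@@ -26,7 +26,7 @@ if ( isset( $_GET['theme_file'] ) ) {
 
 $upgrader->rollback( $_GET['theme_file'] );
 
-} elseif (
+} elseif ( !empty( $_GET['plugin_file'] ) && file_exists( WP_PLUGIN_DIR . '/' . $_GET['plugin_file'] ) ) {
 //This is a plugin rollback
 $upgrader = new WP_Rollback_Plugin_Upgrader( new Plugin_Upgrader_Skin( compact( 'title', 'nonce', 'url', 'plugin', 'version' ) ) );
 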
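Review bot: The new guards on lines 17 and 29 build a filesystem path from `$_GET['theme_file']` / `$_GET['plugin_file']` and only test `file_exists`, which proves the path resolves but not that it lies inside the themes or plugins directory, and the same raw value is still handed to `$upgrader->rollback()` on line 27. Checking the value against what WordPress knows is installed is the stronger test, e.g. `wp_get_theme( $_GET['theme_file'] )->exists()` for themes and `array_key_exists( $_GET['plugin_file'], get_plugins() )` for plugins, which also removes the hard-coded `WP_CONTENT_DIR . '/themes/'` that ignores a custom theme root (`get_theme_root()`). The same `file_exists` pattern is added in wp-rollback.php around line 435. Separately, `esc_url()` on line 12 is an output escaper rather than a query-string encoder; `rawurlencode( $args['plugin_file'] )` fits there, and the literal still lacks the `&` before `action=upgrade-plugin`. The `if`/`elseif` chain these lines belong to extends beyond both hunks.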
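--- a/includes/rollback-menu.php
+++ b/includes/rollback-menu.php
@@ -22,7 +22,7 @@ $plugins = get_plugins();
 
 <h2><img src="<?php echo WP_ROLLBACK_PLUGIN_URL; ?>/assets/images/wprb-icon-final.svg" onerror="this.onerror=null; this.src='<?php echo WP_ROLLBACK_PLUGIN_URL; ?>/assets/images/wprb-logo.png'"><?php _e( 'WP Rollback', 'wpr' ); ?></h2>
 
-<p><?php echo apply_filters( 'wpr_rollback_description', sprintf( __( 'Please select which %1$s version you would like to rollback to from the releases listed below. You currently have version %2$s installed of %3$s.', 'wpr' ), '<span class="type">' . ( $theme_rollback == true ? 'theme' : 'plugin' ) . '</span>', '<span class="current-version">' . $args['current_version'] . '</span>', '<span class="rollback-name">' . $args['rollback_name'] . '</span>' ) ); ?></p>
+<p><?php echo apply_filters( 'wpr_rollback_description', sprintf( __( 'Please select which %1$s version you would like to rollback to from the releases listed below. You currently have version %2$s installed of %3$s.', 'wpr' ), '<span class="type">' . ( $theme_rollback == true ? 'theme' : 'plugin' ) . '</span>', '<span class="current-version">' . esc_html( $args['current_version'] ) . '</span>', '<span class="rollback-name">' . esc_html( $args['rollback_name'] ) . '</span>' ) ); ?></p>
 
 </div>
 
@@ -68,12 +68,13 @@ $plugins = get_plugins();
 <?php
 //Important: We need the appropriate file to perform a rollback
 if ( $plugin_rollback == true ) { ?>
-<input type="hidden" name="plugin_file" value="<?php echo $args['plugin_file']; ?>">
+<input type="hidden" name="plugin_file" value="<?php echo esc_attr( $args['plugin_file'] ); ?>">
 <?php } else { ?>
-<input type="hidden" name="theme_file" value="<?php echo $_GET['theme_file']; ?>">
+<input type="hidden" name="theme_file" value="<?php echo esc_attr( $_GET['theme_file'] ); ?>">
 <?php } ?>
-<input type="hidden" name="rollback_name" value="<?php echo $args['rollback_name']; ?>">
-<input type="hidden" name="installed_version" value="<?php echo $args['current_version']; ?>">
+<input type="hidden" name="rollback_name" value="<?php echo esc_attr( $args['rollback_name'] ); ?>">
+<input type="hidden" name="installed_version" value="<?php echo esc_attr( $args['current_version'] ); ?>">
+<?php wp_nonce_field( 'wpr_rollback_nonce' ); ?>
 
 
 <div id="wpr-modal-confirm" class="white-popup mfp-hide">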
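Review bot: The nonce field on line 77 uses the fixed action `wpr_rollback_nonce`, the same action the theme-page links and plugin links carry, so one token authorizes any plugin or theme rollback for that user rather than the one this form was rendered for. WordPress convention is to bind the action to the target, e.g. `wp_nonce_field( 'wpr_rollback_' . ( $plugin_rollback ? $args['plugin_file'] : $_GET['theme_file'] ) )`, with the matching action string wherever the nonce is created and in the `check_admin_referer()` calls in wp-rollback.php. The `esc_attr()` calls on lines 71-76 fix the reflection of the hidden inputs; the `<h2>` on line 23 still echoes `WP_ROLLBACK_PLUGIN_URL` unescaped into `src` and the inline `onerror`, which is a constant and so low risk, but `esc_url()` there would keep the file consistent with the rest of the change. The surrounding form markup starts and ends outside these hunks.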
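--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: rollback, revert, downgrade, version, plugins, themes, version, versions,
 Requires at least: 3.8
 Donate Link: https://wordimpress.com
 Tested up to: 4.2.2
-Stable tag: 1.2.
+Stable tag: 1.2.3
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -109,6 +109,11 @@ This is the first version of this plugin. It is a tool for your convenience. Rol
 
 == Changelog ==
 
+= 1.2.3 =
+* Fixed: XSS hardening. Thanks @secupress
+* Fixed: CSRF patch regarding missing nonces. Thanks @secupress
+* Improvement: escape all of the things.
+
 = 1.2.2 =
 * New: Russian translations from @Flector - thanks!
 * Fix: Replaced use of wp_json_encode to support older WordPress versions @see https://wordpress.org/support/topic/wordpress-requirement-issue-with-wp_json_encode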
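--- a/wp-rollback.php
+++ b/wp-rollback.php
@@ -5,7 +5,7 @@
  * Description: Rollback (or forward) any WordPress.org plugin or theme like a boss.
  * Author: WordImpress
  * Author URI: http://wordimpress.com
- * Version: 1.2.
+ * Version: 1.2.3
  * Text Domain: wpr
  * Domain Path: languages
  *
@@ -203,6 +203,7 @@ if ( ! class_exists( 'WP Rollback' ) ) : /**
 wp_localize_script( 'wp_rollback_themes_script', 'wpr_vars', array(
 'ajaxurl' => admin_url(),
 'ajax_loader' => admin_url( 'images/spinner.gif' ),
+'nonce' => wp_create_nonce( 'wpr_rollback_nonce' ),
 'text_rollback_label' => __( 'Rollback', 'wpr' ),
 'text_not_rollbackable' => __( 'No Rollback Available: This is a non-WordPress.org theme.', 'wpr' ),
 'text_loading_rollback' => __( 'Loading...', 'wpr' ),
@@ -290,14 +291,20 @@ if ( ! class_exists( 'WP Rollback' ) ) : /**
 
 if ( ! empty( $args['plugin_version'] ) ) {
 //Plugin: rolling back
+check_admin_referer( 'wpr_rollback_nonce' );
+
 include WP_ROLLBACK_PLUGIN_DIR . '/includes/class-rollback-plugin-upgrader.php';
 include WP_ROLLBACK_PLUGIN_DIR . '/includes/rollback-action.php';
 } elseif ( ! empty( $args['theme_version'] ) ) {
 //Theme: rolling back
+check_admin_referer( 'wpr_rollback_nonce' );
+
 include WP_ROLLBACK_PLUGIN_DIR . '/includes/class-rollback-theme-upgrader.php';
 include WP_ROLLBACK_PLUGIN_DIR . '/includes/rollback-action.php';
 } else {
 //This is the menu
+check_admin_referer( 'wpr_rollback_nonce' );
+
 include WP_ROLLBACK_PLUGIN_DIR . '/includes/rollback-menu.php';
 }
 
@@ -390,7 +397,7 @@ if ( ! class_exists( 'WP Rollback' ) ) : /**
 //Loop through versions and output in a radio list
 foreach ( $this->versions as $version ) {
 
-$versions_html .= '<label><input type="radio" value="' . $version . '" name="' . $type . '_version">' . $version;
+$versions_html .= '<label><input type="radio" value="' . esc_attr( $version ) . '" name="' . $type . '_version">' . $version;
 
 //Is this the current version?
 if ( $version === $this->current_version ) {
@@ -425,6 +432,9 @@ if ( ! class_exists( 'WP Rollback' ) ) : /**
 
 $plugin_file = WP_PLUGIN_DIR . '/' . $_GET['plugin_file'];
 
+if( !file_exists( $plugin_file ) )
+wp_die( 'Plugin you\'re referencing does not exist.' );
+
 $plugin_data = get_plugin_data( $plugin_file, false, false );
 
 //the plugin slug is the base directory name without the path to the main file
@@ -503,6 +513,7 @@ if ( ! class_exists( 'WP Rollback' ) ) : /**
 $rollback_url = add_query_arg( apply_filters( 'wpr_plugin_query_args', array(
 'current_version' => urlencode( $plugin_data['Version'] ),
 'rollback_name' => urlencode( $plugin_data['Name'] ),
+'_wpnonce' => wp_create_nonce( 'wpr_rollback_nonce' )
 ) ), $rollback_url );
 }
 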
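Review bot: On line 400 `esc_attr( $version )` protects the `value` attribute, but the same `$version` is concatenated again as the label text at the end of the line without escaping, and `$type` goes into the `name` attribute raw; `$this->versions` is not populated in these hunks so its provenance cannot be confirmed here, but to match the stated intent the tail should read `name="' . esc_attr( $type ) . '_version">' . esc_html( $version );`. The `check_admin_referer( 'wpr_rollback_nonce' )` calls on lines 294, 300 and 306 verify the nonce and referer only; a capability check such as `current_user_can( 'update_plugins' )` / `'update_themes'` is not visible in these hunks and may live in the menu registration, which is worth confirming. Line 435's `file_exists()` on a path built from `$_GET['plugin_file']` proves existence, not containment under `WP_PLUGIN_DIR`; `array_key_exists( $_GET['plugin_file'], get_plugins() )` would verify an installed plugin instead. The methods containing these hunks begin and end outside them.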