Merge pull request #193 from JWardee/v2.1.7

v2.1.7
JWardee · Jan 21, 2024 · 5623d05 · 5623d05
2 parents 2b8d3dc + 409d39a
commit 5623d05
Show file tree

Hide file tree

Showing 8 changed files with 158 additions and 208 deletions.
diff --git a/WpMailCatcher.php b/WpMailCatcher.php
@@ -6,7 +6,7 @@
 Domain Path: /languages
 Description: Logging your mail will stop you from ever losing your emails again! This fast, lightweight plugin (under 140kb in size!) is also useful for debugging or backing up your messages.
 Author: James Ward
-Version: 2.1.6
+Version: 2.1.7
 Author URI: https://jamesward.io
 Donate link: https://paypal.me/jamesmward
 */

diff --git a/build/grunt/package.json b/build/grunt/package.json
@@ -1,6 +1,6 @@
 {
   "name": "WpMailCatcher",
-  "version": "2.1.6",
+  "version": "2.1.7",
   "lang_po_directory": "../../languages",
   "build_directory": "./..",
   "dist_directory": "../../assets",

diff --git a/composer.json b/composer.json
@@ -13,7 +13,7 @@
   },
   "require-dev": {
     "phpunit/phpunit": "^8.0",
-    "yoast/phpunit-polyfills": "^1.0",
+    "yoast/phpunit-polyfills": "^1.1",
     "phpstan/phpstan": "^1.8",
     "szepeviktor/phpstan-wordpress": "^1.1",
     "phpstan/extension-installer": "^1.1",

diff --git a/composer.lock b/composer.lock
diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Tags: mail logging, email log, email logger, logging, email logging, mail, crm
 Requires at least: 4.7
 Tested up to: 6.4
 Requires PHP: 7.4
-Stable tag: 2.1.6
+Stable tag: 2.1.7
 License: GNU General Public License v3.0
 License URI: https://raw.githubusercontent.com/JWardee/wp-mail-catcher/master/LICENSE
 Donate link: https://paypal.me/jamesmward
@@ -94,6 +94,10 @@ Great! Please leave a note in our (GitHub tracker)
 
 == Changelog ==
 
+= 2.1.7 =
+
+- Security: Added additional nonce checks to setting actions
+
 = 2.1.6 =
 
 - Fix: Logs not appearing in WP versions under 6.2

diff --git a/src/Bootstrap.php b/src/Bootstrap.php
@@ -133,6 +133,10 @@ public function route()
         if (current_user_can(Settings::get('default_view_role'))) {
             /** Perform database upgrade */
             if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'upgrade-database') {
+                if (!wp_verify_nonce($_REQUEST['_wpnonce'], 'upgrade-database')) {
+                    wp_die(GeneralHelper::$failedNonceMessage);
+                }
+
                 DatabaseUpgradeManager::getInstance()->doUpgrade();
                 GeneralHelper::redirectToThisHomeScreen();
             }
@@ -231,6 +235,10 @@ public function route()
 
         if (current_user_can(Settings::get('default_settings_role'))) {
             if (isset($_REQUEST['action']) && $_REQUEST['action'] === 'rerun-migrations') {
+                if (!wp_verify_nonce($_REQUEST['_wpnonce'], 'rerun_migrations')) {
+                    wp_die(GeneralHelper::$failedNonceMessage);
+                }
+
                 DatabaseUpgradeManager::getInstance()->doUpgrade(true);
                 GeneralHelper::redirectToThisHomeScreen([
                     'trigger-rerun-migration-success' => true,
@@ -239,6 +247,10 @@ public function route()
             }
 
             if (isset($_REQUEST['action']) && $_REQUEST['action'] === 'trigger-auto-delete') {
+                if (!wp_verify_nonce($_REQUEST['_wpnonce'], 'trigger_auto_delete')) {
+                    wp_die(GeneralHelper::$failedNonceMessage);
+                }
+
                 ExpiredLogManager::removeExpiredLogs();
                 GeneralHelper::redirectToThisHomeScreen([
                     'trigger-auto-delete-success' => true,

diff --git a/src/Views/Log.php b/src/Views/Log.php
@@ -31,7 +31,10 @@
                              to perform the upgrade.</strong>',
                             'WpMailCatcher'
                         ),
-                        '?page=' . GeneralHelper::$adminPageSlug . '&action=upgrade-database'
+                        wp_nonce_url(
+                            '?page=' . GeneralHelper::$adminPageSlug . '&action=upgrade-database',
+                            'upgrade-database'
+                        )
                     );
                     ?>
                 </p>

diff --git a/src/Views/Settings.php b/src/Views/Settings.php
@@ -132,7 +132,10 @@
                                     </span>
                                 </label>
                                 <?php if (isset($cronJobs[0])) :
-                                    $href = '?page=' . GeneralHelper::$adminPageSlug . '&action=trigger-auto-delete';
+                                    $href = wp_nonce_url(
+                                        '?page=' . GeneralHelper::$adminPageSlug . '&action=trigger-auto-delete',
+                                        'trigger_auto_delete'
+                                    );
                                     ?>
                                     <p class="description">
                                         <?php
@@ -158,7 +161,10 @@
                         <td>
                             <p class="description">
                                 <?php
-                                $href = '?page=' . GeneralHelper::$adminPageSlug . '&action=rerun-migrations';
+                                $href = wp_nonce_url(
+                                    '?page=' . GeneralHelper::$adminPageSlug . '&action=rerun-migrations',
+                                    'rerun_migrations'
+                                );
                                 printf(
                                     __(
                                         '%s. <a href="' . $href . '">Rerun migrations</a>',