Merge pull request #225 from brainstormforce/fix/nonce-verification

fix: strengthen nonce verification across plugin

Author: sushmak02

README.md

@@ -97,6 +97,9 @@ No, the plugin provides an easy-to-use interface where you can add schema markup
 4. Test the post or page URL in Google Rich Snippets Testing
 
 ## Changelog ##
+### 1.7.7 ###
+- Improvement: Added Security fixes.
+
 ### 1.7.6 ###
 - Improvement: Updated readme.txt.
 

admin/index.php

@@ -1170,41 +1170,52 @@ function display_status( $status ) {
 	if ( 'reset' == sanitize_text_field( wp_unslash( $_GET['action'] ) ) && isset( $_GET['nonce'] ) && current_user_can( 'manage_options' ) ) {
 		$option_to_reset = sanitize_text_field( wp_unslash( $_GET['options'] ) );
 		$nonce_value     = sanitize_text_field( wp_unslash( $_GET['nonce'] ) );
+		$nonce_verified  = false;
+
 		if ( 'review' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_item_nonce' ) ) {
 			delete_option( 'bsf_review' );
+			$nonce_verified = true;
 		}
 		if ( 'event' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_event_nonce' ) ) {
 			delete_option( 'bsf_event' );
+			$nonce_verified = true;
 		}
 		if ( 'person' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_person_nonce' ) ) {
 			delete_option( 'bsf_person' );
+			$nonce_verified = true;
 		}
-
 		if ( 'product' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_product_nonce' ) ) {
 			delete_option( 'bsf_product' );
+			$nonce_verified = true;
 		}
 		if ( 'recipe' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_recipe_nonce' ) ) {
 			delete_option( 'bsf_recipe' );
+			$nonce_verified = true;
 		}
 		if ( 'software' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_software_nonce' ) ) {
 			delete_option( 'bsf_software' );
+			$nonce_verified = true;
 		}
 		if ( 'video' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_video_nonce' ) ) {
 			delete_option( 'bsf_video' );
+			$nonce_verified = true;
 		}
-
 		if ( 'article' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_article_nonce' ) ) {
 			delete_option( 'bsf_article' );
+			$nonce_verified = true;
 		}
 		if ( 'service' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_service_nonce' ) ) {
 			delete_option( 'bsf_service' );
+			$nonce_verified = true;
 		}
-
 		if ( 'color' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_color_nonce' ) ) {
 			delete_option( 'bsf_custom' );
+			$nonce_verified = true;
 		}
 
-		bsf_reset_options( $option_to_reset );
+		if ( $nonce_verified ) {
+			bsf_reset_options( $option_to_reset );
+		}
 	}
 }
 /**

init.php

@@ -179,7 +179,7 @@ public function add_for_page_template( $display, $meta_box ) {
 	public function show() {
 		global $post;
 		// Use nonce for verification.
-		echo '<input type="hidden" name="wp_meta_box_nonce" value="', esc_attr( wp_create_nonce( basename( __FILE__ ) ) ), '" />';
+		echo '<input type="hidden" name="wp_meta_box_nonce" value="', esc_attr( wp_create_nonce( 'bsf_meta_box_nonce_action' ) ), '" />';
 		echo '<table class="form-table bsf_metabox">';
 		foreach ( $this->_meta_box['fields'] as $field ) {
 			// Set up blank or default values for empty ones.
@@ -452,7 +452,7 @@ public function show() {
 	 */
 	public function save( $post_id ) {
 		// verify nonce.
-		if ( ! isset( $_POST['wp_meta_box_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['wp_meta_box_nonce'] ) ), basename( __FILE__ ) ) ) {
+		if ( ! isset( $_POST['wp_meta_box_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['wp_meta_box_nonce'] ) ), 'bsf_meta_box_nonce_action' ) ) {
 			return $post_id;
 		}
 		// check autosave.
@@ -555,8 +555,8 @@ function bsf_scripts( $hook ) {
 			'bsf-scripts',
 			'bsf_ajax_data',
 			array(
-				'ajax_nonce' => wp_create_nonce( 'ajax_nonce' ),
-				'post_id'    => get_the_ID(),
+				'bsf_meta_box_ajax_nonce' => wp_create_nonce( 'bsf_meta_box_ajax_nonce' ),
+				'post_id'                 => get_the_ID(),
 			)
 		);
 		wp_enqueue_script( 'bsf-timepicker' );
@@ -571,7 +571,7 @@ function bsf_scripts( $hook ) {
  */
 function bsf_editor_footer_scripts() { ?>
 	<?php
-	if ( isset( $_GET['bsf_force_send'] ) && isset( $_GET['bsf_file_upload_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['bsf_file_upload_nonce'] ) ), 'ajax_nonce' ) && 'true' == sanitize_text_field( wp_unslash( $_GET['bsf_force_send'] ) ) ) {
+	if ( isset( $_GET['bsf_force_send'] ) && isset( $_GET['bsf_file_upload_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['bsf_file_upload_nonce'] ) ), 'bsf_meta_box_ajax_nonce' ) && 'true' == sanitize_text_field( wp_unslash( $_GET['bsf_force_send'] ) ) ) {
 		$label = sanitize_text_field( wp_unslash( $_GET['bsf_send_label'] ) );
 		if ( empty( $label ) ) {
 			$label = 'Select File';
@@ -595,7 +595,7 @@ function bsf_editor_footer_scripts() { ?>
  */
 function bsf_force_send( $args ) {
 
-	if ( ! isset( $_GET['bsf_file_upload_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['bsf_file_upload_nonce'] ) ), 'ajax_nonce' ) ) {
+	if ( ! isset( $_GET['bsf_file_upload_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['bsf_file_upload_nonce'] ) ), 'bsf_meta_box_ajax_nonce' ) ) {
 		return $args;
 	}
 	// if the Gallery tab is opened from a custom meta box field, add Insert Into Post button.
@@ -644,15 +644,15 @@ function cmbGetParameterByNameInline(name) {
  */
 function bsf_oembed_ajax_results() {
 	// verify our nonce.
-	if ( ! ( isset( $_REQUEST['bsf_ajax_nonce'], $_REQUEST['oembed_url'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['bsf_ajax_nonce'] ) ), 'ajax_nonce' ) ) ) {
-		die();
+	if ( ! ( isset( $_REQUEST['bsf_ajax_nonce'], $_REQUEST['oembed_url'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['bsf_ajax_nonce'] ) ), 'bsf_meta_box_ajax_nonce' ) ) ) {
+		wp_send_json_error( __( 'Security check failed.', 'rich-snippets' ), 403 );
 	}
 	// verify capability.
 	if ( ! current_user_can( 'edit_posts' ) ) {
-		die();
+		wp_send_json_error( __( 'Unauthorized access.', 'rich-snippets' ), 403 );
 	}
 	// sanitize our search string.
-	$oembed_string = sanitize_text_field( $_REQUEST['oembed_url'] );
+	$oembed_string = sanitize_text_field( wp_unslash( $_REQUEST['oembed_url'] ) );
 	if ( empty( $oembed_string ) ) {
 		$return = '<p class="ui-state-error-text">' . __( 'Please Try Again', 'rich-snippets' ) . '</p>';
 		$found  = 'not found';
@@ -669,7 +669,8 @@ function bsf_oembed_ajax_results() {
 		$fallback = $wp_embed->maybe_make_link( $oembed_url );
 		if ( $check_embed && $check_embed != $fallback ) {
 			// Embed data.
-			$return = '<div class="embed_status">' . $check_embed . '<a href="#" class="bsf_remove_file_button" rel="' . esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['field_id'] ) ) ) . '">' . __( 'Remove Embed', 'rich-snippets' ) . '</a></div>';
+			$field_id = isset( $_REQUEST['field_id'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['field_id'] ) ) : '';
+			$return   = '<div class="embed_status">' . $check_embed . '<a href="#" class="bsf_remove_file_button" rel="' . esc_attr( $field_id ) . '">' . __( 'Remove Embed', 'rich-snippets' ) . '</a></div>';
 			// set our response id.
 			$found = 'found';
 		} else {
@@ -687,7 +688,7 @@ function bsf_oembed_ajax_results() {
 			'id'     => $found,
 		)
 	);
-	die();
+	wp_die();
 }
 // End. That's it, folks! //.
 ?>

readme.txt

@@ -97,6 +97,9 @@ No, the plugin provides an easy-to-use interface where you can add schema markup
 4. Test the post or page URL in Google Rich Snippets Testing
 
 == Changelog ==
+### 1.7.7 ###
+- Improvement: Added Security fixes.
+
 ### 1.7.6 ###
 - Improvement: Updated readme.txt.