Deploying version 1.6.7

Author: ianmjones

README.md

@@ -3,9 +3,9 @@
 **Contributors:** wpengine, deliciousbrains, ianmjones, eriktorsner, kevinwhoffman, mattshaw, bradt, SylvainDeaure \
 **Tags:** amazon ses,smtp,email delivery,gmail smtp,newsletter \
 **Requires at least:** 5.3 \
-**Tested up to:** 6.3 \
+**Tested up to:** 6.4 \
 **Requires PHP:** 7.2 \
-**Stable tag:** 1.6.6
+**Stable tag:** 1.6.7
 
 Fix your email delivery problems by sending your WordPress emails through Amazon SES's powerful email sending infrastructure.
 
@@ -191,6 +191,11 @@ Please double check the credentials match up with the credentials you received w
 
 ## Changelog
 
+### 1.6.7 - 2024-02-08
+
+* Security: Unserializing an object related to plugin settings now passes `'allowed_classes' => false` to avoid instantiating the complete object and potentially running malicious code
+* Security: Processing of the email queue now restricts the type of data allowed to ensure stored queue items meet requirements
+
 ### 1.6.6 - 2023-08-24
 
 * New: WordPress 6.3 compatible

classes/Activity-List-Table.php

@@ -163,7 +163,7 @@ public function column_subject( $email ) {
 	 * @param array $email The array of info about the email.
 	 */
 	public function column_recipient( $email ) {
-		$email['recipient'] = maybe_unserialize( $email['recipient'] );
+		$email['recipient'] = Utils::maybe_unserialize( $email['recipient'] );
 
 		if ( is_array( $email['recipient'] ) ) {
 			return implode( ', ', $email['recipient'] );

classes/Email-Log.php

@@ -8,8 +8,6 @@
 
 namespace DeliciousBrains\WP_Offload_SES;
 
-use DeliciousBrains\WP_Offload_SES\WP_Offload_SES;
-
 /**
  * Class Email_Log
  *
@@ -127,7 +125,7 @@ public function get_email( int $id ) {
 			return false;
 		}
 
-		$row = array_map( 'maybe_unserialize', $row );
+		$row = array_map( '\DeliciousBrains\WP_Offload_SES\Utils::maybe_unserialize', $row );
 
 		if ( ! empty( $row['email_headers'] ) ) {
 			$row['email_headers'] = Utils::sanitize_email_headers( $row['email_headers'] );

classes/Queue/Connection.php

@@ -14,27 +14,13 @@
  */
 class Connection extends DatabaseConnection {
 
-	/**
-	 * Table to store jobs.
-	 *
-	 * @var string
-	 */
-	protected $jobs_table;
-
-	/**
-	 * Table to store failures.
-	 *
-	 * @var string
-	 */
-	protected $failures_table;
-
 	/**
 	 * Construct the Connection class.
 	 *
 	 * @param \wpdb $wpdb WordPress database class.
 	 */
-	public function __construct( $wpdb ) {
-		parent::__construct( $wpdb );
+	public function __construct( $wpdb, array $allowed_job_classes = array() ) {
+		parent::__construct( $wpdb, $allowed_job_classes );
 
 		$this->jobs_table     = $this->database->base_prefix . 'oses_jobs';
 		$this->failures_table = $this->database->base_prefix . 'oses_failures';
@@ -65,7 +51,7 @@ public function get_job( $id ) {
 	 *
 	 * @return bool
 	 */
-	public function release( $job ) {
+	public function release( Job $job ) {
 		/** @var WP_Offload_SES $wp_offload_ses */
 		global $wp_offload_ses;
 
@@ -106,12 +92,12 @@ public function failure( $job, Exception $exception ): bool {
 	/**
 	 * Push a job onto the queue.
 	 *
-	 * @param object $job   The email job.
-	 * @param int    $delay The delay for the job.
+	 * @param Job $job   The email job.
+	 * @param int $delay The delay for the job.
 	 *
 	 * @return bool|int
 	 */
-	public function push( \DeliciousBrains\WP_Offload_SES\WP_Queue\Job $job, $delay = 0 ) {
+	public function push( Job $job, $delay = 0 ) {
 		$args = array(
 			'job'          => serialize( $job ),
 			'available_at' => $this->datetime( $delay ),

classes/Queue/Email-Cron.php

@@ -14,9 +14,9 @@ class Email_Cron extends Cron {
 	/**
 	 * Cron constructor.
 	 *
-	 * @param string $id
-	 * @param Worker $worker
-	 * @param int    $interval
+	 * @param string       $id
+	 * @param Email_Worker $worker
+	 * @param int          $interval
 	 */
 	public function __construct( $id, $worker, $interval ) {
 		parent::__construct( $id, $worker, $interval );

classes/Queue/Email-Queue.php

@@ -12,20 +12,6 @@
  */
 class Email_Queue extends Queue {
 
-	/**
-	 * The database connection.
-	 *
-	 * @var Connection
-	 */
-	protected $connection;
-
-	/**
-	 * The cron class.
-	 *
-	 * @var Email_Cron
-	 */
-	protected $cron;
-
 	/**
 	 * The delay before running a cron.
 	 *
@@ -67,7 +53,7 @@ class Email_Queue extends Queue {
 	public function __construct() {
 		global $wpdb;
 
-		$this->connection = new Connection( $wpdb );
+		$this->connection = new Connection( $wpdb, array( Email_Job::class ) );
 		parent::__construct( $this->connection );
 
 		$this->add_cron();
@@ -149,10 +135,10 @@ public function add_cron() {
 	 *
 	 * @param int $attempts The number of times to attempt the job.
 	 *
-	 * @return Worker
+	 * @return Email_Worker
 	 */
 	public function worker( $attempts ) {
-		return new Worker( $this->connection, $attempts );
+		return new Email_Worker( $this->connection, $attempts );
 	}
 
 	/**
@@ -177,7 +163,7 @@ public function install_tables() {
 				reserved_at datetime DEFAULT NULL,
 				available_at datetime NOT NULL,
 				created_at datetime NOT NULL,
-				PRIMARY KEY  (id)
+				PRIMARY KEY (id)
 				) $charset_collate;";
 		dbDelta( $sql );
 
@@ -186,7 +172,7 @@ public function install_tables() {
 				job longtext NOT NULL,
 				error text DEFAULT NULL,
 				failed_at datetime NOT NULL,
-				PRIMARY KEY  (id)
+				PRIMARY KEY (id)
 				) $charset_collate;";
 		dbDelta( $sql );
 	}

classes/Queue/Worker.php classes/Queue/Email-Worker.phpclasses/Queue/Worker.php renamed to classes/Queue/Email-Worker.php

@@ -5,14 +5,15 @@
 use DeliciousBrains\WP_Offload_SES\Command_Pool;
 use DeliciousBrains\WP_Offload_SES\Error;
 use DeliciousBrains\WP_Offload_SES\WP_Queue\Exceptions\WorkerAttemptsExceededException;
+use DeliciousBrains\WP_Offload_SES\WP_Queue\Worker;
 use Exception;
 
 /**
  * Class Worker
  *
  * @since 1.0.0
  */
-class Worker {
+class Email_Worker extends Worker {
 
 	/**
 	 * The AWS Command Pool wrapper.
@@ -21,30 +22,15 @@ class Worker {
 	 */
 	protected $command_pool;
 
-	/**
-	 * The database connection.
-	 *
-	 * @var Connection
-	 */
-	private $connection;
-
-	/**
-	 * The number of times to attempt a job.
-	 *
-	 * @var int
-	 */
-	private $attempts;
-
 	/**
 	 * Worker constructor.
 	 *
 	 * @param Connection $connection The database connection.
 	 * @param int        $attempts   The number of times to attempt a job.
 	 */
 	public function __construct( Connection $connection, int $attempts = 3 ) {
+		parent::__construct( $connection, $attempts );
 		$this->command_pool = new Command_Pool( $connection, $attempts );
-		$this->connection   = $connection;
-		$this->attempts     = $attempts;
 	}
 
 	/**

classes/Queue/Queue-Status.php

@@ -3,6 +3,7 @@
 namespace DeliciousBrains\WP_Offload_SES\Queue;
 
 use DeliciousBrains\WP_Offload_SES\Email;
+use DeliciousBrains\WP_Offload_SES\Queue\Jobs\Email_Job;
 use DeliciousBrains\WP_Offload_SES\Utils;
 use DeliciousBrains\WP_Offload_SES\Error;
 use DeliciousBrains\WP_Offload_SES\WP_Offload_SES;
@@ -32,7 +33,7 @@ class Queue_Status {
 	public function __construct( WP_Offload_SES $wp_offload_ses ) {
 		global $wpdb;
 
-		$this->connection     = new Connection( $wpdb );
+		$this->connection     = new Connection( $wpdb, array( Email_Job::class ) );
 		$this->wp_offload_ses = $wp_offload_ses;
 
 		// Run the cron health check after everything has loaded.

classes/Settings.php

@@ -116,7 +116,7 @@ public function get_defined_settings( bool $force = false ): array {
 			$unserialized = array();
 
 			if ( defined( $this->settings_constant ) ) {
-				$unserialized = maybe_unserialize( constant( $this->settings_constant ) );
+				$unserialized = Utils::maybe_unserialize( constant( $this->settings_constant ) );
 				$unserialized = is_array( $unserialized ) ? $unserialized : array();
 			}
 

classes/Utils.php

@@ -322,4 +322,19 @@ public static function sanitize_email_headers( $headers ): array {
 
 		return $new_headers;
 	}
+
+	/**
+	 * Maybe unserialize data, but not if an object.
+	 *
+	 * @param mixed $data
+	 *
+	 * @return mixed
+	 */
+	public static function maybe_unserialize( $data ) {
+		if ( is_serialized( $data ) ) {
+			return @unserialize( $data, array( 'allowed_classes' => false ) ); // @phpcs:ignore
+		}
+
+		return $data;
+	}
 }