Merge branch 'develop' into trunk

10up · Jul 18, 2024 · abb4ff8 · abb4ff8
2 parents 5b7632b + bb85397
commit abb4ff8
Show file tree

Hide file tree

Showing 9 changed files with 82 additions and 47 deletions.
diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml
@@ -15,7 +15,7 @@ jobs:
       matrix:
         core:
           - {name: 'WP latest', version: 'latest'}
-          - {name: 'WP minimum', version: 'WordPress/WordPress#6.3'}
+          - {name: 'WP minimum', version: 'WordPress/WordPress#6.4'}
           - {name: 'WP trunk', version: 'WordPress/WordPress#master'}
     steps:
     - name: Checkout

diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-v20.11.0
+v20
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,7 +4,18 @@ All notable changes to this project will be documented in this file, per [the Ke
 
 ## [Unreleased] - TBD
 
-## [2.7.10] - 2024-05-23
+## [2.7.11] - 2024-07-18
+**Note that this release bumps the minimum required version of WordPress from 6.3 to 6.4.**
+
+### Changed
+- Bumped WordPress "tested up to" version 6.6 and minimum version to 6.4 (props [@sudip-md](https://github.com/sudip-md), [@ankitguptaindia](https://github.com/ankitguptaindia), [@jeffpaul](https://github.com/jeffpaul) via [#289](https://github.com/10up/simple-local-avatars/pull/289), [#290](https://github.com/10up/simple-local-avatars/pull/290)).
+
+### Security
+- Add nonce check when saving the default avatar ID (props [@faisal-alvi](https://github.com/faisal-alvi), [@aaemnnosttv](https://github.com/aaemnnosttv), [@rafiem](https://github.com/rafiem), [@dkotter](https://github.com/dkotter) via [GHSA-46pw-6m35-9m7x](https://github.com/10up/simple-local-avatars/security/advisories/GHSA-46pw-6m35-9m7x)).
+- Bump `braces` from 3.0.2 to 3.0.3, `pac-resolver` from 7.0.0 to 7.0.1, `socks` from 2.7.1 to 2.8.3 and removes `ip` (props [@dependabot](https://github.com/apps/dependabot), [@Sidsector9](https://github.com/Sidsector9) via [#286](https://github.com/10up/simple-local-avatars/pull/286)).
+- Bump `ws` from 7.5.9 to 7.5.10 (props [@dependabot](https://github.com/apps/dependabot), [@faisal-alvi](https://github.com/faisal-alvi) via [#287](https://github.com/10up/simple-local-avatars/pull/287)).
+
+## [2.7.10] - 2024-05-24
 ### Fixed
 - Fix Default Avatar Fallback (props [@amirhossein7](https://profiles.wordpress.org/amirhossein7/), [@faisal-alvi](https://github.com/faisal-alvi), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#281](https://github.com/10up/simple-local-avatars/pull/281)).
 
@@ -325,6 +336,7 @@ All notable changes to this project will be documented in this file, per [the Ke
 - Initial release
 
 [Unreleased]: https://github.com/10up/simple-local-avatars/compare/trunk...develop
+[2.7.11]: https://github.com/10up/simple-local-avatars/compare/2.7.10...2.7.11
 [2.7.10]: https://github.com/10up/simple-local-avatars/compare/2.7.9...2.7.10
 [2.7.9]: https://github.com/10up/simple-local-avatars/compare/2.7.8...2.7.9
 [2.7.8]: https://github.com/10up/simple-local-avatars/compare/2.7.7...2.7.8

diff --git a/CREDITS.md b/CREDITS.md
@@ -10,7 +10,7 @@ The following individuals are responsible for curating the list of issues, respo
 
 Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.
 
-[Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Ravi Chandra (@ravichdev)](https://github.com/ravichdev), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Helen Hou-Sandi (@helen)](https://github.com/helen), [@kniebremser](https://github.com/kniebremser), [Robbie Trencheny (@robbiet480)](https://github.com/robbiet480), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Paul de Wouters (@pdewouters)](https://github.com/pdewouters), [Ledwing Hernandez (@Waka867)](https://github.com/Waka867), [Tim Moore (@tmoorewp)](https://github.com/tmoorewp), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Ben Lobaugh (@blobaugh)](https://github.com/blobaugh), [Chris Jones (@heyjones)](https://github.com/heyjones), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Ammon Lockwood (@sumnercreations)](https://github.com/sumnercreations), [David Shanske (@dshanske)](https://github.com/dshanske), [Myles McNamara (@tripflex)](https://github.com/tripflex), [Jackie Kjome (@JackieKjome)](https://github.com/JackieKjome) [David Chabbi (@davidchabbi)](https://profiles.wordpress.org/davidchabbi/), [Jeffrey Carandang (@phpbits)](https://github.com/phpbits), [@Antonio-Laguna](https://github.com/Antonio-Laguna), [(@ituk)](https://github.com/ituk), [Fabio Giannese (@diodoe)](https://github.com/diodoe), [Ankit K Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Ajay Maurya (@ajmaurya99)](https://github.com/ajmaurya99), [Clayton Collie (@claytoncollie)](https://github.com/claytoncollie), [Connor Smyth (@ActuallyConnor)](https://github.com/ActuallyConnor), [Thrijith Thankachan (@thrijith)](https://github.com/thrijith), [Rahul Prajapati (@rahulsprajapati)](https://github.com/rahulsprajapati), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [(@holle75)](https://github.com/holle75), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [Ulrich Pogson (@grappler)](https://github.com/grappler), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Austin Passy (@thefrosty)](https://github.com/thefrosty), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Alireza Salehi (@alireza-salehi)](https://github.com/alireza-salehi), [Vlad Olaru (@vladolaru)](https://github.com/vladolaru), [Alec Kinnear (@foliovision)](https://github.com/foliovision), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [David (@pixelloop)](https://github.com/pixelloop), [Victor Berland (@victorberland)](https://github.com/victorberland), [Konstantin Kovshenin (@kovshenin)](https://github.com/kovshenin), [Timothy Wheelock (@t-lock)](https://github.com/t-lock), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Quamruz Zaman (@zamanq)](https://github.com/zamanq), [K. Adam White (@kadamwhite)](https://github.com/kadamwhite), [Shirkit (@Shirkit)](https://github.com/Shirkit), [Georgi Georgiev (@lllopo)](https://github.com/lllopo), [Matt Watson (@mattwatsoncodes)](https://github.com/mattwatsoncodes), [Christoph Rothmeier (@Rottinator)](https://github.com/Rottinator), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Matthew Haines-Young (@mattheu)](https://github.com/mattheu), [Patryk Kujawa (@patrixer)](https://github.com/patrixer), [Sebastian (@sekra24)](https://github.com/sekra24),  [Bhargav Bhandari (@BhargavBhandari90)](https://github.com/BhargavBhandari90), [Konstantinos Galanakis (@kmgalanakis)](https://github.com/kmgalanakis), [Jon Christensen (@Firestorm980)](https://github.com/Firestorm980), [Joseph Richardson (@EHLOVader)](https://github.com/EHLOVader), [Dominik Schilling (@ocean90)](https://github.com/ocean90), [Jake Jackson (@jakejackson1)](https://github.com/jakejackson1), [Leo Germani (@leogermani)](https://github.com/leogermani), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [horrormovies.gr (@horrormoviesgr)](https://profiles.wordpress.org/horrormoviesgr/), [inpeaks (@inpeaks)](https://profiles.wordpress.org/inpeaks/), [lillylark (@lillylark)](https://profiles.wordpress.org/lillylark/), [Rafał Całka (@rafaucau)](https://github.com/rafaucau), [janrenn (@janrenn)](https://profiles.wordpress.org/janrenn/), [Amir Hossein (amirhossein7)](https://profiles.wordpress.org/amirhossein7/), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya/).
+[Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Ravi Chandra (@ravichdev)](https://github.com/ravichdev), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Helen Hou-Sandi (@helen)](https://github.com/helen), [@kniebremser](https://github.com/kniebremser), [Robbie Trencheny (@robbiet480)](https://github.com/robbiet480), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Paul de Wouters (@pdewouters)](https://github.com/pdewouters), [Ledwing Hernandez (@Waka867)](https://github.com/Waka867), [Tim Moore (@tmoorewp)](https://github.com/tmoorewp), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Ben Lobaugh (@blobaugh)](https://github.com/blobaugh), [Chris Jones (@heyjones)](https://github.com/heyjones), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Ammon Lockwood (@sumnercreations)](https://github.com/sumnercreations), [David Shanske (@dshanske)](https://github.com/dshanske), [Myles McNamara (@tripflex)](https://github.com/tripflex), [Jackie Kjome (@JackieKjome)](https://github.com/JackieKjome) [David Chabbi (@davidchabbi)](https://profiles.wordpress.org/davidchabbi/), [Jeffrey Carandang (@phpbits)](https://github.com/phpbits), [@Antonio-Laguna](https://github.com/Antonio-Laguna), [(@ituk)](https://github.com/ituk), [Fabio Giannese (@diodoe)](https://github.com/diodoe), [Ankit K Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Ajay Maurya (@ajmaurya99)](https://github.com/ajmaurya99), [Clayton Collie (@claytoncollie)](https://github.com/claytoncollie), [Connor Smyth (@ActuallyConnor)](https://github.com/ActuallyConnor), [Thrijith Thankachan (@thrijith)](https://github.com/thrijith), [Rahul Prajapati (@rahulsprajapati)](https://github.com/rahulsprajapati), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [(@holle75)](https://github.com/holle75), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [Ulrich Pogson (@grappler)](https://github.com/grappler), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Austin Passy (@thefrosty)](https://github.com/thefrosty), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Alireza Salehi (@alireza-salehi)](https://github.com/alireza-salehi), [Vlad Olaru (@vladolaru)](https://github.com/vladolaru), [Alec Kinnear (@foliovision)](https://github.com/foliovision), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [David (@pixelloop)](https://github.com/pixelloop), [Victor Berland (@victorberland)](https://github.com/victorberland), [Konstantin Kovshenin (@kovshenin)](https://github.com/kovshenin), [Timothy Wheelock (@t-lock)](https://github.com/t-lock), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Quamruz Zaman (@zamanq)](https://github.com/zamanq), [K. Adam White (@kadamwhite)](https://github.com/kadamwhite), [Shirkit (@Shirkit)](https://github.com/Shirkit), [Georgi Georgiev (@lllopo)](https://github.com/lllopo), [Matt Watson (@mattwatsoncodes)](https://github.com/mattwatsoncodes), [Christoph Rothmeier (@Rottinator)](https://github.com/Rottinator), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Matthew Haines-Young (@mattheu)](https://github.com/mattheu), [Patryk Kujawa (@patrixer)](https://github.com/patrixer), [Sebastian (@sekra24)](https://github.com/sekra24),  [Bhargav Bhandari (@BhargavBhandari90)](https://github.com/BhargavBhandari90), [Konstantinos Galanakis (@kmgalanakis)](https://github.com/kmgalanakis), [Jon Christensen (@Firestorm980)](https://github.com/Firestorm980), [Joseph Richardson (@EHLOVader)](https://github.com/EHLOVader), [Dominik Schilling (@ocean90)](https://github.com/ocean90), [Jake Jackson (@jakejackson1)](https://github.com/jakejackson1), [Leo Germani (@leogermani)](https://github.com/leogermani), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [horrormovies.gr (@horrormoviesgr)](https://profiles.wordpress.org/horrormoviesgr/), [inpeaks (@inpeaks)](https://profiles.wordpress.org/inpeaks/), [lillylark (@lillylark)](https://profiles.wordpress.org/lillylark/), [Rafał Całka (@rafaucau)](https://github.com/rafaucau), [janrenn (@janrenn)](https://profiles.wordpress.org/janrenn/), [Amir Hossein (amirhossein7)](https://profiles.wordpress.org/amirhossein7/), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya), [Sudip Dadhaniya (@sudip-md)](https://github.com/sudip-md), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [Rafie Muhammad (@rafiem)](https://github.com/rafiem).
 
 ## Libraries
 

diff --git a/includes/class-simple-local-avatars.php b/includes/class-simple-local-avatars.php
@@ -1476,6 +1476,7 @@ public function add_avatar_default_field( $defaults ) {
 		?>
 		<input type="hidden" name="simple-local-avatar-file-id" id="simple-local-avatar-file-id" value="<?php echo ! empty( $default_avatar_file_id ) ? esc_attr( $default_avatar_file_id ) : ''; ?>"/>
 		<input type="hidden" name="simple-local-avatar-file-url" id="simple-local-avatar-file-url" value="<?php echo ! empty( $default_avatar_file_url ) ? esc_url( $default_avatar_file_url ) : ''; ?>"/>
+		<?php wp_nonce_field( 'simple_local_avatar_default', 'simple-local-avatar-file-wpnonce' ); ?>
 		<input type="button" name="simple-local-avatar" id="simple-local-avatar-default" class="button-secondary" value="<?php esc_attr_e( 'Choose Default Avatar', 'simple-local-avatar' ); ?>"/>
 		<p class="description" style="margin-left: 23px;"><?php esc_html_e( 'Note that this avatar needs to be publicly available or a broken image will be shown.', 'simple-local-avatar' ); ?></p>
 		<?php
@@ -1490,6 +1491,11 @@ public function add_avatar_default_field( $defaults ) {
 	private function save_default_avatar_file_id() {
 		global $pagenow;
 
+		// Check if nonce is set.
+		if ( ! isset( $_POST['simple-local-avatar-file-wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['simple-local-avatar-file-wpnonce'] ) ), 'simple_local_avatar_default' ) ) {
+			return;
+		}
+
 		$file_id = filter_input( INPUT_POST, 'simple-local-avatar-file-id', FILTER_SANITIZE_NUMBER_INT );
 
 		// check for uploaded files