security patch

mlooft · Feb 19, 2024 · 95b3053 · 95b3053
1 parent 1a518d5
commit 95b3053
Show file tree

Hide file tree

Showing 28 changed files with 103 additions and 45 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # Changelog
 This file hosts the complete changelog of this plugin.
 
+## 1.7.18
+* security patch
+
+## 1.7.17
+* json form sanitization
+
 ## 1.7.16
 * fixed a problem with the recaptcha form
 

diff --git a/gulpfile.js b/gulpfile.js
@@ -11,16 +11,15 @@ var sort = require('gulp-sort');
 var zip = require('gulp-zip');
 var ts = require("gulp-typescript");
 var stripDebug = require('gulp-strip-debug');
-
 var vendorJs = [
   "./node_modules/select2/dist/js/select2.min.js"
 ];
-
 var vendorCss = [
   "./node_modules/font-awesome/css/font-awesome.min.css",
   "./node_modules/select2/dist/css/select2.min.css",
 ];
-
+var fs = require('fs');
+var path = require('path');
 gulp.task('js-frontend', function jsFrontend() {
   return gulp.src(['assets/js/frontend/*.ts'])
     .pipe(ts({outFile: 'msf-frontend.js'}))
@@ -31,7 +30,6 @@ gulp.task('js-frontend', function jsFrontend() {
     .pipe(gulp.dest('dist/scripts'))
     .pipe(livereload());
 });
-
 gulp.task('js-vendor', function jsVendor() {
   return gulp.src(vendorJs)
     .pipe(concat('msf-vendor.js'))
@@ -40,7 +38,6 @@ gulp.task('js-vendor', function jsVendor() {
     }))
     .pipe(gulp.dest('dist/scripts'));
 });
-
 gulp.task('js-backend', function jsBackend() {
   return gulp.src(['assets/js/backend/*.ts'])
     .pipe(ts({outFile: 'msf-backend.js'}))
@@ -51,9 +48,7 @@ gulp.task('js-backend', function jsBackend() {
     .pipe(gulp.dest('dist/scripts'))
     .pipe(livereload());
 });
-
 gulp.task('js', gulp.parallel('js-frontend', 'js-vendor', 'js-backend'));
-
 gulp.task('css-frontend', function cssFrontend() {
   return gulp.src('assets/css/frontend/frontend.less')
     .pipe(less())
@@ -68,7 +63,6 @@ gulp.task('css-frontend', function cssFrontend() {
     .pipe(gulp.dest('dist/styles'))
     .pipe(livereload());
 });
-
 gulp.task('css-vendor', function cssVendor() {
   return gulp.src(['assets/vendor/css/*.css'].concat(vendorCss))
     .pipe(concat('msf-vendor.css'))
@@ -82,7 +76,6 @@ gulp.task('css-vendor', function cssVendor() {
     .pipe(gulp.dest('dist/styles'))
     .pipe(livereload());
 });
-
 gulp.task('css-backend', function cssBackend() {
   return gulp.src(['node_modules/font-awesome/css/font-awesome.css', 'assets/css/backend/*.css', 'assets/css/backend/*.less'])
     .pipe(less())
@@ -97,14 +90,11 @@ gulp.task('css-backend', function cssBackend() {
     .pipe(gulp.dest('dist/styles'))
     .pipe(livereload());
 });
-
 gulp.task('fonts', function fonts() {
     return gulp.src('node_modules/font-awesome/fonts/*')
         .pipe(gulp.dest('dist/fonts'))
 });
-
 gulp.task('css', gulp.parallel('css-frontend', 'css-vendor', 'css-backend', 'fonts'));
-
 gulp.task('pot', function pot() {
     return gulp.src('includes/**/*.php')
         .pipe(sort())
@@ -118,21 +108,54 @@ gulp.task('pot', function pot() {
         }))
         .pipe(gulp.dest('lang'));
 });
-
+// Task to create an index.php file in the ./dist directory
+gulp.task('secure-dist', function(done) {
+  var content = '<?php\n// Silence is golden.\n';
+  var distPath = path.join(__dirname, 'dist');
+  var subfolders = ['styles', 'fonts', 'scripts'];
+  // Ensure the dist directory and subfolders exist
+  if (!fs.existsSync(distPath)){
+      fs.mkdirSync(distPath);
+  }
+  subfolders.forEach(function(subfolder) {
+      var subfolderPath = path.join(distPath, subfolder);
+      if (!fs.existsSync(subfolderPath)) {
+          fs.mkdirSync(subfolderPath);
+      }
+      // Write the content to index.php in each subfolder
+      var filePath = path.join(subfolderPath, 'index.php');
+      fs.writeFile(filePath, content, function(err) {
+          if (err) {
+              console.error(`Error creating index.php in ${subfolderPath}:`, err);
+              done(err); // Signal failure
+              return;
+          }
+          console.log(`Secure index.php file has been created in the ${subfolderPath}.`);
+      });
+  });
+  // Also ensure root dist directory has index.php
+  var rootIndexFilePath = path.join(distPath, 'index.php');
+  fs.writeFile(rootIndexFilePath, content, function(err) {
+      if (err) {
+          console.error('Error creating index.php in dist directory:', err);
+          done(err); // Signal failure
+      } else {
+          console.log('Secure index.php file has been created in the dist directory.');
+          done(); // Signal completion
+      }
+  });
+});
 function watch() {
   gulp.watch('assets/js/frontend/*.ts', gulp.series('js-frontend'));
   gulp.watch('assets/js/backend/*.ts', gulp.series('js-backend'));
   gulp.watch('assets/css/*.css', gulp.series('css'));
   gulp.watch('assets/css/frontend/*.less', gulp.series('css-frontend'));
   gulp.watch('assets/css/backend/*.less', gulp.series('css-backend'));
 }
-
-gulp.task('default', gulp.series(gulp.parallel('js', 'css', 'fonts', 'pot'), watch));
-
+gulp.task('default', gulp.series(gulp.parallel('js', 'css', 'fonts', 'pot', 'secure-dist' ), watch));
 gulp.task('clean:production', gulp.series(function cleanProd() {
   return del('dist/**/*');
 }));
-
 gulp.task('css-frontend:production', gulp.series(function cssFrontendProd() {
   return gulp.src('assets/css/frontend/frontend.less')
     .pipe(less())
@@ -143,7 +166,6 @@ gulp.task('css-frontend:production', gulp.series(function cssFrontendProd() {
     }))
     .pipe(gulp.dest('dist/styles'));
 }));
-
 gulp.task('css-vendor:production', gulp.series(function cssVendorProd() {
   return gulp.src(['assets/vendor/css/*.css'].concat(vendorCss))
     .pipe(concat('msf-vendor.min.css'))
@@ -153,7 +175,6 @@ gulp.task('css-vendor:production', gulp.series(function cssVendorProd() {
     }))
     .pipe(gulp.dest('dist/styles'));
 }));
-
 gulp.task('css-backend:production', gulp.series(function cssBackendProd() {
   return gulp.src(['node_modules/font-awesome/css/font-awesome.css', 'assets/css/backend/*.css', 'assets/css/backend/*.less'])
     .pipe(less())
@@ -164,41 +185,33 @@ gulp.task('css-backend:production', gulp.series(function cssBackendProd() {
     }))
     .pipe(gulp.dest('dist/styles'));
 }));
-
 gulp.task('js-frontend:production', gulp.series(function jsFrontendProd() {
   return gulp.src(['assets/js/frontend/*.ts'])
     .pipe(ts({outFile: 'msf-frontend.min.js'}))
     .pipe(stripDebug())
     .pipe(uglify())
     .pipe(gulp.dest('dist/scripts'));
 }));
-
 gulp.task('js-vendor:production', gulp.series(function jsVendorProd() {
   return gulp.src(vendorJs)
     .pipe(concat('msf-vendor.min.js'))
     .pipe(stripDebug())
     .pipe(uglify())
     .pipe(gulp.dest('dist/scripts'));
 }));
-
 gulp.task('js-backend:production', gulp.series(function jsBackendProd() {
   return gulp.src(['assets/js/backend/*.ts'])
     .pipe(ts({outFile: 'msf-backend.min.js'}))
     .pipe(stripDebug())
     .pipe(uglify())
     .pipe(gulp.dest('dist/scripts'));
 }));
-
 gulp.task('styles:production', gulp.parallel('css-frontend:production', 'css-vendor:production', 'css-backend:production'));
-
 gulp.task('scripts:production', gulp.parallel('js-frontend:production', 'js-vendor:production', 'js-backend:production'));
-
-gulp.task('build:production', gulp.series('clean:production', gulp.parallel('scripts:production', 'styles:production', 'fonts', 'pot')));
-
+gulp.task('build:production', gulp.series('clean:production', gulp.parallel('scripts:production', 'styles:production', 'fonts', 'pot','secure-dist') ));
 gulp.task('clean:zip', function cleanZip() {
   return del(['pkg/**/*']);
 });
-
 gulp.task('copy:zip', gulp.series('clean:zip', 'build:production', function copyZip() {
   return gulp.src(
       [
@@ -215,14 +228,12 @@ gulp.task('copy:zip', gulp.series('clean:zip', 'build:production', function copy
       ], {base: '.'})
     .pipe(gulp.dest('pkg/multi-step-form'));
 }));
-
 gulp.task('copy:lang', gulp.series('copy:zip', function copyLang() {
   return gulp.src(
     'pkg/multi-step-form/lang/multi-step-form.pot')
     .pipe(rename('mondula-form-wizard.pot'))
     .pipe(gulp.dest('pkg/multi-step-form/lang/'));
 }));
-
 gulp.task('zip', gulp.series('copy:lang', function zipPackage() {
   return gulp.src('pkg/multi-step-form/**')
     .pipe(zip('multi-step-form.zip'))

diff --git a/includes/admin/assets/images/index.php b/includes/admin/assets/images/index.php
diff --git a/includes/admin/blocks/index.php b/includes/admin/blocks/index.php
diff --git a/includes/admin/index.php b/includes/admin/index.php
@@ -0,0 +1,3 @@
+<?php
+
+// Silence is golden
diff --git a/includes/admin/msf-admin.class.php b/includes/admin/msf-admin.class.php
@@ -193,6 +193,11 @@ public function troubleshooting() {
 		$email_result = false;
 		if (isset($_POST['testmail-submit']) && isset($_POST['testmail-receiver']))
 		{
+			if (!wp_verify_nonce($_POST['testmail_nonce'], 'testmail_action')) {
+				// Handle nonce verification failure
+				wp_die(__('Nonce verification failed.', 'multi-step-form'));
+			}
+
 			$this->_troubleshoot_mail_error = "";
 			$testmail = true;
 			$dest_email = sanitize_email($_POST['testmail-receiver']);
@@ -351,6 +356,11 @@ private function import_json($json) {
 
 	private function handle_json_upload() {
 		if (isset($_FILES['json-import'])) {
+
+			if (!isset($_POST['json_upload_nonce']) || !wp_verify_nonce($_POST['json_upload_nonce'], 'json_upload_action')) {
+				wp_die('Security check failed');
+			}
+
 			$overrides = array(
 				'test_form' => false,
 				'test_type' => false // WordPress is too restricted to easily allow json upload
@@ -453,6 +463,13 @@ private function sanitize_form_data(&$data) {
 	 * Saves a Form after editing in the admin form builder.
 	 */
 	public function save() {
+
+		// First, check if the user has the 'edit_posts' capability.
+		if (!current_user_can('edit_posts')) {
+			wp_send_json_error(array('msg' => 'Unauthorized action.'));
+			return;
+		}
+
 		$_POST = stripslashes_deep($_POST);
 		$id = isset($_POST['id']) ? intval($_POST['id']) : '';
 		$nonce = isset($_POST['nonce']) ? $_POST['nonce'] : '';

diff --git a/includes/admin/partials/index.php b/includes/admin/partials/index.php
@@ -0,0 +1,3 @@
+<?php
+
+// Silence is golden
diff --git a/includes/admin/partials/msf-table.php b/includes/admin/partials/msf-table.php
@@ -15,6 +15,7 @@
     <h2><?php echo __('Import a Form', 'multi-step-form'); ?></h2>
     <form id="msf-import" method="post" enctype="multipart/form-data">
         <input type='file' id='json-import' name='json-import' accept='application/json,.json'>
+        <?php wp_nonce_field('json_upload_action', 'json_upload_nonce'); ?>
         <input name="submit" id="submit" class="button button-primary" value="<?php echo __('Upload & Import', 'multi-step-form'); ?>" type="submit">
     </form>
 </div>
diff --git a/includes/admin/partials/msf-troubleshooting.php b/includes/admin/partials/msf-troubleshooting.php
@@ -11,6 +11,7 @@
     <form id="msf-testmail" method="post">
         <label for="testmail-receiver">Send to: </label>
         <input type="email" name="testmail-receiver" id="testmail-receiver" required>
+        <?php wp_nonce_field('testmail_action', 'testmail_nonce'); ?>
         <input name="testmail-submit" class="button button-primary" value="<?php echo __('Send Testmail', 'multi-step-form'); ?>" type="submit">
     </form>
 

diff --git a/includes/index.php b/includes/index.php
@@ -0,0 +1,3 @@
+<?php
+
+// Silence is golden
diff --git a/includes/lib/index.php b/includes/lib/index.php
@@ -0,0 +1,3 @@
+<?php
+
+// Silence is golden
diff --git a/includes/lib/msf-blocks/date/index.php b/includes/lib/msf-blocks/date/index.php
diff --git a/includes/lib/msf-blocks/email/index.php b/includes/lib/msf-blocks/email/index.php
diff --git a/includes/lib/msf-blocks/file/index.php b/includes/lib/msf-blocks/file/index.php
diff --git a/includes/lib/msf-blocks/getvariable/index.php b/includes/lib/msf-blocks/getvariable/index.php
diff --git a/includes/lib/msf-blocks/index.php b/includes/lib/msf-blocks/index.php
@@ -0,0 +1,3 @@
+<?php
+
+// Silence is golden
diff --git a/includes/lib/msf-blocks/media/index.php b/includes/lib/msf-blocks/media/index.php
diff --git a/includes/lib/msf-blocks/numeric/index.php b/includes/lib/msf-blocks/numeric/index.php
diff --git a/includes/lib/msf-blocks/paragraph/index.php b/includes/lib/msf-blocks/paragraph/index.php
diff --git a/includes/lib/msf-blocks/radio/index.php b/includes/lib/msf-blocks/radio/index.php
diff --git a/includes/lib/msf-blocks/select/index.php b/includes/lib/msf-blocks/select/index.php
diff --git a/includes/lib/msf-blocks/text/index.php b/includes/lib/msf-blocks/text/index.php
diff --git a/includes/lib/msf-blocks/textarea/index.php b/includes/lib/msf-blocks/textarea/index.php
diff --git a/includes/lib/partials/index.php b/includes/lib/partials/index.php
diff --git a/lang/index.php b/lang/index.php
diff --git a/lang/multi-step-form.pot b/lang/multi-step-form.pot
@@ -297,15 +297,19 @@ msgstr ""
 msgid "Not installed/active"
 msgstr ""
 
-#: includes/admin/msf-admin.class.php:287
+#: includes/admin/msf-admin.class.php:198
+msgid "Nonce verification failed."
+msgstr ""
+
+#: includes/admin/msf-admin.class.php:339
 msgid "Invalid JSON-File. Check your syntax."
 msgstr ""
 
-#: includes/admin/msf-admin.class.php:315
+#: includes/admin/msf-admin.class.php:376
 msgid "Forms must be imported as JSON files"
 msgstr ""
 
-#: includes/admin/msf-admin.class.php:420, includes/admin/partials/msf-editor.php:8
+#: includes/admin/msf-admin.class.php:488, includes/admin/partials/msf-editor.php:8
 msgid "Success. Form saved."
 msgstr ""
 
@@ -517,47 +521,47 @@ msgstr ""
 msgid "Import a Form"
 msgstr ""
 
-#: includes/admin/partials/msf-table.php:18
+#: includes/admin/partials/msf-table.php:19
 msgid "Upload & Import"
 msgstr ""
 
 #: includes/admin/partials/msf-troubleshooting.php:6
 msgid "Multi Step Form Troubleshooting"
 msgstr ""
 
-#: includes/admin/partials/msf-troubleshooting.php:8, includes/admin/partials/msf-troubleshooting.php:14
+#: includes/admin/partials/msf-troubleshooting.php:8, includes/admin/partials/msf-troubleshooting.php:15
 msgid "Send Testmail"
 msgstr ""
 
 #: includes/admin/partials/msf-troubleshooting.php:9
 msgid "Use the following form to check if the wp_mail function works.. This function is used by MSF and it is crucial for sending emails."
 msgstr ""
 
-#: includes/admin/partials/msf-troubleshooting.php:26
+#: includes/admin/partials/msf-troubleshooting.php:27
 msgid "Tried to send an email to <b>%s</b> and the wp_mail function signaled success.<br/>.Please check if you received an email at <b>%s</b> from this plugin. If you did not receive one,.there might be something wrong with your Wordpress Mail Configuration. The other reason might be, that the E-Mail.provider of <b>%s</b> automaticaly detected it as spam."
 msgstr ""
 
-#: includes/admin/partials/msf-troubleshooting.php:42
+#: includes/admin/partials/msf-troubleshooting.php:43
 msgid "Tried to send an email to <b>%s</b> but the. wp_mail function failed.<br/> Please check you Wordpress/PHP Mail Configuration .as it seems to be broken.<br/>Error Message: %s"
 msgstr ""
 
-#: includes/admin/partials/msf-troubleshooting.php:55
+#: includes/admin/partials/msf-troubleshooting.php:56
 msgid "Upload Problems"
 msgstr ""
 
-#: includes/admin/partials/msf-troubleshooting.php:57
+#: includes/admin/partials/msf-troubleshooting.php:58
 msgid "If you have problems with the upload of files, please check .the \"Important System Information\" on this page first. Check if all limits and maximum sizes are .high enough to upload the files you want."
 msgstr ""
 
-#: includes/admin/partials/msf-troubleshooting.php:62
+#: includes/admin/partials/msf-troubleshooting.php:63
 msgid "If you changed these limits, make sure this change is shown in this page. .Sometimes it is not possible to change these limits in .htaccess files or with .ini_set() functions, as some webhosting providers block those changes. .In that case contact your provider and ask for support or a higher upload limit."
 msgstr ""
 
-#: includes/admin/partials/msf-troubleshooting.php:68
+#: includes/admin/partials/msf-troubleshooting.php:69
 msgid "Important System Information"
 msgstr ""
 
-#: includes/admin/partials/msf-troubleshooting.php:69
+#: includes/admin/partials/msf-troubleshooting.php:70
 msgid "Please send us a screenshot of the following information, if you write us because of a technical problem."
 msgstr ""
 

diff --git a/mondula-form-wizard.php b/mondula-form-wizard.php
@@ -1,7 +1,7 @@
 <?php
 /*
  * Plugin Name: Multi Step Form
- * Version: 1.7.17
+ * Version: 1.7.18
  * Plugin URI: http://www.mondula.com/
  * Description: Create and embed Multi Step Form.
  * Author: Mondula GmbH
@@ -82,7 +82,7 @@ function msf_drop_tables($tables = array(), $blog_id = null) {
  * @return object Mondula_Form_Wizard
  */
 function Mondula_Form_Wizard() {
-	$instance = Mondula_Form_Wizard::instance(__FILE__, '1.7.17');
+	$instance = Mondula_Form_Wizard::instance(__FILE__, '1.7.18');
 
 	if (is_null($instance->settings)) {
 		$instance->settings = Mondula_Form_Wizard_Settings::instance($instance);