From 9117d37b770849f89a35b14dc13487466ee513cc Mon Sep 17 00:00:00 2001 From: Guillaume Molter Date: Sat, 6 Aug 2016 10:00:52 -0400 Subject: [PATCH 01/10] Adding wp nonce Related to #12 --- page-settings.php | 7 +++++-- postmark.php | 12 ++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/page-settings.php b/page-settings.php index 9725258..1554518 100644 --- a/page-settings.php +++ b/page-settings.php @@ -19,7 +19,8 @@ $.post(ajaxurl, { 'action': 'postmark_save', - 'data': JSON.stringify(data) + 'data': JSON.stringify(data), + '_wpnonce': $('[name=_wpnonce]').val() }, function(response) { $('.pm-notice').html('

' + response + '

'); $('.pm-notice').removeClass('hidden'); @@ -31,7 +32,8 @@ 'action': 'postmark_test', 'email': $('.pm-test-email').val(), 'with_tracking_and_html': $('.pm-test-with-opens').is(':checked') ? 1 : 0, - 'override_from_address' : $('.pm-test-email-sender').val() + 'override_from_address' : $('.pm-test-email-sender').val(), + '_wpnonce': $('[name=_wpnonce]').val() }, function(response) { $('.pm-notice').html('
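Review bot: The nonce is read with `$('[name=_wpnonce]').val()`, a selector that is not scoped to this form, so if the settings page renders more than one `_wpnonce` hidden field (WordPress settings pages commonly emit one through `settings_fields()`) `.val()` returns the first match and the server-side `wp_verify_nonce` check can reject a legitimate request. The second hunk of this file uses the same selector for the test-email call, so both would fail together. Scoping the lookup to the plugin's own form (`$('#pm-settings-form [name=_wpnonce]').val()`, with the actual form id), or handing the nonce to the script via `wp_localize_script` and reading it from that object, removes the ambiguity. The hidden field this selector depends on is added in the third hunk of this file, whose added line is not legible in this view.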

' + response + '

'); $('.pm-notice').removeClass('hidden'); @@ -71,6 +73,7 @@
+ diff --git a/postmark.php b/postmark.php index 9a9fef8..61c375c 100644 --- a/postmark.php +++ b/postmark.php @@ -61,6 +61,12 @@ function admin_menu() { function send_test_email() { + + // We check the wp_nonce. + if ( ! isset($_POST['_wpnonce']) || ! wp_verify_nonce( $_POST['_wpnonce'], 'postmark_nonce' ) ) { + wp_die(__('Cheatin’ uh?')); + } + $to = $_POST['email']; $with_tracking_and_html = $_POST['with_tracking_and_html']; $subject = 'Postmark Test: ' . get_bloginfo( 'name' ); @@ -91,6 +97,12 @@ function send_test_email() { } function save_settings() { + + // We check the wp_nonce. + if ( ! isset($_POST['_wpnonce']) || ! wp_verify_nonce( $_POST['_wpnonce'], 'postmark_nonce' ) ) { + wp_die(__('Cheatin’ uh?')); + } + $settings = stripslashes( $_POST['data'] ); $json_test = json_decode( $settings, true ); From df1e2d1dbf95666d49bb207d28f689d7cf4cbb4d Mon Sep 17 00:00:00 2001 From: Guillaume Molter Date: Sat, 6 Aug 2016 10:01:31 -0400 Subject: [PATCH 02/10] Checking for user permission Related to #12 --- postmark.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/postmark.php b/postmark.php index 61c375c..47cfe42 100644 --- a/postmark.php +++ b/postmark.php @@ -67,6 +67,11 @@ function send_test_email() { wp_die(__('Cheatin’ uh?')); } + // We check that the current user is allowed to update settings. + if ( ! current_user_can('manage_options') ) { + wp_die(__('Cheatin’ uh?')); + } + $to = $_POST['email']; $with_tracking_and_html = $_POST['with_tracking_and_html']; $subject = 'Postmark Test: ' . get_bloginfo( 'name' ); @@ -102,6 +107,11 @@ function save_settings() { if ( ! isset($_POST['_wpnonce']) || ! wp_verify_nonce( $_POST['_wpnonce'], 'postmark_nonce' ) ) { wp_die(__('Cheatin’ uh?')); } + + // We check that the current user is allowed to update settings. + if ( ! current_user_can('manage_options') ) { + wp_die(__('Cheatin’ uh?')); + } $settings = stripslashes( $_POST['data'] ); $json_test = json_decode( $settings, true ); 
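Review bot: The new check in send_test_email() (and the identical one in save_settings() in the next hunk) reimplements what WordPress already provides for admin-ajax handlers: `check_ajax_referer( 'postmark_nonce' );` reads `_wpnonce` from the request, verifies it against the same action and terminates the request on failure, which also avoids passing the raw `$_POST` value around. If the explicit form is kept, note that `__('Cheatin’ uh?')` is the only translatable string in this series without the `'postmark-wordpress'` text domain the later patches use, so `wp_die( __( 'Cheatin’ uh?', 'postmark-wordpress' ) );` would keep them consistent; the capability checks added in patch 02 reuse the same string and have the same gap. Both functions continue outside these hunks.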
From aa8e0a2dc6e8ebc662c6fde1025630b35e8931c0 Mon Sep 17 00:00:00 2001 From: Guillaume Molter Date: Sat, 6 Aug 2016 10:53:42 -0400 Subject: [PATCH 03/10] Adding strong data validation to settings Related to #12 --- postmark.php | 63 ++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 54 insertions(+), 9 deletions(-) diff --git a/postmark.php b/postmark.php index 47cfe42..a572de1 100644 --- a/postmark.php +++ b/postmark.php 
@@ -113,18 +113,63 @@ function save_settings() { wp_die(__('Cheatin’ uh?')); } - $settings = stripslashes( $_POST['data'] ); - $json_test = json_decode( $settings, true ); - - // Check for valid JSON - if ( isset( $json_test['enabled'] ) ) { - update_option( 'postmark_settings', $settings ); - echo 'Settings saved'; + // We check that we have received some data. + if ( ! isset($_POST['data']) ) { + wp_die(__('Cheatin’ uh?')); + } + + $data = json_decode( stripslashes( $_POST['data'] ), true); + + $settings = array(); + + // We check that we were able to decode data. + if ( ! is_array($data) ) { + wp_die(__('Something went wrong!', 'postmark-wordpress')); + } + + // We validate that 'enabled' is a numeric boolean + if ( isset($data['enabled']) && 1 === $data['enabled'] ) { + $settings['enabled'] = 1; } else { - echo 'Error: invalid JSON'; + $settings['enabled'] = 0; + } + + // We validate that 'api_key' contains only allowed caracters [letters, numbers, dash] + if ( isset($data['api_key']) && 1 === preg_match('/^[A-Za-z0-9\-]*$/', $data['api_key']) ) { + $settings['api_key'] = $data['api_key']; + } + else { + $settings['api_key'] = ''; + } + + // We validate that 'sender_address' is a valid email address + if ( isset($data['sender_address']) && is_email($data['sender_address']) ) { + $settings['sender_address'] = sanitize_email($data['sender_address']); } - wp_die(); + else { + $settings['sender_address'] = ''; + } + + // We validate that 'force_html' is a numeric boolean + if ( isset($data['force_html']) && 1 === $data['force_html'] ) { + $settings['force_html'] = 1; + } + else { + $settings['force_html'] = 0; + } + + // We validate that 'track_opens' is a numeric boolean + if ( isset($data['track_opens']) && 1 === $data['track_opens'] ) { + $settings['track_opens'] = 1; + } + else { + $settings['track_opens'] = 0; + } + + update_option( 'postmark_settings', json_encode($settings) ); + + wp_die('Settings saved'); } 
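Review bot: The api_key pattern `/^[A-Za-z0-9\-]*$/` lets a value ending in a newline through, because in PCRE `$` also matches before a trailing `\n`; anchoring with `\z` (`preg_match('/^[A-Za-z0-9\-]*\z/', $data['api_key'])`) closes that gap, and a length cap would be reasonable for a token. More importantly for the user, an api_key or sender_address that fails validation is silently replaced with `''` and the request still answers `Settings saved`, so a typo wipes the stored key without feedback; replying with an error such as `wp_die( __( 'Invalid API key', 'postmark-wordpress' ) )` (or rejecting the whole payload) would be safer. The flag checks `1 === $data['enabled']` depend on the form serialising these values as JSON numbers; if the client ever sends `true` or `"1"` they silently save as 0, so either document the expected shape or accept those forms with `in_array( $data['enabled'], array( 1, '1', true ), true )`. The start of save_settings() is outside this hunk.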
From 65a4d7eaafc21811e6689e5057116e4e6317a6b5 Mon Sep 17 00:00:00 2001 From: Guillaume Molter Date: Sat, 6 Aug 2016 11:05:30 -0400 Subject: [PATCH 04/10] Adding strong data validation to test email Related to #12 --- postmark.php | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/postmark.php b/postmark.php index a572de1..1a15261 100644 --- a/postmark.php +++ b/postmark.php @@ -72,8 +72,30 @@ function send_test_email() { wp_die(__('Cheatin’ uh?')); } - $to = $_POST['email']; - $with_tracking_and_html = $_POST['with_tracking_and_html']; + // We validate that 'email' is a valid email address + if ( isset($_POST['email']) && is_email($_POST['email']) ) { + $to = sanitize_email($_POST['email']); + } + else { + wp_die(__('You need to specify a valid recipient email address.', 'postmark-wordpress')); + } + + // We validate that 'with_tracking_and_html' is a numeric boolean + if ( isset($_POST['with_tracking_and_html']) && 1 === $_POST['with_tracking_and_html'] ) { + $with_tracking_and_html = true; + } + else { + $with_tracking_and_html = false; + } + + // We validate that 'override_from_address' is a valid email address + if ( isset($_POST['override_from_address']) && is_email($_POST['override_from_address']) ) { + $override_from = sanitize_email($_POST['override_from_address']); + } + else { + $override_from = false; + } + $subject = 'Postmark Test: ' . get_bloginfo( 'name' ); $override_from = $_POST['override_from_address']; $headers = array(); @@ -85,8 +107,7 @@ function send_test_email() { $message = 'This is a test email sent using the Postmark plugin.'; } - - if( isset( $override_from ) && $override_from != '' ) { + if( false !== $override_from ) { array_push($headers, 'From: ' . $override_from); } From 48646a27648f2f623087cebf0f573d5a5bff621f Mon Sep 17 00:00:00 2001 
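Review bot: The validated `$override_from` is immediately overwritten: the context line `$override_from = $_POST['override_from_address'];` that follows `$subject = ...` survives from the old code, so the new `else { $override_from = false; }` branch never takes effect and the second hunk's `if( false !== $override_from )` then pushes the raw, unvalidated POST value (or an empty `From: ` header when the field is blank) into `$headers`. Deleting that leftover assignment is the fix. Separately, `1 === $_POST['with_tracking_and_html']` can never be true because `$_POST` values arrive as strings, so the test mail is always sent without tracking; compare against the string (`'1' === $_POST['with_tracking_and_html']`) or cast before comparing. send_test_email() begins before this hunk and ends after the second one.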
From: Guillaume Molter Date: Sat, 6 Aug 2016 11:06:59 -0400 Subject: [PATCH 05/10] Indentation fix --- postmark.php | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/postmark.php b/postmark.php index 1a15261..8cb8d55 100644 --- a/postmark.php +++ b/postmark.php @@ -103,7 +103,8 @@ function send_test_email() { if( $with_tracking_and_html ){ $message = 'This is an HTML test email sent using the Postmark plugin. It has Open Tracking enabled.'; array_push($headers, 'X-PM-Track-Opens: true'); - }else{ + } + else{ $message = 'This is a test email sent using the Postmark plugin.'; } @@ -112,14 +113,16 @@ function send_test_email() { } $response = wp_mail( $to, $subject, $message, $headers ); + if ( false !== $response ) { - echo 'Test sent'; - } - else{ - $dump = print_r(Postmark_Mail::$LAST_ERROR, true); - echo 'Test failed, the following is the error generated when running the test send:
'.$dump.'
'; - } - wp_die(); + echo 'Test sent'; + } + else{ + $dump = print_r(Postmark_Mail::$LAST_ERROR, true); + echo 'Test failed, the following is the error generated when running the test send:
'.$dump.'
'; + } + + wp_die(); } function save_settings() { From cf10b7fa51c43d723067b47f59b1a76a5bd2e9ea Mon Sep 17 00:00:00 2001 From: Guillaume Molter Date: Sat, 6 Aug 2016 11:30:11 -0400 Subject: [PATCH 06/10] Escaping form data/values Related to #12 --- page-settings.php | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/page-settings.php b/page-settings.php index 1554518..772ad1b 100644 --- a/page-settings.php +++ b/page-settings.php @@ -1,13 +1,6 @@