Minor security improvement for dismissing the review notice (CSRF).

clikitsupport · Oct 25, 2023 · d2d9c6e · d2d9c6e
1 parent 86f6833
commit d2d9c6e
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 6 deletions.
diff --git a/classes/class-review-notice.php b/classes/class-review-notice.php
@@ -257,12 +257,12 @@ public function render() {
 				<a href="https://wordpress.org/support/plugin/<?php echo esc_html( $this->slug ); ?>/reviews/#new-post" target="_blank">
 					<?php esc_html_e( 'You deserve it!', $this->domain ); ?>
 				</a>
-				<a class="bfu-btn-later" href="<?php echo esc_url( add_query_arg( $this->key( 'action' ), 'later' ) ); ?>">
+				<a class="bfu-btn-later" href="<?php echo esc_url( wp_nonce_url( add_query_arg( $this->key( 'action' ), 'later' ), 'bfu_rate' ) ); ?>">
 					<?php esc_html_e( 'Maybe later', $this->domain ); ?>
 				</a>
 			</p>
 				<p>
-					<a class="bfu-btn-dismiss" href="<?php echo esc_url( add_query_arg( $this->key( 'action' ), 'dismiss' ) ); ?>">
+					<a class="bfu-btn-dismiss" href="<?php echo esc_url( wp_nonce_url( add_query_arg( $this->key( 'action' ), 'dismiss' ), 'bfu_rate' ) ); ?>">
 						<?php esc_html_e( 'Leave me alone', $this->domain ); ?>
 					</a>
 				</p>
@@ -436,6 +436,11 @@ protected function actions() {
 			return;
 		}
 
+		//check nonce
+		if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( $_GET['_wpnonce'], 'bfu_rate' ) ) {
+			return;
+		}
+
 		// Get the current review action.
 		$action = filter_input( INPUT_GET, $this->key( 'action' ), FILTER_SANITIZE_STRING );
 		do_action( 'qm/debug', $action );

diff --git a/readme.txt b/readme.txt
@@ -2,8 +2,8 @@
 Contributors: uglyrobot, jdailey, andtrev
 Tags: increase file size limit, increase upload limit, max upload file size, post max size, upload limit, file upload, files uploader, ftp, video uploader, AJAX
 Requires at least: 5.3
-Tested up to: 6.3
-Stable tag: 2.1.1
+Tested up to: 6.4
+Stable tag: 2.1.2
 Requires PHP: 5.6
 License: GPLv2
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -106,6 +106,10 @@ No. [Infinite Uploads](https://wordpress.org/plugins/infinite-uploads/) is an op
 
 == Changelog ==
 
+2.1.2 - 2023-10-25
+----------------------------------------------------------------------
+- Minor security improvement for dismissing the review notice (CSRF).
+
 2.1.1 - 2022-8-17
 ----------------------------------------------------------------------
 - Compatibility with Easy Digital Downloads plugin.

diff --git a/tuxedo_big_file_uploads.php b/tuxedo_big_file_uploads.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: Big File Uploads
  * Description: Enable large file uploads in the built-in WordPress media uploader via multipart uploads, and set maximum upload file size to any value based on user role. Uploads can be as large as available disk space allows.
- * Version:     2.1.1
+ * Version:     2.1.2
  * Author:      Infinite Uploads
  * Author URI:  https://infiniteuploads.com/?utm_source=bfu_plugin&utm_medium=plugin&utm_campaign=bfu_plugin&utm_content=meta
  * Network:     true
@@ -34,7 +34,7 @@
 	die();
 }
 
-define( 'BIG_FILE_UPLOADS_VERSION', '2.1.1' );
+define( 'BIG_FILE_UPLOADS_VERSION', '2.1.2' );
 
 /**
  * Big File Uploads manager class.