Issue 12 - Security improvements

page-settings.php

@@ -1,13 +1,6 @@
 <script>
 (function($) {
     $(function() {
-        var settings = <?php echo json_encode( $this->settings ); ?>;
-        $('.pm-enabled').prop('checked', settings.enabled);
-        $('.pm-api-key').val(settings.api_key);
-        $('.pm-sender-address').val(settings.sender_address);
-        $('.pm-force-html').prop('checked', settings.force_html);
-        $('.pm-track-opens').prop('checked', settings.track_opens);
-
         $(document).on('click', '.save-settings', function() {
             var data = {
                 'enabled': $('.pm-enabled').is(':checked') ? 1 : 0,
@@ -19,7 +12,8 @@
 
             $.post(ajaxurl, {
                 'action': 'postmark_save',
-                'data': JSON.stringify(data)
+                'data': JSON.stringify(data),
+                '_wpnonce': $('[name=_wpnonce]').val()
             }, function(response) {
                 $('.pm-notice').html('<p>' + response + '</p>');
                 $('.pm-notice').removeClass('hidden');
@@ -31,7 +25,8 @@
                 'action': 'postmark_test',
                 'email': $('.pm-test-email').val(),
                 'with_tracking_and_html': $('.pm-test-with-opens').is(':checked') ? 1 : 0,
-                'override_from_address' : $('.pm-test-email-sender').val()
+                'override_from_address' : $('.pm-test-email-sender').val(),
+                '_wpnonce': $('[name=_wpnonce]').val()
             }, function(response) {
                 $('.pm-notice').html('<p>' + response + '</p>');
                 $('.pm-notice').removeClass('hidden');
@@ -71,25 +66,26 @@
     </div>
     <br/>
     <div class="updated notice pm-notice hidden"></div>
+    <?php wp_nonce_field( 'postmark_nonce' ); ?>
     <table class="form-table" style="max-width:740px;">
         <tr>
             <th><label>Enabled?</label></th>
             <td>
-                <input type="checkbox" class="pm-enabled" value="1" />
+                <input type="checkbox" class="pm-enabled" value="1" <?php checked($this->settings['enabled']); ?> />
                 <span class="footnote">Send emails using Postmark's REST API</span>
             </td>
         </tr>
         <tr>
             <th><label>API Key</label></th>
             <td>
-                <input type="text" class="pm-api-key" value="" />
+                <input type="text" class="pm-api-key" value="<?php echo esc_attr($this->settings['api_key']); ?>" />
                 <div class="footnote">Your API key is available in the <strong>Credentials</strong> screen of your <a href="https://account.postmarkapp.com/servers" target="_blank">Postmark Server</a>.</div>
             </td>
         </tr>
         <tr>
             <th><label>Sender Email Address</label></th>
             <td>
-                <input type="text" class="pm-sender-address" value="" />
+                <input type="email" class="pm-sender-address" value="<?php echo esc_attr($this->settings['sender_address']); ?>" />
                 <div class="footnote">This email must be a verified <a href="https://account.postmarkapp.com/signatures" target="_blank">Sender Signature</a>. It will appear as the "from" address on all outbound emails.<br/><br/>
                 You may override the "From" address set here on individual emails, by including a 'From' header with the address you wish to send from. <a href="#example">See the example below.</a>
                 </div>
@@ -98,15 +94,15 @@
         <tr>
             <th><label>Force HTML</label></th>
             <td>
-                <input type="checkbox" class="pm-force-html" value="1" />
+                <input type="checkbox" class="pm-force-html" value="1" <?php checked($this->settings['force_html']); ?> />
                 <span class="footnote">Force emails to be sent as HTML.<br/><br/>DEPRECATED: Instead of enabling this feature, add a header to your HTML message with name 'Content-Type' and value 'text/html'. <a href="#example">See the example below.</a>
                 </span>
             </td>
         </tr>
         <tr>
             <th><label>Track Opens</label></th>
             <td>
-                <input type="checkbox" class="pm-track-opens" value="1" />
+                <input type="checkbox" class="pm-track-opens" value="1" <?php checked($this->settings['track_opens']); ?> />
                 <span class="footnote">Track email opens (which also requires emails to be "forced" to HTML).<br/><br/>DEPRECATED: Instead of enabling this feature, add a header to your HTML message called 'X-PM-Track-Opens' and a value of 'true'. <a href="#example">See the example below.</a>
             </td>
         </tr>
@@ -120,11 +116,11 @@
     <table class="form-table">
         <tr>
             <th><label>Recipient</label></th>
-            <td><input type="text" class="pm-test-email" value="" placeholder="recipient@example.com" /></td>
+            <td><input type="email" class="pm-test-email" value="" placeholder="recipient@example.com" /></td>
         </tr>
         <tr>
             <th><label>Override Sender Email Address</label></th>
-            <td><input type="text" class="pm-test-email-sender" value="" placeholder="sender@example.com" /></td>
+            <td><input type="email" class="pm-test-email-sender" value="" placeholder="sender@example.com" /></td>
         </tr>
         <tr>
             <td colspan="2"><input type="checkbox" name="with_tracking_and_html" class="pm-test-with-opens" value="" />Send test as HTML, with Open Tracking Enabled.</td>

postmark.php

@@ -24,10 +24,6 @@ function __construct() {
 
 
     function init() {
-        if ( ! current_user_can( 'manage_options' ) ) {
-            return;
-        }
-
         add_action( 'admin_menu', array( $this, 'admin_menu' ) );
         add_action( 'wp_ajax_postmark_save', array( $this, 'save_settings' ) );
         add_action( 'wp_ajax_postmark_test', array( $this, 'send_test_email' ) );
@@ -61,48 +57,139 @@ function admin_menu() {
 
 
     function send_test_email() {
-        $to = $_POST['email'];
-        $with_tracking_and_html = $_POST['with_tracking_and_html'];
+
+	    // We check the wp_nonce.
+	    if ( ! isset($_POST['_wpnonce']) || ! wp_verify_nonce( $_POST['_wpnonce'], 'postmark_nonce' ) ) {
+		    wp_die(__('Cheatin’ uh?'));
+	    }
+
+	    // We check that the current user is allowed to update settings.
+	    if ( ! current_user_can('manage_options') ) {
+		    wp_die(__('Cheatin’ uh?'));
+	    }
+
+        // We validate that 'email' is a valid email address
+        if ( isset($_POST['email']) && is_email($_POST['email']) ) {
+	        $to = sanitize_email($_POST['email']);
+        }
+        else {
+	        wp_die(__('You need to specify a valid recipient email address.', 'postmark-wordpress'));
+        }
+
+        // We validate that 'with_tracking_and_html' is a numeric boolean
+        if ( isset($_POST['with_tracking_and_html']) && 1 === $_POST['with_tracking_and_html'] ) {
+	        $with_tracking_and_html = true;
+        }
+        else {
+	        $with_tracking_and_html = false;
+        }
+
+        // We validate that 'override_from_address' is a valid email address
+        if ( isset($_POST['override_from_address']) && is_email($_POST['override_from_address']) ) {
+	        $override_from = sanitize_email($_POST['override_from_address']);
+        }
+        else {
+	        $override_from = false;
+        }
+
         $subject = 'Postmark Test: ' . get_bloginfo( 'name' );
         $override_from = $_POST['override_from_address'];
         $headers = array();
 
         if( $with_tracking_and_html ){
             $message = 'This is an <strong>HTML test</strong> email sent using the Postmark plugin. It has Open Tracking enabled.';
             array_push($headers, 'X-PM-Track-Opens: true');
-        }else{ 
+        }
+        else{ 
             $message = 'This is a test email sent using the Postmark plugin.';
         }
 
-
-        if( isset( $override_from ) && $override_from != '' ) {
+        if( false !== $override_from ) {
             array_push($headers, 'From: ' . $override_from);
         }
 
         $response = wp_mail( $to, $subject, $message, $headers );
+
         if ( false !== $response ) {
-		echo 'Test sent';
-	}
-	else{
-		$dump = print_r(Postmark_Mail::$LAST_ERROR, true);
-		echo 'Test failed, the following is the error generated when running the test send:<br/><pre class="diagnostics">'.$dump.'</pre>';	
-	}
-	wp_die();
+			echo 'Test sent';
+		}
+		else{
+			$dump = print_r(Postmark_Mail::$LAST_ERROR, true);
+			echo 'Test failed, the following is the error generated when running the test send:<br/><pre class="diagnostics">'.$dump.'</pre>';	
+		}
+
+		wp_die();
     }
 
     function save_settings() {
-        $settings = stripslashes( $_POST['data'] );
-        $json_test = json_decode( $settings, true );
-
-        // Check for valid JSON
-        if ( isset( $json_test['enabled'] ) ) {
-            update_option( 'postmark_settings', $settings );
-            echo 'Settings saved';
+
+	    // We check the wp_nonce.
+	    if ( ! isset($_POST['_wpnonce']) || ! wp_verify_nonce( $_POST['_wpnonce'], 'postmark_nonce' ) ) {
+		    wp_die(__('Cheatin’ uh?'));
+	    }
+
+	    // We check that the current user is allowed to update settings.
+	    if ( ! current_user_can('manage_options') ) {
+		    wp_die(__('Cheatin’ uh?'));
+	    }
+
+	    // We check that we have received some data.
+	    if ( ! isset($_POST['data']) ) {
+		    wp_die(__('Cheatin’ uh?'));
+	    }
+
+        $data = json_decode( stripslashes( $_POST['data'] ), true);
+
+        $settings = array();
+
+        // We check that we were able to decode data.
+        if ( ! is_array($data) ) {
+	        wp_die(__('Something went wrong!', 'postmark-wordpress'));
+        }
+
+        // We validate that 'enabled' is a numeric boolean
+        if ( isset($data['enabled']) && 1 === $data['enabled'] ) {
+	        $settings['enabled'] = 1;
+        }
+        else {
+	        $settings['enabled'] = 0;
+        }
+
+        // We validate that 'api_key' contains only allowed caracters [letters, numbers, dash]
+        if ( isset($data['api_key']) && 1 === preg_match('/^[A-Za-z0-9\-]*$/', $data['api_key']) ) {
+	        $settings['api_key'] = $data['api_key'];
         }
         else {
-            echo 'Error: invalid JSON';
+	        $settings['api_key'] = '';
         }
-        wp_die();
+
+        // We validate that 'sender_address' is a valid email address
+        if ( isset($data['sender_address']) && is_email($data['sender_address']) ) {
+	        $settings['sender_address'] = sanitize_email($data['sender_address']);
+        }
+        else {
+	        $settings['sender_address'] = '';
+        }
+
+        // We validate that 'force_html' is a numeric boolean
+        if ( isset($data['force_html']) && 1 === $data['force_html'] ) {
+	        $settings['force_html'] = 1;
+        }
+        else {
+	        $settings['force_html'] = 0;
+        }
+
+        // We validate that 'track_opens' is a numeric boolean
+        if ( isset($data['track_opens']) && 1 === $data['track_opens'] ) {
+	        $settings['track_opens'] = 1;
+        }
+        else {
+	        $settings['track_opens'] = 0;
+        }
+
+        update_option( 'postmark_settings', json_encode($settings) );
+
+        wp_die('Settings saved');
     }