Merge branch 'develop'

CHANGES.md

@@ -1,5 +1,8 @@
 #### [unreleased]
 
+#### 10.6.13 / 2022-02-01
+* update nonce condtionals, require variables be set
+
 #### 10.6.12 / 2022-01-18
 * composer update for `wp-dependency-installer` fixes
 

git-updater.php

@@ -12,7 +12,7 @@
  * Plugin Name:       Git Updater
  * Plugin URI:        https://git-updater.com
  * Description:       A plugin to automatically update GitHub hosted plugins, themes, and language packs. Additional API plugins available for Bitbucket, GitLab, Gitea, and Gist.
- * Version:           10.6.12
+ * Version:           10.6.13
  * Author:            Andy Fragen
  * License:           MIT
  * Domain Path:       /languages

languages/git-updater.pot

@@ -2,21 +2,21 @@
 # This file is distributed under the MIT.
 msgid ""
 msgstr ""
-"Project-Id-Version: Git Updater 10.6.12\n"
+"Project-Id-Version: Git Updater 10.6.12.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/git-updater\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2022-01-18T21:53:35+00:00\n"
+"POT-Creation-Date: 2022-01-19T01:08:50+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.5.0\n"
 "X-Domain: git-updater\n"
 
 #. Plugin Name of the plugin
 #: src/Git_Updater/Settings.php:165
-#: src/Git_Updater/Settings.php:274
+#: src/Git_Updater/Settings.php:270
 msgid "Git Updater"
 msgstr ""
 
@@ -181,12 +181,12 @@ msgid "Please be patient while WP-Cron finishes making API calls."
 msgstr ""
 
 #: src/Git_Updater/Settings.php:137
-#: src/Git_Updater/Settings.php:811
+#: src/Git_Updater/Settings.php:808
 msgid "Settings"
 msgstr ""
 
 #: src/Git_Updater/Settings.php:212
-#: src/Git_Updater/Settings.php:373
+#: src/Git_Updater/Settings.php:369
 msgid "Git Updater Settings"
 msgstr ""
 
@@ -195,59 +195,59 @@ msgctxt "Menu item"
 msgid "Git Updater"
 msgstr ""
 
-#: src/Git_Updater/Settings.php:297
+#: src/Git_Updater/Settings.php:293
 msgid "Refresh Cache"
 msgstr ""
 
-#: src/Git_Updater/Settings.php:342
+#: src/Git_Updater/Settings.php:338
 msgid "Settings saved."
 msgstr ""
 
-#: src/Git_Updater/Settings.php:344
+#: src/Git_Updater/Settings.php:340
 msgid "Cache refreshed."
 msgstr ""
 
-#: src/Git_Updater/Settings.php:386
+#: src/Git_Updater/Settings.php:382
 msgid "Enable Branch Switching"
 msgstr ""
 
-#: src/Git_Updater/Settings.php:399
+#: src/Git_Updater/Settings.php:395
 msgid "Bypass WP-Cron Background Processing for Debugging"
 msgstr ""
 
-#: src/Git_Updater/Settings.php:411
+#: src/Git_Updater/Settings.php:407
 msgid "Display `deprecated hook` messaging in debug.log"
 msgstr ""
 
-#: src/Git_Updater/Settings.php:574
+#: src/Git_Updater/Settings.php:570
 msgid "Check to enable."
 msgstr ""
 
-#: src/Git_Updater/Settings.php:606
+#: src/Git_Updater/Settings.php:602
 msgid "Overridden Plugins and Themes"
 msgstr ""
 
-#: src/Git_Updater/Settings.php:607
+#: src/Git_Updater/Settings.php:603
 msgid "The following plugins or themes might exist on wp.org, but any updates will be downloaded from their respective git repositories."
 msgstr ""
 
-#: src/Git_Updater/Settings.php:845
+#: src/Git_Updater/Settings.php:842
 msgid "This is a private repository."
 msgstr ""
 
-#: src/Git_Updater/Settings.php:846
+#: src/Git_Updater/Settings.php:843
 msgid "This repository has not connected to the API or was unable to connect."
 msgstr ""
 
-#: src/Git_Updater/Settings.php:847
+#: src/Git_Updater/Settings.php:844
 msgid "This repository is hosted on WordPress.org."
 msgstr ""
 
-#: src/Git_Updater/Settings.php:848
+#: src/Git_Updater/Settings.php:845
 msgid "This repository has been ignored and does not connect to the API."
 msgstr ""
 
-#: src/Git_Updater/Settings.php:892
+#: src/Git_Updater/Settings.php:889
 msgid "Installed Plugins and Themes"
 msgstr ""
 

src/Git_Updater/Add_Ons.php

@@ -198,7 +198,7 @@ public function add_admin_page( $tab, $action ) {
 	 * Display appropriate notice for Remote Management page action.
 	 */
 	private function admin_page_notices() {
-		if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_settings' ) ) {
+		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_settings' ) ) {
 			return;
 		}
 		$display = isset( $_POST['install_api_plugin'] ) && '1' === $_POST['install_api_plugin'];

src/Git_Updater/Messages.php

@@ -45,7 +45,7 @@ public function create_error_message( $type = '' ) {
 		$update_pages   = [ 'update-core.php', 'plugins.php', 'themes.php' ];
 		$settings_pages = [ 'settings.php', 'options-general.php' ];
 
-		if ( ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) )
+		if ( ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) )
 			&& ( ( ! isset( $_GET['page'] ) || 'git-updater' !== $_GET['page'] )
 			&& in_array( $pagenow, $settings_pages, true ) )
 			|| ! in_array( $pagenow, array_merge( $update_pages, $settings_pages ), true )

src/Git_Updater/Plugin.php

@@ -438,10 +438,8 @@ public function update_site_transient( $transient ) {
 				}
 
 				// Set transient on rollback.
-				if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'upgrade-plugin_' . $plugin->file ) ) {
-					continue;
-				}
-				if ( isset( $_GET['plugin'], $_GET['rollback'] ) && $plugin->file === $_GET['plugin']
+				if ( isset( $_GET['_wpnonce'], $_GET['plugin'], $_GET['rollback'] )
+					&& wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'upgrade-plugin_' . $plugin->file )
 				) {
 					$transient->response[ $plugin->file ] = ( new Branch() )->set_rollback_transient( 'plugin', $plugin );
 				}

src/Git_Updater/Settings.php

@@ -68,7 +68,7 @@ public function __construct() {
 	 * Check for cache refresh.
 	 */
 	protected function refresh_caches() {
-		if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_refresh_cache' ) ) {
+		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_refresh_cache' ) ) {
 			return;
 		}
 
@@ -226,9 +226,7 @@ public function add_plugin_page() {
 	 * @access private
 	 */
 	private function options_tabs() {
-		if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) ) {
-			return;
-		}
+		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
 		$current_tab = isset( $_GET['tab'] ) ? sanitize_title_with_dashes( wp_unslash( $_GET['tab'] ) ) : 'git_updater_settings';
 		echo '<nav class="nav-tab-wrapper" aria-label="Secondary menu">';
 		foreach ( $this->settings_tabs() as $key => $name ) {
@@ -244,9 +242,7 @@ private function options_tabs() {
 	 * @access private
 	 */
 	private function options_sub_tabs() {
-		if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) ) {
-			return;
-		}
+		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
 		$current_tab = isset( $_GET['subtab'] ) ? sanitize_title_with_dashes( wp_unslash( $_GET['subtab'] ) ) : 'git_updater';
 		echo '<nav class="nav-tab-wrapper" aria-label="Tertiary menu">';
 		foreach ( $this->settings_sub_tabs() as $key => $name ) {
@@ -329,7 +325,7 @@ public function create_admin_page() {
 	 * Display appropriate notice for Settings page actions.
 	 */
 	private function admin_page_notices() {
-		if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) ) {
+		if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) ) {
 			return;
 		}
 		$display = ( isset( $_GET['updated'] ) && is_multisite() )
@@ -659,8 +655,9 @@ public function token_callback_checkbox( $args ) {
 	 * @link http://benohead.com/wordpress-network-wide-plugin-settings/
 	 */
 	public function update_settings() {
-		if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'git_updater-options' ) ) {
+		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'git_updater-options' ) ) {
 			$this->redirect_on_save();
+			return;
 		}
 		if ( ( isset( $_POST['option_page'] )
 			&& 'git_updater' === $_POST['option_page'] )
@@ -694,7 +691,7 @@ public function update_settings() {
 	 * @return array|mixed
 	 */
 	private function filter_options() {
-		if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'git_updater-options' ) ) {
+		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'git_updater-options' ) ) {
 			return;
 		}
 		$options = self::$options;
@@ -784,7 +781,7 @@ protected function redirect_on_save() {
 	 * @return bool
 	 */
 	private function refresh_transients() {
-		if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_refresh_cache' ) ) {
+		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_refresh_cache' ) ) {
 			return false;
 		}
 		if ( isset( $_REQUEST['git_updater_refresh_transients'] ) ) {

src/Git_Updater/Theme.php

@@ -641,10 +641,8 @@ public function update_site_transient( $transient ) {
 			}
 
 			// Set transient for rollback.
-			if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'upgrade-theme_' . $theme->slug ) ) {
-				continue;
-			}
-			if ( isset( $_GET['theme'], $_GET['rollback'] ) && $theme->slug === $_GET['theme']
+			if ( isset( $_GET['_wpnonce'], $_GET['theme'], $_GET['rollback'] )
+				&& wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'upgrade-theme_' . $theme->slug )
 			) {
 				$transient->response[ $theme->slug ] = ( new Branch() )->set_rollback_transient( 'theme', $theme );
 			}

vendor/afragen/wp-dependency-installer/README.md

@@ -61,9 +61,13 @@ You will then need to update `wp-dependencies.json` to suit your requirements.
 
 ```php
 require_once __DIR__ . '/vendor/autoload.php';
-WP_Dependency_Installer::instance( __DIR__ )->run();
+add_action( 'plugins_loaded', function() {
+  WP_Dependency_Installer::instance( __DIR__ )->run();
+});
 ```
 
+`WP_Dependency_Installer` should be loaded via an action hook like `plugins_loaded` or `init` to function properly as it requires `wp-includes/pluggable.php` to be loaded for `wp_create_nonce()`.
+
 4. (optional) Take a look at some of built in [Hooks](https://github.com/afragen/wp-dependency-installer/wiki/Actions-and-Hooks) and [Functions](https://github.com/afragen/wp-dependency-installer/wiki/Helper-Functions) to further customize your plugin look and behaviour:
 
 That's it, happy blogging!

vendor/afragen/wp-dependency-installer/composer.json

@@ -1,7 +1,7 @@
 {
   "name": "afragen/wp-dependency-installer",
   "description": "Library that helps WordPress plugin dependency management.",
-  "version": "4.3.0",
+  "version": "4.3.2",
   "type": "library",
   "license": "MIT",
   "authors": [

vendor/afragen/wp-dependency-installer/wp-dependency-installer.php

@@ -168,11 +168,7 @@ public function register( $config, $caller = false ) {
 				$dependency['source']    = $source;
 				$dependency['sources'][] = $source;
 				$slug                    = $dependency['slug'];
-
-				if ( ! function_exists( 'wp_create_nonce' ) ) {
-					require_once ABSPATH . WPINC . '/pluggable.php';
-				}
-				$dependency['nonce'] = \wp_create_nonce( 'wp-dependency-installer_' . $slug );
+				$dependency['nonce']     = \wp_create_nonce( 'wp-dependency-installer_' . $slug );
 
 				// Keep a reference of all dependent plugins.
 				if ( isset( $this->config[ $slug ] ) ) {
@@ -369,8 +365,8 @@ public function admin_footer() {
 		 * AJAX router.
 		 */
 		public function ajax_router() {
-			if ( isset( $_POST['nonce'], $_POST['slug'] )
-				&& ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wp-dependency-installer_' . sanitize_text_field( wp_unslash( $_POST['slug'] ) ) )
+			if ( ! isset( $_POST['nonce'], $_POST['slug'] )
+				|| ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wp-dependency-installer_' . sanitize_text_field( wp_unslash( $_POST['slug'] ) ) )
 			) {
 				return;
 			}

vendor/composer/installed.json

@@ -102,24 +102,24 @@
         },
         {
             "name": "afragen/wp-dependency-installer",
-            "version": "4.3.0",
-            "version_normalized": "4.3.0.0",
+            "version": "4.3.2",
+            "version_normalized": "4.3.2.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/afragen/wp-dependency-installer.git",
-                "reference": "5c14a929387b9ff266c66291aae23546134a9bdf"
+                "reference": "707d659fcbf690999dde8d5a4359e32e0675cf98"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/afragen/wp-dependency-installer/zipball/5c14a929387b9ff266c66291aae23546134a9bdf",
-                "reference": "5c14a929387b9ff266c66291aae23546134a9bdf",
+                "url": "https://api.github.com/repos/afragen/wp-dependency-installer/zipball/707d659fcbf690999dde8d5a4359e32e0675cf98",
+                "reference": "707d659fcbf690999dde8d5a4359e32e0675cf98",
                 "shasum": ""
             },
             "require": {
                 "afragen/wp-dismiss-notice": "*",
                 "php": ">=5.6"
             },
-            "time": "2022-01-18T21:30:20+00:00",
+            "time": "2022-01-25T03:33:14+00:00",
             "type": "library",
             "installation-source": "dist",
             "autoload": {

vendor/composer/installed.php

@@ -5,7 +5,7 @@
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
-        'reference' => '2523a2eabb18ee0d0dc5de0715b7c3e00217f381',
+        'reference' => '680207b67585dfaaab7271e8f62ad45a54fa87b3',
         'name' => 'afragen/git-updater',
         'dev' => false,
     ),
@@ -16,7 +16,7 @@
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
-            'reference' => '2523a2eabb18ee0d0dc5de0715b7c3e00217f381',
+            'reference' => '680207b67585dfaaab7271e8f62ad45a54fa87b3',
             'dev_requirement' => false,
         ),
         'afragen/singleton' => array(
@@ -42,12 +42,12 @@
             'dev_requirement' => false,
         ),
         'afragen/wp-dependency-installer' => array(
-            'pretty_version' => '4.3.0',
-            'version' => '4.3.0.0',
+            'pretty_version' => '4.3.2',
+            'version' => '4.3.2.0',
             'type' => 'library',
             'install_path' => __DIR__ . '/../afragen/wp-dependency-installer',
             'aliases' => array(),
-            'reference' => '5c14a929387b9ff266c66291aae23546134a9bdf',
+            'reference' => '707d659fcbf690999dde8d5a4359e32e0675cf98',
             'dev_requirement' => false,
         ),
         'afragen/wp-dismiss-notice' => array(