From 776893ef4e7a0a3a081936cc11895eddbcf7b0e1 Mon Sep 17 00:00:00 2001
From: Scott Kingsley Clark 
Date: Tue, 7 May 2024 09:39:22 -0500
Subject: [PATCH] Security patch

---
 classes/Pods.php | 9 +++++++++
 includes/data.php | 20 ++++++++++++++++++++
 init.php | 4 ++--
 package.json | 2 +-
 readme.txt | 14 +++++++++++++-
 ui/front/form.php | 2 +-
 6 files changed, 46 insertions(+), 5 deletions(-)

diff --git a/classes/Pods.php b/classes/Pods.php
index f9b02fefa9..5a3266d8e2 100644
--- a/classes/Pods.php
+++ b/classes/Pods.php
@@ -4112,6 +4112,15 @@ public function form( $params = null, $label = null, $thank_you = null ) {
 $thank_you = $params['thank_you'];
 $fields_only = $params['fields_only'];
 
+ // Sanitize thank_you for security.
+ if ( ! empty( $thank_you ) ) {
+ // Additional sanitization.
+ $thank_you = sanitize_text_field( $thank_you );
+
+ // Fallback to '' so that the logic below can kick in if the thank you URL was not safe.
+ $thank_you = pods_enforce_safe_url( $thank_you, '' );
+ }
+
 PodsForm::$form_counter ++;
 
 ob_start();
diff --git a/includes/data.php b/includes/data.php
index 3a843b3af4..01f48609e2 100644
--- a/includes/data.php
+++ b/includes/data.php
@@ -2452,3 +2452,23 @@ function pods_list_filter( $list, $args = array(), $operator = 'AND' ) {
 
 return $filtered;
 }
+
+/**
+ * Enforce a URL as safe and fallback to another URL if it is not safe.
+ *
+ * @since 2.7.31.3
+ *
+ * @param string $url The URL to enforce as safe.
+ * @param string|null $fallback_url The fallback URL to use if the URL is not valid.
+ *
+ * @return string The safe URL or the fallback URL if that was not valid.
+ */
+function pods_enforce_safe_url( $url, $fallback_url = null ) {
+ $url = wp_sanitize_redirect( $url );
+
+ if ( null === $fallback_url ) {
+ $fallback_url = pods_current_url();
+ }
+
+ return wp_validate_redirect( $url, $fallback_url );
+}
diff --git a/init.php b/init.php
index d38f219ee7..c4ec61c312 100644
--- a/init.php
+++ b/init.php
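Review bot: `sanitize_text_field()` on the new `$thank_you` line in Pods::form() is a text sanitizer, not a URL one: it strips percent-encoded octets, so a confirmation URL whose query string carries encoded values reaches `pods_enforce_safe_url()` already altered and may no longer be the URL the site owner configured. The actual host/scheme restriction comes from `wp_validate_redirect()` inside `pods_enforce_safe_url()`, and `wp_sanitize_redirect()` already narrows the character set, so the extra step adds little beyond that mangling; `$thank_you = esc_url_raw( $thank_you );` would keep valid URLs intact while still dropping dangerous schemes. The comment `// Fallback to ''` refers to handling that is outside this hunk, so the reviewer cannot confirm what an empty `$thank_you` does downstream; a one-line note naming that fallback behaviour would help. The enclosing `form()` method starts and ends outside the hunk.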
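Review bot: The docblock on the new `pods_enforce_safe_url()` should spell out what "safe" means here, because callers will read it as a general URL check: `wp_validate_redirect()` accepts only http/https URLs whose host is the site's own host or one admitted through the `allowed_redirect_hosts` filter (relative paths count as local), and returns `$fallback_url` for anything else. Suggest replacing the `@return` line with `@return string The validated URL, or $fallback_url when the scheme or host is not allowed.` and adding `@see wp_validate_redirect()`. It is also worth documenting that `$fallback_url` is returned unvalidated, so callers must pass a trusted value; the `''` and `pods_current_url()` cases in this commit are fine.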
@@ -3,7 +3,7 @@
 Plugin Name: Pods - Custom Content Types and Fields
 Plugin URI: https://pods.io/
 Description: Pods is a framework for creating, managing, and deploying customized content types and fields
-Version: 2.7.31.1
+Version: 2.7.31.3
 Author: Pods Framework Team
 Author URI: https://pods.io/about/
 Text Domain: pods
@@ -37,7 +37,7 @@
 add_action( 'init', 'pods_deactivate_pods_ui' );
 } else {
 // Current version
- define( 'PODS_VERSION', '2.7.31.1' );
+ define( 'PODS_VERSION', '2.7.31.3' );
 
 // Version tracking between DB updates themselves
 define( 'PODS_DB_VERSION', '2.3.5' );
diff --git a/package.json b/package.json
index c2dfb25ff4..e607d19c71 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pods",
- "version": "2.7.31.1",
+ "version": "2.7.31.3",
 "description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.",
 "author": "Pods Foundation, Inc",
 "homepage": "https://pods.io/",
diff --git a/readme.txt b/readme.txt
index 6d20eccf87..c91cffcfee 100644
--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields,
 Requires at least: 4.5
 Tested up to: 5.8
 Requires PHP: 5.3
-Stable tag: 2.7.31.1
+Stable tag: 2.7.31.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -190,6 +190,18 @@ We are also available through our [Live Slack Chat](https://pods.io/chat/) to he
 
 == Changelog ==
 
+= 2.7.31.3 - May 8th, 2024 =
+
+*Security Release*
+
+* Security hardening: Enforce safe URLs for Pods form submission confirmation page URLs. Props to the wesley (wcraft) / Wordfence for responsibly reporting this. (@sc0ttkclark)
+
+= 2.7.31.2 - February 21st, 2024 =
+
+*Security Release*
+
+Resolved issue with release deployment, see previous version for more details about the release.
+
 = 2.7.31.1 - February 21st, 2024 =
 
 *Security Release*
diff --git a/ui/front/form.php b/ui/front/form.php index 027f8868b4..6effa4e7d9 100644 --- a/ui/front/form.php +++ b/ui/front/form.php @@ -77,7 +77,7 @@ if ( !$fields_only ) { $field_prefix = 'pods_field_'; ?> -
+