diff --git a/classes/Pods.php b/classes/Pods.php index 8afaf099a0..ab1866a8c0 100644 --- a/classes/Pods.php +++ b/classes/Pods.php @@ -4051,6 +4051,15 @@ public function form( $params = null, $label = null, $thank_you = null ) { $fields_only = $params['fields_only']; $output_type = $params['output_type']; + // Sanitize thank_you for security. + if ( ! empty( $thank_you ) ) { + // Additional sanitization. + $thank_you = sanitize_text_field( $thank_you ); + + // Fallback to '' so that the logic below can kick in if the thank you URL was not safe. + $thank_you = pods_enforce_safe_url( $thank_you, '' ); + } + if ( empty( $output_type ) ) { $output_type = 'div'; } diff --git a/includes/data.php b/includes/data.php index cc828a2fa1..b2fe659653 100644 --- a/includes/data.php +++ b/includes/data.php @@ -2998,3 +2998,23 @@ function pods_objects_keyed_by_name( $objects ) { return $new_list; } + +/** + * Enforce a URL as safe and fallback to another URL if it is not safe. + * + * @since 3.1.4.1 + * + * @param string $url The URL to enforce as safe. + * @param string|null $fallback_url The fallback URL to use if the URL is not valid. + * + * @return string The safe URL or the fallback URL if that was not valid. + */ +function pods_enforce_safe_url( string $url, ?string $fallback_url = null ) { + $url = wp_sanitize_redirect( $url ); + + if ( null === $fallback_url ) { + $fallback_url = pods_current_url(); + } + + return wp_validate_redirect( $url, $fallback_url ); +} diff --git a/init.php b/init.php index c8cecfa249..653259b4a8 100644 --- a/init.php +++ b/init.php @@ -10,7 +10,7 @@ * Plugin Name: Pods - Custom Content Types and Fields * Plugin URI: https://pods.io/ * Description: Pods is a framework for creating, managing, and deploying customized content types and fields - * Version: 3.1.4 + * Version: 3.1.4.1 * Author: Pods Framework Team * Author URI: https://pods.io/about/ * Text Domain: pods @@ -43,7 +43,7 @@ add_action( 'init', 'pods_deactivate_pods_ui' ); } else { // Current version. - define( 'PODS_VERSION', '3.1.4' ); + define( 'PODS_VERSION', '3.1.4.1' ); // Current database version, this is the last version the database changed. define( 'PODS_DB_VERSION', '2.3.5' ); diff --git a/package.json b/package.json index 433ad7ab5c..3b39d71976 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "pods", - "version": "3.1.4", + "version": "3.1.4.1", "description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.", "author": "Pods Foundation, Inc", "homepage": "https://pods.io/", diff --git a/readme.txt b/readme.txt index f496666947..70daf1f6f0 100644 --- a/readme.txt +++ b/readme.txt @@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields Requires at least: 6.0 Tested up to: 6.5 Requires PHP: 7.2 -Stable tag: 3.1.4 +Stable tag: 3.1.4.1 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html @@ -181,6 +181,12 @@ Pods really wouldn't be where it is without all the contributions from our [dono == Changelog == += 3.1.4.1 - May 8th, 2024 = + +*Security Release* + +* Security hardening: Enforce safe URLs for Pods form submission confirmation page URLs. Props to the wesley (wcraft) / Wordfence for responsibly reporting this. (@sc0ttkclark) + = 3.1.4 - February 28th, 2024 = * Fixed: Defaults now show correctly for checkbox groups in the Edit Field modals. (@sc0ttkclark) diff --git a/src/Pods/Blocks/API.php b/src/Pods/Blocks/API.php index fec956bca6..7eb484ed38 100644 --- a/src/Pods/Blocks/API.php +++ b/src/Pods/Blocks/API.php @@ -144,6 +144,11 @@ public function register_assets() { */ $blocks_config = (array) apply_filters( 'pods_blocks_api_config', $blocks_config ); + // Sanitize callbackUrl for security. + foreach ( $blocks_config['commands'] as $key => $command ) { + $blocks_config['commands'][ $key ]['callbackUrl'] = pods_enforce_safe_url( (string) $command['callbackUrl'] ); + } + wp_localize_script( 'pods-blocks-api', 'podsBlocksConfig', $blocks_config ); wp_enqueue_style( 'pods-styles' ); diff --git a/ui/front/form.php b/ui/front/form.php index 8c7ccbaf7e..e96bd1cc1c 100644 --- a/ui/front/form.php +++ b/ui/front/form.php @@ -102,7 +102,7 @@ action="" method="post" class="pods-submittable pods-form pods-form-front pods-form-pod-<?php echo esc_attr( $pod_name ); ?> pods-submittable-ajax" - data-location="<?php echo esc_attr( $thank_you ); ?>" + data-location="<?php echo esc_attr( pods_enforce_safe_url( $thank_you ) ); ?>" id="pods-form-<?php echo esc_attr( $pod_name . '-' . $counter ); ?>" data-pods-pod-name="<?php echo esc_attr( $pod_name ); ?>" data-pods-item-id="<?php echo esc_attr( $id ); ?>"