Steve-Dee-Designs
/
woocommerce
mirror of https://github.com/woocommerce/woocommerce.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14506 from woocommerce/fix/14496 

Prevent nonce check outside admin when calculating for reports
This commit is contained in:
Mike Jolley 2017-04-19 15:05:31 +01:00 committed by GitHub
parent 84c9ce9ceb 2da71bd7fb
commit be96e8c8a1
9 changed files with 26 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
includes/admin/reports/class-wc-admin-report.php
View File

@ -514,11 +514,6 @@ class WC_Admin_Report {
case 'custom' : case 'custom' :
if ( ! isset( $_GET['wc_reports_nonce'] ) || ! wp_verify_nonce( $_GET['wc_reports_nonce'], 'custom_range' ) ) {
wp_safe_redirect( remove_query_arg( array( 'start_date', 'end_date', 'range', 'wc_reports_nonce' ) ) );
exit;
}
$this->start_date = max( strtotime( '-20 years' ), strtotime( sanitize_text_field( $_GET['start_date'] ) ) ); $this->start_date = max( strtotime( '-20 years' ), strtotime( sanitize_text_field( $_GET['start_date'] ) ) );
if ( empty( $_GET['end_date'] ) ) { if ( empty( $_GET['end_date'] ) ) {
@ -650,4 +645,21 @@ class WC_Admin_Report {
* Output the report. * Output the report.
*/ */
public function output_report() {} public function output_report() {}
/**
* Check nonce for current range.
*
* @since 3.0.4
* @param string $current_range Current range.
*/
public function check_current_range_nonce( $current_range ) {
if ( 'custom' !== $current_range ) {
return;
}
if ( ! isset( $_GET['wc_reports_nonce'] ) || ! wp_verify_nonce( $_GET['wc_reports_nonce'], 'custom_range' ) ) {
wp_safe_redirect( remove_query_arg( array( 'start_date', 'end_date', 'range', 'wc_reports_nonce' ) ) );
exit;
}
}
} }

1
includes/admin/reports/class-wc-report-coupon-usage.php
View File

@ -144,6 +144,7 @@ class WC_Report_Coupon_Usage extends WC_Admin_Report {
$current_range = '7day'; $current_range = '7day';
} }
$this->check_current_range_nonce( $current_range );
$this->calculate_current_range( $current_range ); $this->calculate_current_range( $current_range );
include( WC()->plugin_path() . '/includes/admin/views/html-report-by-date.php' ); include( WC()->plugin_path() . '/includes/admin/views/html-report-by-date.php' );

1
includes/admin/reports/class-wc-report-customers.php
View File

@ -178,6 +178,7 @@ class WC_Report_Customers extends WC_Admin_Report {
$current_range = '7day'; $current_range = '7day';
} }
$this->check_current_range_nonce( $current_range );
$this->calculate_current_range( $current_range ); $this->calculate_current_range( $current_range );
$admin_users = new WP_User_Query( $admin_users = new WP_User_Query(

1
includes/admin/reports/class-wc-report-sales-by-category.php
View File

@ -125,6 +125,7 @@ class WC_Report_Sales_By_Category extends WC_Admin_Report {
$current_range = '7day'; $current_range = '7day';
} }
$this->check_current_range_nonce( $current_range );
$this->calculate_current_range( $current_range ); $this->calculate_current_range( $current_range );
// Get item sales data // Get item sales data

1
includes/admin/reports/class-wc-report-sales-by-date.php
View File

@ -562,6 +562,7 @@ class WC_Report_Sales_By_Date extends WC_Admin_Report {
$current_range = '7day'; $current_range = '7day';
} }
$this->check_current_range_nonce( $current_range );
$this->calculate_current_range( $current_range ); $this->calculate_current_range( $current_range );
include( WC()->plugin_path() . '/includes/admin/views/html-report-by-date.php' ); include( WC()->plugin_path() . '/includes/admin/views/html-report-by-date.php' );

4
includes/admin/reports/class-wc-report-sales-by-product.php
View File

@ -138,9 +138,11 @@ class WC_Report_Sales_By_Product extends WC_Admin_Report {
$current_range = ! empty( $_GET['range'] ) ? sanitize_text_field( $_GET['range'] ) : '7day'; $current_range = ! empty( $_GET['range'] ) ? sanitize_text_field( $_GET['range'] ) : '7day';
if ( ! in_array( $current_range, array( 'custom', 'year', 'last_month', 'month', '7day' ) ) ) if ( ! in_array( $current_range, array( 'custom', 'year', 'last_month', 'month', '7day' ) ) ) {
$current_range = '7day'; $current_range = '7day';
}
$this->check_current_range_nonce( $current_range );
$this->calculate_current_range( $current_range ); $this->calculate_current_range( $current_range );
include( WC()->plugin_path() . '/includes/admin/views/html-report-by-date.php' ); include( WC()->plugin_path() . '/includes/admin/views/html-report-by-date.php' );

1
includes/admin/reports/class-wc-report-taxes-by-code.php
View File

@ -57,6 +57,7 @@ class WC_Report_Taxes_By_Code extends WC_Admin_Report {
$current_range = 'last_month'; $current_range = 'last_month';
} }
$this->check_current_range_nonce( $current_range );
$this->calculate_current_range( $current_range ); $this->calculate_current_range( $current_range );
$hide_sidebar = true; $hide_sidebar = true;

1
includes/admin/reports/class-wc-report-taxes-by-date.php
View File

@ -57,6 +57,7 @@ class WC_Report_Taxes_By_Date extends WC_Admin_Report {
$current_range = 'last_month'; $current_range = 'last_month';
} }
$this->check_current_range_nonce( $current_range );
$this->calculate_current_range( $current_range ); $this->calculate_current_range( $current_range );
$hide_sidebar = true; $hide_sidebar = true;

2
includes/api/v1/class-wc-rest-report-sales-controller.php
View File

@ -249,7 +249,6 @@ class WC_REST_Report_Sales_V1_Controller extends WC_REST_Controller {
$this->report = new WC_Report_Sales_By_Date(); $this->report = new WC_Report_Sales_By_Date();
if ( empty( $filter['period'] ) ) { if ( empty( $filter['period'] ) ) {
// Custom date range. // Custom date range.
$filter['period'] = 'custom'; $filter['period'] = 'custom';
@ -265,7 +264,6 @@ class WC_REST_Report_Sales_V1_Controller extends WC_REST_Controller {
$_GET['start_date'] = $_GET['end_date'] = date( 'Y-m-d', current_time( 'timestamp' ) ); $_GET['start_date'] = $_GET['end_date'] = date( 'Y-m-d', current_time( 'timestamp' ) );
} }
} else { } else {
$filter['period'] = empty( $filter['period'] ) ? 'week' : $filter['period']; $filter['period'] = empty( $filter['period'] ) ? 'week' : $filter['period'];
// Change "week" period to "7day". // Change "week" period to "7day".