From 6199f892091be5279eb03fd9455184c3dd3ec03d Mon Sep 17 00:00:00 2001
From: vnmedeiros
Date: Wed, 18 May 2022 17:58:18 -0300
Subject: [PATCH 01/17] fix: remove `curl_exec`
---
src/classes/class-tainacan-media.php | 53 +++-------------------------
1 file changed, 5 insertions(+), 48 deletions(-)
diff --git a/src/classes/class-tainacan-media.php b/src/classes/class-tainacan-media.php
index 87412b9e7..0b008e627 100644
--- a/src/classes/class-tainacan-media.php
+++ b/src/classes/class-tainacan-media.php
@@ -103,54 +103,11 @@ class Media {
* @return string the file path
*/
public function save_remote_file($url) {
- set_time_limit(0);
-
- $filename = tempnam(sys_get_temp_dir(), basename($url));
-
- # Open the file for writing...
- self::$file_handle = fopen($filename, 'w+');
- self::$file_name = $filename;
-
- $callback = function ($ch, $str) {
- $len = fwrite(self::$file_handle, $str);
- return $len;
- };
-
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, $url);
- curl_setopt($ch, CURLOPT_FILE, self::$file_handle);
- curl_setopt($ch, CURLOPT_HEADER, 0);
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
- curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
- curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); # optional
- curl_setopt($ch, CURLOPT_TIMEOUT, -1); # optional: -1 = unlimited, 3600 = 1 hour
- curl_setopt($ch, CURLOPT_VERBOSE, false); # Set to true to see all the innards
-
- # Only if you need to bypass SSL certificate validation
- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-
- # Assign a callback function to the CURL Write-Function
- curl_setopt($ch, CURLOPT_WRITEFUNCTION, $callback);
-
- # Execute the download - note we DO NOT put the result into a variable!
- curl_exec($ch);
- if (curl_errno($ch)) {
- $error_msg = curl_error($ch);
- # Close CURL
- curl_close($ch);
- # Close the file pointer
- fclose(self::$file_handle);
- throw new \Exception( "[save_remote_file]:" . $error_msg);
- }
-
- # Close CURL
- curl_close($ch);
-
- # Close the file pointer
- fclose(self::$file_handle);
-
- return $filename;
+ $filename = download_url($url, 900);
+ if( is_wp_error($filename) ) {
+ throw new \Exception( "[save_remote_file]:" . implode("\n", $filename->get_error_messages()));
+ }
+ return $filename;
}
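Review bot: The new body no longer assigns `self::$file_handle` and `self::$file_name`, which the removed code set before the download; if any other method of Media reads `self::$file_name` (the rest of the class is outside the hunk), it now stays unset, so either drop those static properties or confirm they have no readers. `download_url()` also hands back a path to a temporary file that the caller has to remove, which the docblock just above the hunk does not say; I would change it to `@return string path to a temporary file; the caller is responsible for deleting it`. Replacing the hand-rolled cURL call drops the `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` = false settings, so certificate validation is now on, which is the right default but worth a line in the commit message because downloads from hosts with invalid certificates will start failing with the thrown exception.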
From a7de746a6c35834bc1b6d321605bf76a2be9ce33 Mon Sep 17 00:00:00 2001
From: vnmedeiros
Date: Wed, 18 May 2022 18:11:02 -0300
Subject: [PATCH 02/17] fix not using `file_get_contents` to get remote files
---
.../class-tainacan-rest-items-controller.php | 7 ++++-
.../class-tainacan-flickr-importer.php | 18 +++++++++----
.../importer/class-tainacan-test-importer.php | 4 ++-
.../class-tainacan-youtube-importer.php | 26 ++++++++++++++-----
4 files changed, 41 insertions(+), 14 deletions(-)
diff --git a/src/classes/api/endpoints/class-tainacan-rest-items-controller.php b/src/classes/api/endpoints/class-tainacan-rest-items-controller.php
index 2220cb62d..d7232d2f9 100644
--- a/src/classes/api/endpoints/class-tainacan-rest-items-controller.php
+++ b/src/classes/api/endpoints/class-tainacan-rest-items-controller.php
@@ -1383,7 +1383,12 @@ class REST_Items_Controller extends REST_Controller {
], 400);
}
$secret_key = get_option("tnc_option_recaptch_secret_key");
- $response = json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=$secret_key&response=".$captcha_data."&remoteip=".$_SERVER['REMOTE_ADDR']));
+ $api_url = "https://www.google.com/recaptcha/api/siteverify?secret=$secret_key&response=".$captcha_data."&remoteip=".$_SERVER['REMOTE_ADDR'];
+
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $response = json_decode($body);
+
if ($response->success) {
return true;
} else {
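Review bot: `wp_remote_get()` can return a `WP_Error` (DNS failure, timeout), and the added lines pass it straight to `wp_remote_retrieve_body()`, which then yields `''`; `json_decode('')` is `null`, so the `$response->success` test on the next line reads a property of null (a warning on PHP 8) before falling into the else branch. The secret key and the captcha token are also concatenated into the GET query string without URL-encoding, where they end up in proxy and server access logs; siteverify accepts a POST form body, so `wp_remote_post()` with a `body` array both encodes the values and keeps the secret out of the URL. The enclosing method and its else branch continue outside the hunk.
```php
$response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', [
    'body' => [
        'secret'   => $secret_key,
        'response' => $captcha_data,
        'remoteip' => $_SERVER['REMOTE_ADDR'],
    ],
] );
// A transport failure must not verify the captcha: treat it like an unsuccessful answer.
$response = is_wp_error( $response ) ? null : json_decode( wp_remote_retrieve_body( $response ) );
if ( ! empty( $response->success ) ) {
// … unchanged: success and else branches …
```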
diff --git a/src/classes/importer/class-tainacan-flickr-importer.php b/src/classes/importer/class-tainacan-flickr-importer.php
index 9865c2891..920c212ff 100644
--- a/src/classes/importer/class-tainacan-flickr-importer.php
+++ b/src/classes/importer/class-tainacan-flickr-importer.php
@@ -188,7 +188,9 @@ class Flickr_Importer extends Importer {
$this->add_log('url ' . $api_url);
- $json = json_decode(file_get_contents($api_url));
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $json = json_decode($body);
if( $json && isset($json->photoset) ){
return $json;
}
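Review bot: The added lines never check `is_wp_error( $response )`; on a transport failure `wp_remote_retrieve_body()` returns `''`, `$json` becomes `null`, and the existing `if( $json && isset($json->photoset) )` guard silently takes the failure path, so the cause never reaches the log even though `add_log('url ' . $api_url)` on the line above records the request. I would add `if ( is_wp_error( $response ) ) { $this->add_log( 'request failed: ' . $response->get_error_message() ); }` between the `wp_remote_get` call and the decode. The same pattern repeats in the other three Flickr_Importer hunks, the Test_Importer hunk and all six Youtube_Importer hunks of this patch. The enclosing methods start and end outside the hunks.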
@@ -203,7 +205,10 @@ class Flickr_Importer extends Importer {
$this->add_log('url ' . $api_url);
- $json = json_decode(file_get_contents($api_url));
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $json = json_decode($body);
+
if( $json && isset($json->photos) ){
return $json;
@@ -218,7 +223,9 @@ class Flickr_Importer extends Importer {
$this->add_log('url ' . $api_url);
- $json = json_decode(file_get_contents($api_url));
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $json = json_decode($body);
if( $json && isset($json->photo) ){
return $json;
@@ -428,8 +435,9 @@ class Flickr_Importer extends Importer {
. $id . $this->format;
$this->add_log('url ' . $api_url);
-
- $json = json_decode(file_get_contents($api_url));
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $json = json_decode($body);
if( $json && isset($json->photo) ){
return $json;
diff --git a/src/classes/importer/class-tainacan-test-importer.php b/src/classes/importer/class-tainacan-test-importer.php
index 8494244c1..08ef31fc3 100644
--- a/src/classes/importer/class-tainacan-test-importer.php
+++ b/src/classes/importer/class-tainacan-test-importer.php
@@ -649,8 +649,10 @@ class Test_Importer extends Importer {
$keyword = ( $this->get_option('keyword_images') ) ? $this->get_option('keyword_images') : '';
$url = "https://loremflickr.com/$horizontal_size/$vertical_size/$keyword";
+ $response = wp_remote_get( $url );
+ $content = wp_remote_retrieve_body( $response );
- $id = $TainacanMedia->insert_attachment_from_blob(file_get_contents($url), time() . '.jpg', $inserted_item->get_id());
+ $id = $TainacanMedia->insert_attachment_from_blob($content, time() . '.jpg', $inserted_item->get_id());
if(!$id){
$this->add_error_log('Error in imported URL ' . $url);
diff --git a/src/classes/importer/class-tainacan-youtube-importer.php b/src/classes/importer/class-tainacan-youtube-importer.php
index f058f5d49..9c598276e 100644
--- a/src/classes/importer/class-tainacan-youtube-importer.php
+++ b/src/classes/importer/class-tainacan-youtube-importer.php
@@ -231,7 +231,9 @@ class Youtube_Importer extends Importer {
$api_url = 'https://www.googleapis.com/youtube/v3/channels?part=statistics,snippet,contentDetails&id='
. $id . '&key=' . $api_key;
- $json = json_decode(file_get_contents($api_url));
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $json = json_decode($body);
if( $json && isset($json->items) ){
$item = $json->items[0];
@@ -239,7 +241,9 @@ class Youtube_Importer extends Importer {
. $pageToken . '&maxResults=1&playlistId='
. $item->contentDetails->relatedPlaylists->uploads . '&key=' . $api_key;
- $json = json_decode(file_get_contents($api_url));
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $json = json_decode($body);
if( $json && isset($json->items) ){
return $json;
@@ -251,8 +255,10 @@ class Youtube_Importer extends Importer {
case 'user':
$api_url = 'https://www.googleapis.com/youtube/v3/channels?part=statistics,snippet,contentDetails&forUsername='
. $id . '&key=' . $api_key;
-
- $json = json_decode(file_get_contents($api_url));
+
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $json = json_decode($body);
if( $json && isset($json->items) ){
$item = $json->items[0];
@@ -260,7 +266,9 @@ class Youtube_Importer extends Importer {
. $pageToken . '&maxResults=1&playlistId='
. $item->contentDetails->relatedPlaylists->uploads . '&key=' . $api_key;
- $json = json_decode(file_get_contents($api_url));
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $json = json_decode($body);
if( $json && isset($json->items) ){
return $json;
@@ -274,7 +282,9 @@ class Youtube_Importer extends Importer {
. $pageToken . '&maxResults=1&playlistId='
. $id . '&key=' . $api_key;
- $json = json_decode(file_get_contents($api_url));
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $json = json_decode($body);
if( $json && isset($json->items) ){
return $json;
@@ -285,7 +295,9 @@ class Youtube_Importer extends Importer {
$api_url = 'https://www.googleapis.com/youtube/v3/videos?part=snippet%2CcontentDetails&maxResults=1&id='
. $id . '&key=' . $api_key;
- $json = json_decode(file_get_contents($api_url));
+ $response = wp_remote_get( $api_url );
+ $body = wp_remote_retrieve_body( $response );
+ $json = json_decode($body);
if( $json && isset($json->items) ){
return $json;
From 66fa425cc7ca017a46c6e36c259e17a60186f639 Mon Sep 17 00:00:00 2001
From: vnmedeiros
Date: Wed, 18 May 2022 21:40:54 -0300
Subject: [PATCH 03/17] fix: remove require `wp-blog-header.php`
---
src/classes/importer/import.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/classes/importer/import.php b/src/classes/importer/import.php
index d14e23c0d..0be1f3c3b 100644
--- a/src/classes/importer/import.php
+++ b/src/classes/importer/import.php
@@ -64,7 +64,7 @@ class ScriptTainacanOld {
define( 'WP_USE_THEMES', false );
define( 'SHORTINIT', false );
- require( dirname(__FILE__) . '/../../../../wp-blog-header.php' );
+ // require( dirname(__FILE__) . '/../../../../wp-blog-header.php' );
$old_tainacan = new \Tainacan\Importer\Old_Tainacan();
$id = $old_tainacan->get_id();
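Review bot: Commenting out the `require` leaves dead code in place; delete the line instead of keeping it as a comment. The two `define()` calls on the preceding lines only had a purpose when this script bootstrapped WordPress itself through `wp-blog-header.php`; with the require gone they are presumably dead, and if the script is now executed inside an already-loaded WordPress they would redefine constants that core sets, which PHP reports as a warning. Since the class body and whatever now invokes `ScriptTainacanOld` start outside the hunk, a one-line comment stating how the script is expected to be loaded after this change would help the next reader, e.g. `// Expects to run inside an already bootstrapped WordPress; do not require wp-blog-header.php here.`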
From bcc4a6b57fdab80076ea7db6eb14b0420bf79791 Mon Sep 17 00:00:00 2001
From: vnmedeiros
Date: Wed, 18 May 2022 22:28:27 -0300
Subject: [PATCH 04/17] fix: sanitized and escaped input and output
---
src/classes/class-tainacan-media.php | 2 +-
src/classes/class-tainacan-private-files.php | 6 +++---
src/classes/exporter/class-tainacan-csv.php | 4 ++--
.../exporter/class-tainacan-term-exporter.php | 4 ++--
.../exposers/class-tainacan-exposers-handler.php | 2 +-
src/classes/importer/class-tainacan-csv.php | 8 ++++----
.../importer/class-tainacan-test-importer.php | 12 ++++++------
.../importer/class-tainacan-youtube-importer.php | 2 +-
.../class-tainacan-term-importer.php | 4 ++--
src/classes/theme-helper/template-tags.php | 16 ++++++++--------
src/views/class-tainacan-admin.php | 6 +++---
11 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/src/classes/class-tainacan-media.php b/src/classes/class-tainacan-media.php
index 0b008e627..e8867d681 100644
--- a/src/classes/class-tainacan-media.php
+++ b/src/classes/class-tainacan-media.php
@@ -338,7 +338,7 @@ class Media {
}
- echo $output;
+ echo wp_kses_post($output);
exit();
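Review bot: `wp_kses_post()` is an HTML filter that strips tags and attributes outside the allowed post set, so it is the right escaper only if `$output` is HTML meant for a browser; if this method serves a file body, JSON or XML (the method's start, and therefore what `$output` holds, is outside the hunk), the filter alters the payload. Confirm the content type before merging: for non-HTML output either validate or escape for that format, or emit the bytes unchanged with `// phpcs:ignore WordPress.Security.EscapeOutput -- <reason>` so the decision is recorded rather than silently wrapped.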
diff --git a/src/classes/class-tainacan-private-files.php b/src/classes/class-tainacan-private-files.php
index 9e489b2b6..160525220 100644
--- a/src/classes/class-tainacan-private-files.php
+++ b/src/classes/class-tainacan-private-files.php
@@ -117,12 +117,12 @@ class Private_Files {
// regular ajax uploads via Admin Panel will send post_id
if ( isset($_REQUEST['post_id']) && $_REQUEST['post_id'] ) {
- $post_id = $_REQUEST['post_id'];
+ $post_id = sanitize_text_field($_REQUEST['post_id']);
}
// API requests to media endpoint will send post
if ( false === $post_id && isset($_REQUEST['post']) && is_numeric($_REQUEST['post']) ) {
- $post_id = $_REQUEST['post'];
+ $post_id = sanitize_text_field($_REQUEST['post']);
}
// tainacan internals, scripts and tests, will set this global
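Review bot: `sanitize_text_field()` is the wrong sanitizer for a post ID: it returns a string and accepts any non-tag text, so `$post_id` can still be a value like `'12abc'`, and the second branch already checks `is_numeric` before sanitizing. Both values are used as a post ID, so cast them instead: `$post_id = absint( $_REQUEST['post_id'] );` and `$post_id = absint( $_REQUEST['post'] );`, noting that the `false === $post_id` test on the second branch would then need to become `! $post_id` so that a non-numeric first value (cast to 0) still falls through. The enclosing method starts and ends outside the hunk.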
@@ -191,7 +191,7 @@ class Private_Files {
$upload_dir = wp_get_upload_dir();
$base_upload_url = preg_replace('/^https?:\/\//', '', $upload_dir['baseurl']);
- $requested_uri = $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
+ $requested_uri = sanitize_text_field($_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
if ( strpos($requested_uri, $base_upload_url) === false ) {
// Not uploads
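Review bot: `sanitize_text_field()` is lossy on a URI: among other things it removes percent-encoded octets such as `%20` and `%C3%A9` and anything that looks like a tag, so a request for an upload whose filename contains a space or a non-ASCII character would presumably stop matching in the path lookup that follows outside the hunk. The URI is only compared with `strpos` here, so an output-escaping filter is not what is needed; take the path component and validate it instead, e.g. `$requested_uri = $_SERVER['SERVER_NAME'] . wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );` followed by rejecting any `..` segment, and leave decoding to the point where the path is mapped to the filesystem.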
diff --git a/src/classes/exporter/class-tainacan-csv.php b/src/classes/exporter/class-tainacan-csv.php
index a9bab17cf..6b277b7c5 100644
--- a/src/classes/exporter/class-tainacan-csv.php
+++ b/src/classes/exporter/class-tainacan-csv.php
@@ -312,7 +312,7 @@ class CSV extends Exporter {
-
+
@@ -334,7 +334,7 @@ class CSV extends Exporter {
-
+
diff --git a/src/classes/exporter/class-tainacan-term-exporter.php b/src/classes/exporter/class-tainacan-term-exporter.php
index 7fe612680..552382c8f 100644
--- a/src/classes/exporter/class-tainacan-term-exporter.php
+++ b/src/classes/exporter/class-tainacan-term-exporter.php
@@ -98,7 +98,7 @@ class Term_Exporter extends Exporter {
-
+
@@ -127,7 +127,7 @@ class Term_Exporter extends Exporter {
$taxonomies = $Tainacan_Taxonomies->fetch( ['nopaging' => true], 'OBJECT' );
foreach( $taxonomies as $taxonomie) {
?>
- get_name() ?>
+ get_name()); ?>
diff --git a/src/classes/exposers/class-tainacan-exposers-handler.php b/src/classes/exposers/class-tainacan-exposers-handler.php
index 28bdee911..249412484 100644
--- a/src/classes/exposers/class-tainacan-exposers-handler.php
+++ b/src/classes/exposers/class-tainacan-exposers-handler.php
@@ -148,7 +148,7 @@ class Exposers_Handler {
$type_responde = $exposer->rest_request_after_callbacks($response, $handler, $request);
if(self::request_has_url_param($request)) {
header(implode('', $response->get_headers()));
- echo stripcslashes($response->get_data());
+ echo esc_attr(stripcslashes($response->get_data()));
exit();
}
return $type_responde;
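Review bot: `esc_attr()` HTML-entity-encodes the body (`"` to `&quot;`, `<` to `&lt;`, `&` to `&amp;`), but the `header()` call on the line above sends whatever content type the exposer declared, and an exposer payload such as JSON or XML is not an HTML attribute value, so the encoded output would presumably no longer parse for the client. Escaping has to match the output context: if `$response->get_data()` is already a serialized document, emit it unchanged with `// phpcs:ignore WordPress.Security.EscapeOutput -- serialized exposer payload, content type set above` or escape according to the actual content type rather than entity-encoding it. The enclosing method starts outside the hunk.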
diff --git a/src/classes/importer/class-tainacan-csv.php b/src/classes/importer/class-tainacan-csv.php
index 9322d8f79..fea113b08 100644
--- a/src/classes/importer/class-tainacan-csv.php
+++ b/src/classes/importer/class-tainacan-csv.php
@@ -334,7 +334,7 @@ class CSV extends Importer {
-
+
@@ -357,7 +357,7 @@ class CSV extends Importer {
-
+
@@ -410,7 +410,7 @@ class CSV extends Importer {
-
+
@@ -467,7 +467,7 @@ class CSV extends Importer {
-
+
: on this link.', 'tainacan')); ?>
diff --git a/src/classes/importer/class-tainacan-test-importer.php b/src/classes/importer/class-tainacan-test-importer.php
index 08ef31fc3..0e4d6b948 100644
--- a/src/classes/importer/class-tainacan-test-importer.php
+++ b/src/classes/importer/class-tainacan-test-importer.php
@@ -125,7 +125,7 @@ class Test_Importer extends Importer {
-
+
@@ -149,7 +149,7 @@ class Test_Importer extends Importer {
-
+
@@ -204,7 +204,7 @@ class Test_Importer extends Importer {
-
+
@@ -266,7 +266,7 @@ class Test_Importer extends Importer {
-
+
@@ -290,7 +290,7 @@ class Test_Importer extends Importer {
-
+
@@ -312,7 +312,7 @@ class Test_Importer extends Importer {
-
+
diff --git a/src/classes/importer/class-tainacan-youtube-importer.php b/src/classes/importer/class-tainacan-youtube-importer.php
index 9c598276e..7ce7751b7 100644
--- a/src/classes/importer/class-tainacan-youtube-importer.php
+++ b/src/classes/importer/class-tainacan-youtube-importer.php
@@ -411,7 +411,7 @@ class Youtube_Importer extends Importer {
-
+
diff --git a/src/classes/importer/term-importer/class-tainacan-term-importer.php b/src/classes/importer/term-importer/class-tainacan-term-importer.php
index 2309200b5..a97d2c4cb 100644
--- a/src/classes/importer/term-importer/class-tainacan-term-importer.php
+++ b/src/classes/importer/term-importer/class-tainacan-term-importer.php
@@ -60,7 +60,7 @@ class Term_Importer extends Importer {
-
+
@@ -101,7 +101,7 @@ class Term_Importer extends Importer {
-
+
diff --git a/src/classes/theme-helper/template-tags.php b/src/classes/theme-helper/template-tags.php
index 1308d9995..85ec5071e 100644
--- a/src/classes/theme-helper/template-tags.php
+++ b/src/classes/theme-helper/template-tags.php
@@ -472,37 +472,37 @@ function tainacan_get_the_media_component_slide( $args = array() ) {
-
+
-
+
-