fix: add nonce on request protect files

This commit is contained in:
vnmedeiros 2024-02-26 11:46:29 -03:00
parent 65f96ff558
commit e7c8872049
2 changed files with 9 additions and 3 deletions


@ -244,6 +244,8 @@ class REST_Background_Processes_Controller extends REST_Controller {
public function prepare_item_for_response($item, $request) { public function prepare_item_for_response($item, $request) {
$item->log = $this->get_log_url($item->ID, $item->action); $item->log = $this->get_log_url($item->ID, $item->action);
$item->error_log = $this->get_log_url($item->ID, $item->action, 'error'); $item->error_log = $this->get_log_url($item->ID, $item->action, 'error');
$nonce = wp_create_nonce( 'wp_rest' );
$item->output = str_replace("&_wpnonce=[nonce]", "&_wpnonce=$nonce", $item->output);
return $item; return $item;
} }
@ -351,7 +353,8 @@ class REST_Background_Processes_Controller extends REST_Controller {
if (!file_exists( $upload_url['basedir'] . '/tainacan/' . $filename )) { if (!file_exists( $upload_url['basedir'] . '/tainacan/' . $filename )) {
return null; return null;
} }
$logs_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$filename"; $nonce = wp_create_nonce( 'wp_rest' );
$logs_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$filename&_wpnonce=$nonce";
return $logs_url; return $logs_url;
} }
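Review bot: The substitution on the `$item->output` line matches only the exact byte sequence `&_wpnonce=[nonce]`, so any copy of the URL that was HTML-escaped (`&amp;_wpnonce=[nonce]`) or that `[nonce]` placeholder reached the stored output before this commit in another form is left with a literal `[nonce]` and yields a 403 from the file endpoint; a comment stating the contract would help, e.g. `// Exporter writes the literal "&_wpnonce=[nonce]" marker into output file URLs; it is resolved here, per requesting user, because wp_rest nonces are session-bound and time-limited.` If `$item->output` can be null (not visible here), passing it to `str_replace()` is deprecated since PHP 8.1 and should be guarded. The same `wp_create_nonce( 'wp_rest' )` call now appears in both hunks of this file; a small private helper would keep the action name in one place. Both hunks sit inside methods whose bodies extend beyond the shown lines.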


@ -700,7 +700,7 @@ abstract class Exporter {
} }
$file_name = "{$upload_dir}{$file_suffix}"; $file_name = "{$upload_dir}{$file_suffix}";
$guid = "exporter/{$prefix}_{$key}"; $guid = "exporter/{$prefix}_{$key}";
$file_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$guid"; $file_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$guid&_wpnonce=[nonce]";
$this->output_files[$key] = [ $this->output_files[$key] = [
'filename' => $file_name, 'filename' => $file_name,
'url' => $file_url 'url' => $file_url
@ -776,7 +776,10 @@ abstract class Exporter {
$user = get_userdata( (int) $author ); $user = get_userdata( (int) $author );
if ($user instanceof \WP_User) { if ($user instanceof \WP_User) {
$msg = $this->get_output(); $msg = $this->get_output();
$this->add_log('Sending email to ' . $user->user_email); $email_parts = explode('@', $user->user_email);
$first_letter = substr($email_parts[0], 0, 1);
$anonymized_email = $first_letter . '*****@' . $email_parts[1];
$this->add_log('Sending email to ' . $anonymized_email);
wp_mail($user->user_email, __('Finished export.', 'tainacan'), $msg); wp_mail($user->user_email, __('Finished export.', 'tainacan'), $msg);
} }
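Review bot: In the second hunk, `$email_parts[1]` is read unconditionally after `explode('@', $user->user_email)`, so an empty or malformed `user_email` (possible for a `\WP_User`, though not visible here) raises an "Undefined array key 1" warning in the logging path itself; guard the domain part, e.g. `$domain = $email_parts[1] ?? '';` and `$anonymized_email = $first_letter . '*****' . ($domain !== '' ? '@' . $domain : '');`. `substr` on the local part may also cut a multi-byte first character in half, so `mb_substr` is the safer choice for a string that ends up in a log. Separately, the first hunk writes the literal `&_wpnonce=[nonce]` marker into `$this->output_files[$key]['url']`; that marker is only resolved in the REST controller, so if `get_output()` includes those URLs the mail body sent here would carry an unusable link — worth confirming and documenting on the `$file_url` line.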