From 25616a97c0fb50c1fa3982e45ed6cfcc46735b99 Mon Sep 17 00:00:00 2001
From: Kenneth Reitz
Date: Wed, 5 May 2010 01:41:30 -0400
Subject: [PATCH] plugins update
---
.../plugins/twitter-tools/README.txt | 17 ++-
.../twitter-tools/twitter-tools-bitly.php | 6 +-
.../twitter-tools-excludecat.php | 6 +-
.../twitter-tools/twitter-tools-hashtags.php | 6 +-
.../plugins/twitter-tools/twitter-tools.php | 130 +++++++++---------
5 files changed, 96 insertions(+), 69 deletions(-)
diff --git a/blog/wp-content/plugins/twitter-tools/README.txt b/blog/wp-content/plugins/twitter-tools/README.txt
index f50ad97..3553e9b 100644
--- a/blog/wp-content/plugins/twitter-tools/README.txt
+++ b/blog/wp-content/plugins/twitter-tools/README.txt
@@ -1,9 +1,9 @@
=== Twitter Tools ===
Tags: twitter, tweet, integration, post, digest, notify, integrate, archive, widget
-Contributors: alexkingorg. crowdfavorite
+Contributors: alexkingorg, crowdfavorite
Requires at least: 2.6
-Tested up to: 2.9.1
-Stable tag: 2.2.1
+Tested up to: 3.0b1
+Stable tag: 2.3.1
Twitter Tools is a plugin that creates a complete integration between your WordPress blog and your Twitter account.
@@ -221,6 +221,17 @@ No, this is not a good idea. Twitter Tools needs to be able to look at the begin
== Changelog ==
+= 2.3.1 =
+
+* Fixed a typo that was breaking the latest tweet template tag.
+
+= 2.3 =
+
+* Added nonces
+* Patched several potential security issues (thanks Mark Jaquith)
+* Load JS and CSS in separate process to possibly avoid some race conditions
+
+
= 2.2.1 =
* Typo-fix that should allow resetting digests properly (not sure when this broke, thanks lionel_chollet).
diff --git a/blog/wp-content/plugins/twitter-tools/twitter-tools-bitly.php b/blog/wp-content/plugins/twitter-tools/twitter-tools-bitly.php
index e483267..b39b2e2 100644
--- a/blog/wp-content/plugins/twitter-tools/twitter-tools-bitly.php
+++ b/blog/wp-content/plugins/twitter-tools/twitter-tools-bitly.php
@@ -3,7 +3,7 @@
Plugin Name: Twitter Tools - Bit.ly URLs
Plugin URI: http://crowdfavorite.com/wordpress/
Description: Use Bit.ly for URL shortening with Twitter Tools. This plugin relies on Twitter Tools, configure it on the Twitter Tools settings page.
-Version: 2.2.1
+Version: 2.3.1
Author: Crowd Favorite
Author URI: http://crowdfavorite.com
*/
@@ -68,6 +68,9 @@ function aktt_bitly_request_handler() {
if (!empty($_POST['cf_action'])) {
switch ($_POST['cf_action']) {
case 'aktt_bitly_update_settings':
+ if (!wp_verify_nonce($_POST['_wpnonce'], 'aktt_bitly_save_settings')) {
+ wp_die('Oops, please try again.');
+ }
aktt_bitly_save_settings();
wp_redirect(admin_url('options-general.php?page=twitter-tools.php&updated=true'));
die();
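Review bot: `$_POST['_wpnonce']` is read unguarded on the added check, so a POST that omits the field raises an undefined-index notice before `wp_verify_nonce()` returns false; `check_admin_referer('aktt_bitly_save_settings');` tolerates the missing field and dies on failure itself, replacing the three added lines with one. Nothing in the hunk checks authorization — a nonce proves the request came from a form the user loaded, not that the user may change settings — so unless the body outside the hunk already does it, `if (!current_user_can('manage_options')) { wp_die('Oops, please try again.'); }` belongs before `aktt_bitly_save_settings()`. The same two points apply to the excludecat and hashtags handlers below and to the `ak_action` GET cases and `aktt_update_settings` case in twitter-tools.php. `aktt_bitly_request_handler()` starts outside the hunk.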
@@ -159,6 +162,7 @@ function aktt_bitly_settings_form() {
+ '.wp_nonce_field('aktt_bitly_save_settings', '_wpnonce', true, false).wp_referer_field(false).'
');
diff --git a/blog/wp-content/plugins/twitter-tools/twitter-tools-excludecat.php b/blog/wp-content/plugins/twitter-tools/twitter-tools-excludecat.php
index 897a2d5..8a6f1d5 100644
--- a/blog/wp-content/plugins/twitter-tools/twitter-tools-excludecat.php
+++ b/blog/wp-content/plugins/twitter-tools/twitter-tools-excludecat.php
@@ -3,7 +3,7 @@
Plugin Name: Twitter Tools - Exclude Category
Plugin URI: http://crowdfavorite.com/wordpress/
Description: Exclude posts in certain categories from being tweeted by Twitter Tools. This plugin relies on Twitter Tools, configure it on the Twitter Tools settings page.
-Version: 2.2.1
+Version: 2.3.1
Author: Crowd Favorite
Author URI: http://crowdfavorite.com
*/
@@ -20,6 +20,9 @@ function aktt_excludecat_request_handler() {
if (!empty($_POST['cf_action'])) {
switch ($_POST['cf_action']) {
case 'aktt_excludecat_update_settings':
+ if (!wp_verify_nonce($_POST['_wpnonce'], 'aktt_excludecat_update_settings')) {
+ wp_die('Oops, please try again.');
+ }
aktt_excludecat_save_settings();
wp_redirect(admin_url('options-general.php?page=twitter-tools.php&updated=true'));
die();
@@ -99,6 +102,7 @@ jQuery(function() {
+ '.wp_nonce_field('aktt_excludecat_update_settings', '_wpnonce', true, false).wp_referer_field(false).'
');
diff --git a/blog/wp-content/plugins/twitter-tools/twitter-tools-hashtags.php b/blog/wp-content/plugins/twitter-tools/twitter-tools-hashtags.php
index a74591b..cb77fb9 100644
--- a/blog/wp-content/plugins/twitter-tools/twitter-tools-hashtags.php
+++ b/blog/wp-content/plugins/twitter-tools/twitter-tools-hashtags.php
@@ -3,7 +3,7 @@
Plugin Name: Twitter Tools - Hashtags
Plugin URI: http://crowdfavorite.com/wordpress/
Description: Set #hashtags for blog post tweets sent by Twitter Tools. This plugin relies on Twitter Tools, configure it on the Twitter Tools settings page.
-Version: 2.2.1
+Version: 2.3.1
Author: Crowd Favorite
Author URI: http://crowdfavorite.com
*/
@@ -78,6 +78,9 @@ function aktt_hash_request_handler() {
if (!empty($_POST['cf_action'])) {
switch ($_POST['cf_action']) {
case 'aktt_hash_update_settings':
+ if (!wp_verify_nonce($_POST['_wpnonce'], 'aktt_hash_update_settings')) {
+ wp_die('Oops, please try again.');
+ }
aktt_hash_save_settings();
wp_redirect(admin_url('options-general.php?page=twitter-tools.php&updated=true'));
die();
@@ -153,6 +156,7 @@ function aktt_hash_settings_form() {
+ '.wp_nonce_field('aktt_hash_update_settings', '_wpnonce', true, false).wp_referer_field(false).'
');
diff --git a/blog/wp-content/plugins/twitter-tools/twitter-tools.php b/blog/wp-content/plugins/twitter-tools/twitter-tools.php
index 534ac4e..5ea02c4 100644
--- a/blog/wp-content/plugins/twitter-tools/twitter-tools.php
+++ b/blog/wp-content/plugins/twitter-tools/twitter-tools.php
@@ -3,7 +3,7 @@
Plugin Name: Twitter Tools
Plugin URI: http://alexking.org/projects/wordpress
Description: A complete integration between your WordPress blog and Twitter. Bring your tweets into your blog and pass your blog posts to Twitter. Show your tweets in your sidebar, and post tweets from your WordPress admin.
-Version: 2.2.1
+Version: 2.3.1
Author: Alex King
Author URI: http://alexking.org
*/
@@ -389,7 +389,7 @@ class twitter_tools {
$conditions = array();
$conditions[] = "tw_created_at >= '{$startGMT}'";
$conditions[] = "tw_created_at <= '{$endGMT}'";
- $conditions[] = "tw_text NOT LIKE '$this->tweet_prefix%'";
+ $conditions[] = "tw_text NOT LIKE '".$wpdb->escape($this->tweet_prefix)."%'";
if ($this->exclude_reply_tweets) {
$conditions[] = "tw_text NOT LIKE '@%'";
}
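Review bot: `$wpdb->escape()` on the new line neutralises quotes but not the LIKE metacharacters `%` and `_`, so a prefix containing either still widens the match; a single call using the query builder handles both: `$conditions[] = $wpdb->prepare("tw_text NOT LIKE %s", like_escape($this->tweet_prefix) . '%');`. The same applies to the `aktt_latest_tweet()` hunk below. The method begins outside the hunk, so confirm it declares `global $wpdb;`, which the new line now requires; `$startGMT` and `$endGMT` on the context lines are interpolated unescaped and presumably computed internally, which is worth confirming.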
@@ -847,7 +847,7 @@ function aktt_latest_tweet() {
$tweets = $wpdb->get_results("
SELECT *
FROM $wpdb->aktt
- WHERE tw_text NOT LIKE '$aktt->tweet_prefix%'
+ WHERE tw_text NOT LIKE '".$wpdb->escape($aktt->tweet_prefix)."%'
$where
ORDER BY tw_created_at DESC
LIMIT 1
@@ -967,6 +967,7 @@ function aktt_tweet_form($type = 'input', $extra = '') {
+ '.wp_nonce_field('aktt_new_tweet', '_wpnonce', true, false).wp_referer_field(false).'
';
}
@@ -1080,43 +1081,31 @@ function aktt_head_admin() {
}
add_action('admin_head', 'aktt_head_admin');
-function aktt_request_handler() {
- global $wpdb, $aktt;
+function aktt_resources() {
if (!empty($_GET['ak_action'])) {
switch($_GET['ak_action']) {
- case 'aktt_update_tweets':
- aktt_update_tweets();
- wp_redirect(admin_url('options-general.php?page=twitter-tools.php&tweets-updated=true'));
- die();
- break;
- case 'aktt_reset_tweet_checking':
- aktt_reset_tweet_checking();
- wp_redirect(admin_url('options-general.php?page=twitter-tools.php&tweet-checking-reset=true'));
- die();
- break;
- case 'aktt_reset_digests':
- aktt_reset_digests();
- wp_redirect(admin_url('options-general.php?page=twitter-tools.php&digest-reset=true'));
- die();
- break;
case 'aktt_js':
- remove_action('shutdown', 'aktt_ping_digests');
header("Content-type: text/javascript");
switch ($aktt->js_lib) {
case 'jquery':
?>
function akttPostTweet() {
var tweet_field = jQuery('#aktt_tweet_text');
+ var tweet_form = tweet_field.parents('form');
var tweet_text = tweet_field.val();
if (tweet_text == '') {
return;
}
var tweet_msg = jQuery("#aktt_tweet_posted_msg");
+ var nonce = jQuery(tweet_form).find('input[name=_wpnonce]').val();
+ var refer = jQuery(tweet_form).find('input[name=_wp_http_referer]').val();
jQuery.post(
"",
{
ak_action: "aktt_post_tweet_sidebar",
- aktt_tweet_text: tweet_text
+ aktt_tweet_text: tweet_text,
+ _wpnonce: nonce,
+ _wp_http_referer: refer
},
function(data) {
tweet_msg.html(data);
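Review bot: The new `aktt_resources()` drops the removed `global $wpdb, $aktt;` line but still reads `$aktt->js_lib` in the unchanged `switch` for the `aktt_js` case, so inside the function `$aktt` is an undefined local and no `case` matches, leaving the script empty; add `global $aktt;` as the first statement of the function. The jQuery attribute selectors would be safer quoted, `find('input[name="_wpnonce"]')`, since unquoted values are only tolerated by older jQuery. The `remove_action('shutdown', 'aktt_ping_digests')` calls are removed presumably because at `init` priority 1 the shutdown hook is not yet registered; confirm against where that hook is added, which is outside this hunk.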
@@ -1144,12 +1133,14 @@ function akttPostTweet() {
return;
}
var tweet_msg = $("aktt_tweet_posted_msg");
+ var nonce = $('_wpnonce').value;
+ var refer = $('_wpnonce').next('input').value;
var akttAjax = new Ajax.Updater(
tweet_msg,
- ""
+ "",
{
method: "post",
- parameters: "ak_action=aktt_post_tweet_sidebar&aktt_tweet_text=" + tweet_text,
+ parameters: "ak_action=aktt_post_tweet_sidebar&aktt_tweet_text=" + tweet_text + '&_wpnonce=' + nonce + '&_wp_http_referer=' + refer,
onComplete: akttSetReset
}
);
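Review bot: The rewritten `parameters` string appends `nonce`, `refer` and `tweet_text` without URL-encoding; `_wp_http_referer` is a path that can contain `&` and `=`, which would split the query string and make the nonce check fail, and the tweet text has the same problem for `&`, `+` and `#`. Prototype's Ajax accepts a hash and encodes it, so `parameters: {ak_action: "aktt_post_tweet_sidebar", aktt_tweet_text: tweet_text, _wpnonce: nonce, _wp_http_referer: refer},` fixes all three. `$('_wpnonce').next('input')` relies on the referer field being the very next sibling of the nonce input, which `wp_nonce_field(...).wp_referer_field(...)` produces but which breaks silently if the markup is reordered; selecting by id or name instead is more robust. The enclosing JS function starts outside the hunk.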
@@ -1170,7 +1161,6 @@ function akttReset() {
die();
break;
case 'aktt_css':
- remove_action('shutdown', 'aktt_ping_digests');
header("Content-Type: text/css");
?>
#aktt_tweet_form {
@@ -1201,10 +1191,7 @@ function akttReset() {
die();
break;
case 'aktt_js_admin':
- remove_action('shutdown', 'aktt_ping_digests');
header("Content-Type: text/javascript");
- switch ($aktt->js_lib) {
- case 'jquery':
?>
function akttTestLogin() {
var result = jQuery('#aktt_login_test_result');
@@ -1363,36 +1350,9 @@ jQuery(function() {
});
-function akttTestLogin() {
- var username = $('aktt_twitter_username').value;
- var password = $('aktt_twitter_password').value;
- var result = $('aktt_login_test_result');
- result.className = 'aktt_login_result_wait';
- result.innerHTML = '';
- var akttAjax = new Ajax.Updater(
- result,
- "",
- {
- method: "post",
- parameters: "ak_action=aktt_login_test&aktt_twitter_username=" + username + "&aktt_twitter_password=" + password,
- onComplete: akttTestLoginResult
- }
- );
-}
-function akttTestLoginResult() {
- $('aktt_login_test_result').className = 'aktt_login_result';
- Fat.fade_element('aktt_login_test_result');
-}
-
#aktt_tweet_form {
@@ -1490,9 +1450,45 @@ form.aktt p.submit,
break;
}
}
+}
+add_action('init', 'aktt_resources', 1);
+
+function aktt_request_handler() {
+ global $wpdb, $aktt;
+ if (!empty($_GET['ak_action'])) {
+ switch($_GET['ak_action']) {
+ case 'aktt_update_tweets':
+ if (!wp_verify_nonce($_GET['_wpnonce'], 'aktt_update_tweets')) {
+ wp_die('Oops, please try again.');
+ }
+ aktt_update_tweets();
+ wp_redirect(admin_url('options-general.php?page=twitter-tools.php&tweets-updated=true'));
+ die();
+ break;
+ case 'aktt_reset_tweet_checking':
+ if (!wp_verify_nonce($_GET['_wpnonce'], 'aktt_update_tweets')) {
+ wp_die('Oops, please try again.');
+ }
+ aktt_reset_tweet_checking();
+ wp_redirect(admin_url('options-general.php?page=twitter-tools.php&tweet-checking-reset=true'));
+ die();
+ break;
+ case 'aktt_reset_digests':
+ if (!wp_verify_nonce($_GET['_wpnonce'], 'aktt_update_tweets')) {
+ wp_die('Oops, please try again.');
+ }
+ aktt_reset_digests();
+ wp_redirect(admin_url('options-general.php?page=twitter-tools.php&digest-reset=true'));
+ die();
+ break;
+ }
+ }
if (!empty($_POST['ak_action'])) {
switch($_POST['ak_action']) {
case 'aktt_update_settings':
+ if (!wp_verify_nonce($_POST['_wpnonce'], 'aktt_settings')) {
+ wp_die('Oops, please try again.');
+ }
$aktt->populate_settings();
$aktt->update_settings();
wp_redirect(admin_url('options-general.php?page=twitter-tools.php&updated=true'));
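Review bot: The checks for `aktt_reset_tweet_checking` and `aktt_reset_digests` verify against the action string `'aktt_update_tweets'`, so a nonce minted for the update link is also accepted for the two reset actions, and if those links are minted with their own action names the checks always fail; give each case its own string, e.g. `if (!wp_verify_nonce($_GET['_wpnonce'], 'aktt_reset_digests')) {`, and mint the link with the same value. Where the links are generated is outside this hunk, so confirm the strings there match. As on the other handlers, `$_GET['_wpnonce']` is read unguarded and no capability check is visible before `aktt_update_tweets()` and the resets, which `check_admin_referer()` plus a `current_user_can('manage_options')` guard would cover.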
@@ -1500,6 +1496,9 @@ form.aktt p.submit,
break;
case 'aktt_post_tweet_sidebar':
if (!empty($_POST['aktt_tweet_text']) && current_user_can('publish_posts')) {
+ if (!wp_verify_nonce($_POST['_wpnonce'], 'aktt_new_tweet')) {
+ wp_die('Oops, please try again.');
+ }
$tweet = new aktt_tweet();
$tweet->tw_text = stripslashes($_POST['aktt_tweet_text']);
if ($aktt->do_tweet($tweet)) {
@@ -1512,6 +1511,9 @@ form.aktt p.submit,
break;
case 'aktt_post_tweet_admin':
if (!empty($_POST['aktt_tweet_text']) && current_user_can('publish_posts')) {
+ if (!wp_verify_nonce($_POST['_wpnonce'], 'aktt_new_tweet')) {
+ wp_die('Oops, please try again.');
+ }
$tweet = new aktt_tweet();
$tweet->tw_text = stripslashes($_POST['aktt_tweet_text']);
if ($aktt->do_tweet($tweet)) {
@@ -1674,8 +1676,8 @@ function aktt_options_form() {