- fixed security issue with Profile/Registration form;
@@ -21,7 +21,7 @@ if ( ! class_exists( 'um\core\GDPR' ) ) {
|
||||
function __construct() {
|
||||
add_action( 'um_submit_form_register', array( &$this, 'agreement_validation' ), 9 );
|
||||
|
||||
add_filter( 'um_before_save_filter_submitted', array( &$this, 'add_agreement_date' ), 10, 1 );
|
||||
add_filter( 'um_before_save_filter_submitted', array( &$this, 'add_agreement_date' ), 10, 2 );
|
||||
add_filter( 'um_email_registration_data', array( &$this, 'email_registration_data' ), 10, 1 );
|
||||
|
||||
add_action( 'um_after_form_fields', array( &$this, 'display_option' ) );
|
||||
@@ -52,10 +52,11 @@ if ( ! class_exists( 'um\core\GDPR' ) ) {
|
||||
|
||||
/**
|
||||
* @param $submitted
|
||||
* @param $args
|
||||
*
|
||||
* @return mixed
|
||||
*/
|
||||
function add_agreement_date( $submitted ) {
|
||||
function add_agreement_date( $submitted, $args ) {
|
||||
if ( isset( $submitted['use_gdpr_agreement'] ) ) {
|
||||
$submitted['use_gdpr_agreement'] = time();
|
||||
}
|
||||
|
||||
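Review bot: `add_agreement_date( $submitted, $args )` on line 57 makes the new second parameter mandatory, so any place that still fires the filter with a single argument (the pre-change `apply_filters( 'um_before_save_filter_submitted', $submitted )` form, which third-party code may still use) will call this callback with one argument and, on PHP 7.1+, raise an ArgumentCountError instead of saving. Giving the parameter a default keeps the old call shape working: `function add_agreement_date( $submitted, $args = array() ) {`. The same applies to `set_registration_details( $submitted, $args )` in the class-user.php hunk, which can take `$args = array()` as well. While here, the docblock on line 42 should carry a type, `* @param array $args`, to match the `@param array` lines used in class-user.php.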
@@ -954,9 +954,10 @@ if ( ! class_exists( 'um\core\User' ) ) {
|
||||
/**
|
||||
* Set user's registration details
|
||||
*
|
||||
* @param $submitted
|
||||
* @param array $submitted
|
||||
* @param array $args
|
||||
*/
|
||||
function set_registration_details( $submitted ) {
|
||||
function set_registration_details( $submitted, $args ) {
|
||||
|
||||
if ( isset( $submitted['user_pass'] ) ) {
|
||||
unset( $submitted['user_pass'] );
|
||||
@@ -991,21 +992,22 @@ if ( ! class_exists( 'um\core\User' ) ) {
|
||||
* @title um_before_save_filter_submitted
|
||||
* @description Change submitted data before save usermeta "submitted" on registration process
|
||||
* @input_vars
|
||||
* [{"var":"$submitted","type":"array","desc":"Submitted data"}]
|
||||
* [{"var":"$submitted","type":"array","desc":"Submitted data"},
|
||||
* {"var":"$args","type":"array","desc":"Form Args"}]
|
||||
* @change_log
|
||||
* ["Since: 2.0"]
|
||||
* @usage
|
||||
* <?php add_filter( 'um_before_save_filter_submitted', 'function_name', 10, 1 ); ?>
|
||||
* <?php add_filter( 'um_before_save_filter_submitted', 'function_name', 10, 2 ); ?>
|
||||
* @example
|
||||
* <?php
|
||||
* add_filter( 'um_before_save_filter_submitted', 'my_before_save_filter_submitted', 10, 1 );
|
||||
* function my_before_save_filter_submitted( $submitted ) {
|
||||
* add_filter( 'um_before_save_filter_submitted', 'my_before_save_filter_submitted', 10, 2 );
|
||||
* function my_before_save_filter_submitted( $submitted, $args ) {
|
||||
* // your code here
|
||||
* return $submitted;
|
||||
* }
|
||||
* ?>
|
||||
*/
|
||||
$submitted = apply_filters( 'um_before_save_filter_submitted', $submitted );
|
||||
$submitted = apply_filters( 'um_before_save_filter_submitted', $submitted, $args );
|
||||
|
||||
/**
|
||||
* UM hook
|
||||
@@ -1672,7 +1674,7 @@ if ( ! class_exists( 'um\core\User' ) ) {
|
||||
|
||||
foreach ( $changes as $key => $value ) {
|
||||
if ( ! in_array( $key, $this->update_user_keys ) ) {
|
||||
if( $value === 0 ){
|
||||
if ( $value === 0 ) {
|
||||
update_user_meta( $this->id, $key, '0' );
|
||||
} else {
|
||||
update_user_meta( $this->id, $key, $value );
|
||||
|
||||
@@ -22,7 +22,8 @@ if ( ! class_exists( 'um\core\Validation' ) ) {
|
||||
$this->regex_phone_number = '/\A[\d\-\.\+\(\)\ ]+\z/';
|
||||
|
||||
|
||||
add_filter( 'um_user_pre_updating_files_array', array( $this, 'validate_files' ) );
|
||||
add_filter( 'um_user_pre_updating_files_array', array( $this, 'validate_files' ), 10, 1 );
|
||||
add_filter( 'um_before_save_filter_submitted', array( $this, 'validate_fields_values' ), 10, 2 );
|
||||
}
|
||||
|
||||
|
||||
@@ -46,6 +47,52 @@ if ( ! class_exists( 'um\core\Validation' ) ) {
|
||||
}
|
||||
|
||||
|
||||
|
||||
function validate_fields_values( $changes, $args ) {
|
||||
$fields = array();
|
||||
if ( ! empty( $args['custom_fields'] ) ) {
|
||||
$fields = unserialize( $args['custom_fields'] );
|
||||
}
|
||||
|
||||
foreach ( $changes as $key => $value ) {
|
||||
//rating field validation
|
||||
if ( isset( $fields[ $key ]['type'] ) && $fields[ $key ]['type'] == 'rating' ) {
|
||||
if ( ! is_numeric( $value ) ) {
|
||||
unset( $changes[ $key ] );
|
||||
} else {
|
||||
if ( $fields[ $key ]['number'] == 5 ) {
|
||||
if ( ! in_array( $value, range( 1, 5 ) ) ) {
|
||||
unset( $changes[ $key ] );
|
||||
}
|
||||
} elseif ( $fields[ $key ]['number'] == 10 ) {
|
||||
if ( ! in_array( $value, range( 1, 10 ) ) ) {
|
||||
unset( $changes[ $key ] );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//validation of correct values from options in wp-admin
|
||||
if ( in_array( $fields[ $key ]['type'], array( 'select', 'radio' ) ) &&
|
||||
isset( $value ) && ! empty( $fields[ $key ]['options'] ) &&
|
||||
! in_array( $value, $fields[ $key ]['options'] ) ) {
|
||||
unset( $changes[ $key ] );
|
||||
}
|
||||
|
||||
//validation of correct values from options in wp-admin
|
||||
//the user cannot set invalid value in the hidden input at the page
|
||||
if ( in_array( $fields[ $key ]['type'], array( 'multiselect', 'checkbox' ) ) &&
|
||||
isset( $value ) && ! empty( $fields[ $key ]['options'] ) ) {
|
||||
|
||||
$changes[ $key ] = array_intersect( $value, $fields[ $key ]['options'] );
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
return $changes;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Removes html from any string
|
||||
*
|
||||
|
||||
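Review bot: The multiselect/checkbox branch on line 362 passes the submitted `$value` straight to `array_intersect()`, but nothing guarantees it is an array; a scalar posted for that key makes `array_intersect()` emit a warning and return null on PHP 7, and throw a TypeError on PHP 8, so the whole save fails rather than the one bad value being dropped. The select/radio and rating checks rely on non-strict `in_array()`, under which values such as `0` or `true` compare equal to arbitrary option strings on older PHP, so the `true` flag (with both sides cast to string) is needed for the options check to actually reject unknown values. Line 331 also reads `$fields[ $key ]['type']` without an `isset()`, unlike line 281, so every submitted key that is not a custom field (e.g. `user_login`) triggers an undefined-index notice. The `unserialize()` on line 267 is only safe if `$args['custom_fields']` always originates from trusted stored form meta, which this hunk does not show; `unserialize( $args['custom_fields'], array( 'allowed_classes' => false ) )` removes the object-instantiation risk either way. The copy of this block in `um_user_edit_profile()` (um-actions-profile.php hunk) has the same `array_intersect()` and non-strict `in_array()` issues.

```php
function validate_fields_values( $changes, $args ) {
	$fields = array();
	if ( ! empty( $args['custom_fields'] ) ) {
		// NOTE(review): assumes custom_fields is trusted form meta; allowed_classes=false blocks object instantiation regardless
		$fields = unserialize( $args['custom_fields'], array( 'allowed_classes' => false ) );
	}

	foreach ( $changes as $key => $value ) {
		if ( empty( $fields[ $key ]['type'] ) ) {
			continue; // not a custom field of this form; nothing to validate
		}
		$type    = $fields[ $key ]['type'];
		$options = ! empty( $fields[ $key ]['options'] ) ? (array) $fields[ $key ]['options'] : array();

		// … unchanged: rating field validation …

		//validation of correct values from options in wp-admin
		if ( in_array( $type, array( 'select', 'radio' ), true ) && isset( $value ) && ! empty( $options ) &&
		     ! in_array( (string) $value, array_map( 'strval', $options ), true ) ) {
			unset( $changes[ $key ] );
		}

		//the user cannot set invalid value in the hidden input at the page
		if ( in_array( $type, array( 'multiselect', 'checkbox' ), true ) && isset( $value ) && ! empty( $options ) ) {
			if ( ! is_array( $value ) ) {
				unset( $changes[ $key ] ); // a scalar here would make array_intersect() warn or throw
			} else {
				$changes[ $key ] = array_intersect( $value, $options );
			}
		}
	}

	return $changes;
}
```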
@@ -228,6 +228,39 @@ function um_user_edit_profile( $args ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
//the same code in class-validation.php validate_fields_values for registration form
|
||||
//rating field validation
|
||||
if ( $array['type'] == 'rating' && isset( $args['submitted'][ $key ] ) ) {
|
||||
if ( ! is_numeric( $args['submitted'][ $key ] ) ) {
|
||||
continue;
|
||||
} else {
|
||||
if ( $array['number'] == 5 ) {
|
||||
if ( ! in_array( $args['submitted'][ $key ], range( 1, 5 ) ) ) {
|
||||
continue;
|
||||
}
|
||||
} elseif ( $array['number'] == 10 ) {
|
||||
if ( ! in_array( $args['submitted'][ $key ], range( 1, 10 ) ) ) {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//validation of correct values from options in wp-admin
|
||||
if ( in_array( $array['type'], array( 'select', 'radio' ) ) &&
|
||||
isset( $args['submitted'][ $key ] ) && ! empty( $array['options'] ) &&
|
||||
! in_array( $args['submitted'][ $key ], $array['options'] ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
//validation of correct values from options in wp-admin
|
||||
//the user cannot set invalid value in the hidden input at the page
|
||||
if ( in_array( $array['type'], array( 'multiselect', 'checkbox' ) ) &&
|
||||
isset( $args['submitted'][ $key ] ) && ! empty( $array['options'] ) ) {
|
||||
|
||||
$args['submitted'][ $key ] = array_intersect( $args['submitted'][ $key ], $array['options'] );
|
||||
}
|
||||
|
||||
if ( $array['type'] == 'multiselect' || $array['type'] == 'checkbox' && ! isset( $args['submitted'][ $key ] ) ) {
|
||||
delete_user_meta( um_user( 'ID' ), $key );
|
||||
}
|
||||
|
||||
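Review bot: Lines 407-497 are a near-verbatim copy of `validate_fields_values()` from class-validation.php, as the comment on line 407 itself states, so any later fix to one (rating range, option checks, strictness) has to be remembered in both. Since the profile path already holds `$args['submitted']` and `$args`, the block could be reduced to a single call to the shared validator, something like `$args['submitted'] = UM()->validation()->validate_fields_values( $args['submitted'], $args );` placed before the loop, with the loop keeping only the `continue` for keys the validator removed; whether `continue` (keep the stored value) and `unset` (drop the key) are interchangeable here depends on the rest of `um_user_edit_profile()`, which continues outside the hunk. The adjacent context line 502 mixes `||` and `&&` without parentheses, so the `! isset( ... )` condition only applies to the checkbox branch; it is not part of this change but now sits directly after the new intersect code that feeds it.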
@@ -56,7 +56,7 @@ function um_after_insert_user( $user_id, $args ) {
|
||||
|
||||
um_fetch_user( $user_id );
|
||||
if ( ! empty( $args['submitted'] ) ) {
|
||||
UM()->user()->set_registration_details( $args['submitted'] );
|
||||
UM()->user()->set_registration_details( $args['submitted'], $args );
|
||||
}
|
||||
UM()->user()->set_status( um_user( 'status' ) );
|
||||
|
||||
@@ -589,8 +589,9 @@ add_action( 'um_main_register_fields', 'um_add_register_fields', 100 );
|
||||
*/
|
||||
function um_registration_save_files( $user_id, $args ) {
|
||||
|
||||
if ( empty( $args['custom_fields'] ) )
|
||||
if ( empty( $args['custom_fields'] ) ) {
|
||||
return;
|
||||
}
|
||||
|
||||
$files = array();
|
||||
|
||||
@@ -603,11 +604,11 @@ function um_registration_save_files( $user_id, $args ) {
|
||||
|
||||
if ( isset( $args['submitted'][$key] ) ) {
|
||||
|
||||
if ( isset( $fields[$key]['type'] ) && in_array( $fields[$key]['type'], array( 'image', 'file' ) ) &&
|
||||
( um_is_temp_file( $args['submitted'][$key] ) || $args['submitted'][$key] == 'empty_file' )
|
||||
if ( isset( $fields[ $key ]['type'] ) && in_array( $fields[ $key ]['type'], array( 'image', 'file' ) ) &&
|
||||
( um_is_temp_file( $args['submitted'][ $key ] ) || $args['submitted'][ $key ] == 'empty_file' )
|
||||
) {
|
||||
|
||||
$files[$key] = $args['submitted'][$key];
|
||||
$files[ $key ] = $args['submitted'][ $key ];
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -671,7 +671,7 @@ function um_profile_field_filter_xss_validation( $value, $data, $type = '' ) {
|
||||
|
||||
return $value;
|
||||
}
|
||||
add_filter( 'um_profile_field_filter_hook__','um_profile_field_filter_xss_validation', 10, 3 );
|
||||
add_filter( 'um_profile_field_filter_hook__', 'um_profile_field_filter_xss_validation', 10, 3 );
|
||||
|
||||
|
||||
/**
|
||||
|
||||
@@ -824,7 +824,7 @@ function um_filtered_value( $key, $data = false ) {
|
||||
* }
|
||||
* ?>
|
||||
*/
|
||||
$value = apply_filters( "um_profile_field_filter_hook__", $value, $data, $type );
|
||||
$value = apply_filters( 'um_profile_field_filter_hook__', $value, $data, $type );
|
||||
|
||||
/**
|
||||
* UM hook
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: Ultimate Member\n"
|
||||
"POT-Creation-Date: 2019-05-08 11:05+0300\n"
|
||||
"PO-Revision-Date: 2019-05-08 11:05+0300\n"
|
||||
"POT-Creation-Date: 2019-05-08 16:04+0300\n"
|
||||
"PO-Revision-Date: 2019-05-08 16:04+0300\n"
|
||||
"Last-Translator: \n"
|
||||
"Language-Team: \n"
|
||||
"Language: en_US\n"
|
||||
@@ -268,7 +268,7 @@ msgstr ""
|
||||
#: includes/admin/core/class-admin-forms.php:951
|
||||
#: includes/admin/core/class-admin-forms.php:960
|
||||
#: includes/admin/core/class-admin-notices.php:390
|
||||
#: includes/core/um-actions-profile.php:556
|
||||
#: includes/core/um-actions-profile.php:592
|
||||
msgid "Remove"
|
||||
msgstr ""
|
||||
|
||||
@@ -3615,11 +3615,11 @@ msgstr ""
|
||||
#: includes/admin/templates/modal/fonticons.php:11
|
||||
#: includes/admin/templates/role/publish.php:24
|
||||
#: includes/core/class-fields.php:2333 includes/core/class-fields.php:2430
|
||||
#: includes/core/um-actions-profile.php:557
|
||||
#: includes/core/um-actions-profile.php:696
|
||||
#: includes/core/um-actions-profile.php:729
|
||||
#: includes/core/um-actions-profile.php:1074
|
||||
#: includes/core/um-actions-profile.php:1081
|
||||
#: includes/core/um-actions-profile.php:593
|
||||
#: includes/core/um-actions-profile.php:732
|
||||
#: includes/core/um-actions-profile.php:765
|
||||
#: includes/core/um-actions-profile.php:1110
|
||||
#: includes/core/um-actions-profile.php:1117
|
||||
msgid "Cancel"
|
||||
msgstr ""
|
||||
|
||||
@@ -3982,7 +3982,7 @@ msgid "Members"
|
||||
msgstr ""
|
||||
|
||||
#: includes/class-config.php:133 includes/class-config.php:745
|
||||
#: includes/core/um-actions-profile.php:1080
|
||||
#: includes/core/um-actions-profile.php:1116
|
||||
#: includes/core/um-actions-user.php:15
|
||||
msgid "Logout"
|
||||
msgstr ""
|
||||
@@ -4250,7 +4250,7 @@ msgstr ""
|
||||
msgid "You must add a shortcode to the content area"
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/class-builtin.php:663 includes/core/class-user.php:1544
|
||||
#: includes/core/class-builtin.php:663 includes/core/class-user.php:1546
|
||||
msgid "Only me"
|
||||
msgstr ""
|
||||
|
||||
@@ -4399,7 +4399,7 @@ msgid "Cover Photo"
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/class-builtin.php:1085
|
||||
#: includes/core/um-actions-profile.php:519
|
||||
#: includes/core/um-actions-profile.php:555
|
||||
msgid "Change your cover photo"
|
||||
msgstr ""
|
||||
|
||||
@@ -6369,7 +6369,7 @@ msgid "Upload Photo"
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/class-fields.php:2308 includes/core/class-fields.php:2332
|
||||
#: includes/core/um-actions-profile.php:727
|
||||
#: includes/core/um-actions-profile.php:763
|
||||
msgid "Change photo"
|
||||
msgstr ""
|
||||
|
||||
@@ -6945,46 +6945,46 @@ msgstr ""
|
||||
msgid "Your membership request has been rejected."
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/um-actions-profile.php:186
|
||||
#: includes/core/um-actions-profile.php:192
|
||||
msgid "You are not allowed to edit this user."
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/um-actions-profile.php:243
|
||||
#: includes/core/um-actions-profile.php:279
|
||||
#, php-format
|
||||
msgid "Your choosed %s"
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/um-actions-profile.php:555
|
||||
#: includes/core/um-actions-profile.php:591
|
||||
msgid "Change cover photo"
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/um-actions-profile.php:598
|
||||
#: includes/core/um-actions-profile.php:634
|
||||
msgid "Upload a cover photo"
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/um-actions-profile.php:695
|
||||
#: includes/core/um-actions-profile.php:731
|
||||
msgid "Upload photo"
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/um-actions-profile.php:728
|
||||
#: includes/core/um-actions-profile.php:764
|
||||
msgid "Remove photo"
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/um-actions-profile.php:892
|
||||
#: includes/core/um-actions-profile.php:928
|
||||
msgid "Tell us a bit about yourself..."
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/um-actions-profile.php:908
|
||||
#: includes/core/um-actions-profile.php:944
|
||||
#, php-format
|
||||
msgid "This user account status is %s"
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/um-actions-profile.php:1047
|
||||
#: includes/core/um-actions-profile.php:1078
|
||||
#: includes/core/um-actions-profile.php:1083
|
||||
#: includes/core/um-actions-profile.php:1114
|
||||
msgid "Edit Profile"
|
||||
msgstr ""
|
||||
|
||||
#: includes/core/um-actions-profile.php:1079
|
||||
#: includes/core/um-actions-profile.php:1115
|
||||
msgid "My Account"
|
||||
msgstr ""
|
||||
|
||||
|
||||