
fix: solve vulnerability with script metadata #816 #817

Merged
merged 2 commits into from
Dec 18, 2023

Conversation

preda-bogdan
Contributor

@preda-bogdan preda-bogdan commented Dec 18, 2023

Summary

Fixes a vulnerability with using the custom fields to save data to the header/footer script boxes when the user does not have the capability to save unfiltered_html.

Screenshots

[screenshot: Post Preferences (pic. 1)]

[screenshot: Post Preferences (pic. 2)]

[screenshot: New custom fields name options (pic. 3)]

How to test

  1. On a fresh instance with Orbit Fox
  2. Create a new user account with the Contributor role
  3. Login as a Contributor
  4. Create a new Post
  5. Enable Custom Fields from the Post Preferences (see pic. 1 and pic. 2)
  6. Check that obfx-header-scripts and obfx-footer-scripts are not listed under "Add new custom field name".
  7. Use the steps detailed here for further testing: https://github.com/Codeinwp/themeisle/issues/1612

References: Codeinwp/themeisle#1612
Closes: #816
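For readers who want to see what a fix of this shape looks like in WordPress terms, the snippet below is an added example and is not the Orbit Fox code from this pull request. It takes the two meta key names from the PR description and shows one standard way to (a) hide them from the Custom Fields box, matching the behaviour in pic. 3, and (b) refuse any write to them by a user who lacks `unfiltered_html`, so the meta cannot be smuggled in through REST or XML-RPC either. The function names prefixed `obfx_example_` and the plugin wiring are assumptions; the `is_protected_meta` and `auth_post_meta_{$meta_key}` filters are core WordPress hooks.

```php
<?php
/**
 * Added example, not the project's own code: restrict a plugin's header/footer
 * script meta keys to users holding the unfiltered_html capability.
 * Meta key names are taken from the PR description; everything else here
 * (function names, hook wiring) is assumed for illustration.
 */

// Meta keys whose values are printed as raw <script> in the page head/footer.
function obfx_example_script_meta_keys() {
    return array( 'obfx-header-scripts', 'obfx-footer-scripts' );
}

// (a) Treat the keys as protected meta. Protected keys are not offered in the
//     "Add new custom field name" dropdown and are hidden from the Custom Fields
//     box, so a Contributor can no longer reach them through that UI.
function obfx_example_protect_script_meta( $protected, $meta_key, $meta_type ) {
    if ( 'post' === $meta_type && in_array( $meta_key, obfx_example_script_meta_keys(), true ) ) {
        return true;
    }
    return $protected;
}
add_filter( 'is_protected_meta', 'obfx_example_protect_script_meta', 10, 3 );

// (b) Defence in depth: the auth_post_meta_{$meta_key} filter decides whether a
//     given user may add, edit or delete a protected key. Tying it to
//     unfiltered_html means the same rule applies to the editor, REST and
//     XML-RPC paths, and users who already hold that capability keep working.
function obfx_example_auth_script_meta( $allowed, $meta_key, $object_id, $user_id ) {
    return user_can( $user_id, 'unfiltered_html' );
}
foreach ( obfx_example_script_meta_keys() as $key ) {
    add_filter( 'auth_post_meta_' . $key, 'obfx_example_auth_script_meta', 10, 4 );
}
```

With both hooks in place, the manual test above still applies: log in as a Contributor, open a post, enable Custom Fields, and confirm the two keys are absent from the dropdown and that attempting to set them through any other route is rejected, while an Administrator (who has `unfiltered_html` on a single-site install) is unaffected.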

@preda-bogdan preda-bogdan linked an issue Dec 18, 2023 that may be closed by this pull request
@pirate-bot
Contributor

pirate-bot commented Dec 18, 2023

Plugin build for 5430f77 is ready 🛎️!

Contributor

@Soare-Robert-Daniel Soare-Robert-Daniel left a comment


Only one issue with the function return comment. Otherwise a strong PR 💪

@preda-bogdan
Contributor Author

@Soare-Robert-Daniel I think this could have been an NIT so as to not block instead of a change request.

@Soare-Robert-Daniel
Contributor

@preda-bogdan, I was thinking about that. But I considered it pretty important since analyzing tools use the PHPDocs heavily. I see that PHPStan is not enabled in this project, which normally should not pass the check.

I considered this NIT as an exception.

@irinelenache

@preda-bogdan Tested and the issue is fixed now, thank you 👍

@vytisbulkevicius vytisbulkevicius merged commit e3cfa01 into development Dec 18, 2023
4 checks passed
@vytisbulkevicius vytisbulkevicius deleted the fix/scripts_box_metadata_vulnerability branch December 18, 2023 14:35
@pirate-bot
Contributor

🎉 This PR is included in version 2.10.27 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@pirate-bot pirate-bot added the released Indicate that an issue has been resolved and released in a particular version of the product. label Dec 18, 2023
Successfully merging this pull request may close these issues.

Vulnerability issue
5 participants