Commit 43778729 authored by Steven K Word's avatar Steven K Word

Version 0.5.3 - Security Update

Security Update
* Correct security vulnerability allowing both private and password protected posts from being accessed through the print page
* Creates is_protected() method to determine if the print page should be visible to the current user
* Remove print_url links from the content when the current user does not have the necessary capabilities to view the print page
ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss
parent c3709561
=== WP Print Friendly ===
Contributors: ethitter, thinkoomph
Contributors: ethitter, stevenkword, thinkoomph
Donate link: http://www.thinkoomph.com/plugins-modules/wp-print-friendly/
Tags: print, template, printer, printable
Requires at least: 3.1
Tested up to: 3.5
Stable tag: 0.5.2
Stable tag: 0.5.3
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
......@@ -59,6 +59,11 @@ This plugin is known to conflict with certain plugins, many pertaining to SEO an
== Changelog ==
= 0.5.3 =
* Creates is_protected() method to determine if the print page should be visible to the current user
* Correct security vulnerability allowing both private and password protected posts from being accessed through the print page
* Remove print_url links from the content when the current user does not have the necessary capabilities to view the print page
= 0.5.2 =
* Revert change in is_print() method made in version 0.5 as it breaks the method when no page number is specified. See [https://github.com/ethitter/WP-Print-Friendly/issues/2](https://github.com/ethitter/WP-Print-Friendly/issues/2).
......@@ -174,4 +179,4 @@ This release expands the plugin's page rewrite rules to accomodate permalink str
This release fixes bug that displayed post links automatically on the wrong post types.
= 0.4 =
This release addresses numerous bugs reported by the community, including print templates for child pages. All admin text, save the plugin's name, are now ready for translation. Templates are now completely customizable, and new template functions are included.
\ No newline at end of file
This release addresses numerous bugs reported by the community, including print templates for child pages. All admin text, save the plugin's name, are now ready for translation. Templates are now completely customizable, and new template functions are included.
......@@ -3,8 +3,8 @@
Plugin Name: WP Print Friendly
Plugin URI: http://www.thinkoomph.com/plugins-modules/wp-print-friendly/
Description: Extends WordPress' template system to support printer-friendly templates. Works with permalink structures to support nice URLs.
Author: Erick Hitter & Oomph, Inc.
Version: 0.5.2
Author: Erick Hitter, Steven K Word & Oomph, Inc.
Version: 0.5.3
Author URI: http://www.thinkoomph.com/
This program is free software; you can redistribute it and/or modify
......@@ -80,6 +80,7 @@ class wp_print_friendly {
add_action( 'admin_menu', array( $this, 'action_admin_menu' ) );
add_filter( 'request', array( $this, 'filter_request' ) );
add_action( 'pre_get_posts', array( $this, 'action_pre_get_posts' ) );
add_action( 'wp', array( $this, 'action_wp' ) );
add_filter( 'template_include', array( $this, 'filter_template_include' ) );
add_filter( 'redirect_canonical', array( $this, 'filter_redirect_canonical' ) );
add_filter( 'body_class', array( $this, 'filter_body_class' ) );
......@@ -161,6 +162,23 @@ class wp_print_friendly {
update_option( $this->notice_key, 1 );
}
/**
* Determine if the print page should be visible to the current user
*
* @uses current_user_can, post_password_required
* @global $wp_query, $post
* @return bool
*/
public function is_protected() {
global $post;
// If the global $post object is not set OR BOTH the current user is NOT an admin AND the post is private
$private = ( ! isset( $post ) || ( ! current_user_can( 'read_private_posts' ) && 'private' == $post->post_status ) ) ? true : false;
// If the password is required OR if the current user does not have the capability to view private posts
return post_password_required() || true === $private;
}
/**
* Determine if print template is being requested.
*
......@@ -273,15 +291,34 @@ class wp_print_friendly {
return $query;
}
/**
* Throw a 404 if the print page should not be visible to the user
*
* @action wp
* @global $wp_query
* @uses $this::is_print, $this::is_protected
* @return null
*/
function action_wp() {
global $wp_query;
if( $this->is_print() && $this->is_protected() ) {
$wp_query->set_404();
status_header( 404 );
nocache_headers();
}
}
/**
* Filter template include to return print template if requested.
*
* @param string $template
* @filter template_include
* @uses this::is_protected
* @return string
*/
public function filter_template_include( $template ) {
if ( $this->is_print() && ( $print_template = $this->template_chooser() ) )
if ( $this->is_print() && ! $this->is_protected() && ( $print_template = $this->template_chooser() ) )
$template = $print_template[ 'path' ];
return $template;
......@@ -350,7 +387,7 @@ class wp_print_friendly {
* Filter the content if automatic inclusion is selected.
*
* @param string $content
* @uses $this::get_options, $post, $this::print_url, get_query_var, apply_filters
* @uses $this::get_options, $post, $this::print_url, $this::is_protected, get_query_var, apply_filters
* @filter the_content
* @return string
*/
......@@ -359,6 +396,10 @@ class wp_print_friendly {
global $post;
// Do not display the print_url link if the print page is not be accessible to the user
if( $this->is_protected() )
return $content;
if ( is_array( $options ) && array_key_exists( 'auto', $options ) && $options[ 'auto' ] == true && in_array( $post->post_type, $options[ 'post_types' ] ) && ! $this->is_print() ) {
extract( $options );
......@@ -928,4 +969,4 @@ if ( ! function_exists( 'is_print' ) ) {
return $wpf->is_print();
}
}
?>
\ No newline at end of file
?>
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment