From 4d11191a5dfc71732a0f96ac0e33224b31fcddf1 Mon Sep 17 00:00:00 2001
From: JR Tashjian <85627927+mtashjianjr-godaddy@users.noreply.github.com>
Date: Fri, 20 Dec 2024 16:13:41 -0500
Subject: [PATCH] Improve nonce handling and permissions in crop settings API (#2624)
* Conditionally include crop settings nonce
* Improve nonce validation and permission checks in crop settings API
* Sanitize nonce input in crop settings API for improved security
---
 .../admin/class-coblocks-crop-settings.php | 36 ++++++++---------
 includes/class-coblocks-block-assets.php | 40 +++++++++----------
 2 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/includes/admin/class-coblocks-crop-settings.php b/includes/admin/class-coblocks-crop-settings.php
index a15e4b4fe29..65c605c7211 100644
--- a/includes/admin/class-coblocks-crop-settings.php
+++ b/includes/admin/class-coblocks-crop-settings.php
@@ -86,26 +86,22 @@ public function hide_cropped_from_library( $query ) {
 * Retrieve the original image.
 */
 public function get_original_image() {
- $nonce = filter_input( INPUT_POST, 'nonce' );
-
- if ( ! $nonce ) {
-
- wp_send_json_error( 'No nonce value present.' );
-
+ if ( ! wp_verify_nonce( sanitize_text_field( filter_input( INPUT_POST, 'nonce' ) ), 'cropSettingsOriginalImageNonce' ) ) {
+ wp_send_json_error( 'Invalid nonce value.', 403 );
 }
- if ( ! wp_verify_nonce( htmlspecialchars( $nonce ), 'cropSettingsOriginalImageNonce' ) ) {
-
- wp_send_json_error( 'Invalid nonce value.' );
-
+ if ( ! current_user_can( 'upload_files' ) ) {
+ wp_send_json_error( 'You do not have permission.', 403 );
 }
 $id = filter_input( INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT );
 if ( ! $id ) {
-
 wp_send_json_error( 'Missing id value.' );
+ }
+ if ( ! current_user_can( 'edit_post', $id ) ) {
+ wp_send_json_error( 'You do not have permission to edit this attachment.', 403 );
 }
 $attachment_meta = wp_get_attachment_metadata( $id );
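Review bot: The `$id` guard in get_original_image accepts any non-empty string that FILTER_SANITIZE_NUMBER_INT leaves behind, so inputs such as `-5` or `1-2` pass `! $id` and are handed to `current_user_can( 'edit_post', $id )` and `wp_get_attachment_metadata( $id )` as unvalidated strings; the same pattern is repeated in the api_crop hunk below. Reading the value with `$id = filter_input( INPUT_POST, 'id', FILTER_VALIDATE_INT );` and rejecting `false` or non-positive results yields a real integer attachment id before any capability lookup. Relatedly, `wp_send_json_error( 'Missing id value.' )` is now the only early exit in this block without a status code while its siblings send 403; `wp_send_json_error( 'Missing id value.', 400 );` keeps the responses consistent for the client. get_original_image continues past the end of this hunk.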
@@ -127,18 +123,22 @@ public function get_original_image() {
 * Cropping.
 */
 public function api_crop() {
- $nonce = filter_input( INPUT_POST, 'nonce' );
-
- if ( ! $nonce ) {
-
- wp_send_json_error( 'No nonce value present.' );
+ if ( ! wp_verify_nonce( sanitize_text_field( filter_input( INPUT_POST, 'nonce' ) ), 'cropSettingsNonce' ) ) {
+ wp_send_json_error( 'Invalid nonce value.', 403 );
+ }
+ if ( ! current_user_can( 'upload_files' ) ) {
+ wp_send_json_error( 'You do not have permission.', 403 );
 }
- if ( ! wp_verify_nonce( htmlspecialchars( $nonce ), 'cropSettingsNonce' ) ) {
+ $id = filter_input( INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT );
- wp_send_json_error( 'Invalid nonce value.' );
+ if ( ! $id ) {
+ wp_send_json_error( 'Missing id value.' );
+ }
+ if ( ! current_user_can( 'edit_post', $id ) ) {
+ wp_send_json_error( 'You do not have permission to edit this attachment.', 403 );
 }
 if (
diff --git a/includes/class-coblocks-block-assets.php b/includes/class-coblocks-block-assets.php
index 314cd3f6ce2..eef7f0e5fe6 100644
--- a/includes/class-coblocks-block-assets.php
+++ b/includes/class-coblocks-block-assets.php
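Review bot: api_crop now repeats the same nonce, upload_files, id and edit_post guard sequence as get_original_image in the hunk above, differing only in the nonce action string, and two hand-maintained copies of an authorization prologue are exactly what drifts apart on the next fix. A private helper that takes the action name and returns the validated id keeps both handlers on one code path; the call site in api_crop becomes `$id = $this->verify_crop_request( 'cropSettingsNonce' );` and get_original_image gets the same call with its own action. The body of api_crop continues beyond the end of this hunk (the trailing `if (` is cut off).
```php
/**
 * Shared guard for the crop AJAX handlers: verifies the POSTed nonce
 * against $nonce_action, then the upload_files and edit_post
 * capabilities, sending a JSON error on any failure.
 *
 * @param string $nonce_action Nonce action the request must carry.
 * @return string Attachment id as read from the request.
 */
private function verify_crop_request( $nonce_action ) {
	if ( ! wp_verify_nonce( sanitize_text_field( filter_input( INPUT_POST, 'nonce' ) ), $nonce_action ) ) {
		wp_send_json_error( 'Invalid nonce value.', 403 );
	}
	// … unchanged: upload_files check, id check, edit_post check as in api_crop …
	return $id;
}

public function api_crop() {
	$id = $this->verify_crop_request( 'cropSettingsNonce' );
	// … unchanged: remainder of api_crop …
```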
@@ -288,28 +288,28 @@ public function editor_assets() {
 $form_subject = $form->default_subject();
 $success_text = $form->default_success_text();
- wp_localize_script(
- 'coblocks-editor',
- 'coblocksBlockData',
- array(
- 'form' => array(
- 'adminEmail' => $email_to,
- 'emailSubject' => $form_subject,
- 'successText' => $success_text,
- ),
- 'cropSettingsOriginalImageNonce' => wp_create_nonce( 'cropSettingsOriginalImageNonce' ),
- 'cropSettingsNonce' => wp_create_nonce( 'cropSettingsNonce' ),
- 'labsSiteDesignNonce' => wp_create_nonce( 'labsSiteDesignNonce' ),
- 'bundledIconsEnabled' => $bundled_icons_enabled,
- 'customIcons' => $this->get_custom_icons(),
- 'customIconConfigExists' => file_exists( get_stylesheet_directory() . '/coblocks/icons/config.json' ),
- 'typographyControlsEnabled' => $typography_controls_enabled,
- 'animationControlsEnabled' => $animation_controls_enabled,
- 'localeCode' => get_locale(),
- 'baseApiNamespace' => COBLOCKS_API_NAMESPACE,
- )
+ $localize_data = array(
+ 'form' => array(
+ 'adminEmail' => $email_to,
+ 'emailSubject' => $form_subject,
+ 'successText' => $success_text,
+ ),
+ 'labsSiteDesignNonce' => wp_create_nonce( 'labsSiteDesignNonce' ),
+ 'bundledIconsEnabled' => $bundled_icons_enabled,
+ 'customIcons' => $this->get_custom_icons(),
+ 'customIconConfigExists' => file_exists( get_stylesheet_directory() . '/coblocks/icons/config.json' ),
+ 'typographyControlsEnabled' => $typography_controls_enabled,
+ 'animationControlsEnabled' => $animation_controls_enabled,
+ 'localeCode' => get_locale(),
+ 'baseApiNamespace' => COBLOCKS_API_NAMESPACE,
 );
+ if ( current_user_can( 'upload_files' ) ) {
+ $localize_data['cropSettingsOriginalImageNonce'] = wp_create_nonce( 'cropSettingsOriginalImageNonce' );
+ $localize_data['cropSettingsNonce'] = wp_create_nonce( 'cropSettingsNonce' );
+ }
+
+ wp_localize_script( 'coblocks-editor', 'coblocksBlockData', $localize_data );
 }
 /**
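Review bot: The reason for gating the two crop nonces on `current_user_can( 'upload_files' )` is not recorded at the new `if`, and a reader could take this block for the access control itself, whereas the enforcement is the nonce and capability checks inside the crop handlers in the other file of this patch; a comment such as `// Crop nonces are only emitted for users who would pass the crop handlers' upload_files check, so their absence tells the editor the crop UI is unavailable.` would make that explicit. As a consequence, the script receiving `coblocksBlockData` now sees `cropSettingsOriginalImageNonce` and `cropSettingsNonce` as undefined for every other user, and nothing in this change shows the JS side accounting for that, so it is worth confirming the crop UI is hidden or fails cleanly instead of posting an undefined nonce. editor_assets begins before this hunk.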