Merge branch 'develop'

CHANGES.md

@@ -1,5 +1,10 @@
 #### [unreleased]
 
+#### 10.6.15 / 2022-03-02
+* show overridden plugins/themes by [Skip Updates](https://wordpress.org/plugins/skip-updates/) plugin in Git Updater Settings tab
+* use `sanitize_key()` for nonces
+* update Freemius/wordpress-sdk
+
 #### 10.6.14 / 2022-02-05
 * allow hooks to run if no settings to be saved in `Settings::update_settings()`
 * composer update

git-updater.php

@@ -12,7 +12,7 @@
  * Plugin Name:       Git Updater
  * Plugin URI:        https://git-updater.com
  * Description:       A plugin to automatically update GitHub hosted plugins, themes, and language packs. Additional API plugins available for Bitbucket, GitLab, Gitea, and Gist.
- * Version:           10.6.14
+ * Version:           10.6.15
  * Author:            Andy Fragen
  * License:           MIT
  * Domain Path:       /languages

src/Git_Updater/Add_Ons.php

@@ -198,7 +198,7 @@ public function add_admin_page( $tab, $action ) {
 	 * Display appropriate notice for Remote Management page action.
 	 */
 	private function admin_page_notices() {
-		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_settings' ) ) {
+		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_settings' ) ) {
 			return;
 		}
 		$display = isset( $_POST['install_api_plugin'] ) && '1' === $_POST['install_api_plugin'];

src/Git_Updater/Base.php

@@ -157,7 +157,7 @@ function () {
 			);
 		}
 
-		if ( isset( $_POST['_wpnonce'], $_POST['gu_refresh_cache'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_refresh_cache' ) ) {
+		if ( isset( $_POST['_wpnonce'], $_POST['gu_refresh_cache'] ) && wp_verify_nonce( sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_refresh_cache' ) ) {
 			/**
 			 * Fires later in cycle when Refreshing Cache.
 			 *

src/Git_Updater/Messages.php

@@ -45,7 +45,7 @@ public function create_error_message( $type = '' ) {
 		$update_pages   = [ 'update-core.php', 'plugins.php', 'themes.php' ];
 		$settings_pages = [ 'settings.php', 'options-general.php' ];
 
-		if ( ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) )
+		if ( ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) )
 			&& ( ( ! isset( $_GET['page'] ) || 'git-updater' !== $_GET['page'] )
 			&& in_array( $pagenow, $settings_pages, true ) )
 			|| ! in_array( $pagenow, array_merge( $update_pages, $settings_pages ), true )

src/Git_Updater/Plugin.php

@@ -439,7 +439,7 @@ public function update_site_transient( $transient ) {
 
 				// Set transient on rollback.
 				if ( isset( $_GET['_wpnonce'], $_GET['plugin'], $_GET['rollback'] )
-					&& wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'upgrade-plugin_' . $plugin->file )
+					&& wp_verify_nonce( sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ), 'upgrade-plugin_' . $plugin->file )
 				) {
 					$transient->response[ $plugin->file ] = ( new Branch() )->set_rollback_transient( 'plugin', $plugin );
 				}

src/Git_Updater/Settings.php

@@ -68,7 +68,7 @@ public function __construct() {
 	 * Check for cache refresh.
 	 */
 	protected function refresh_caches() {
-		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_refresh_cache' ) ) {
+		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_refresh_cache' ) ) {
 			return;
 		}
 
@@ -256,7 +256,7 @@ private function options_sub_tabs() {
 	 * Options page callback.
 	 */
 	public function create_admin_page() {
-		if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) ) {
+		if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) ) {
 			return;
 		}
 		$action = is_multisite() ? 'edit.php?action=git-updater' : 'options.php';
@@ -325,7 +325,7 @@ public function create_admin_page() {
 	 * Display appropriate notice for Settings page actions.
 	 */
 	private function admin_page_notices() {
-		if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) ) {
+		if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ), 'gu_settings' ) ) {
 			return;
 		}
 		$display = ( isset( $_GET['updated'] ) && is_multisite() )
@@ -598,6 +598,13 @@ private function display_dot_org_overrides() {
 		 */
 		$overrides = empty( $overrides ) ? apply_filters_deprecated( 'github_updater_override_dot_org', [ [] ], '10.0.0', 'gu_override_dot_org' ) : $overrides;
 
+		// Show plugins/themes skipped using Skip Updates plugin.
+		$skip_updates = get_site_option( 'skip_updates', [] );
+		foreach ( $skip_updates as $skip_update ) {
+			$overrides[] = $skip_update['slug'];
+		}
+		$overrides = \array_unique( $overrides );
+
 		if ( ! empty( $overrides ) ) {
 			echo '<h4>' . esc_html__( 'Overridden Plugins and Themes', 'git-updater' ) . '</h4>';
 			echo '<p>' . esc_html__( 'The following plugins or themes might exist on wp.org, but any updates will be downloaded from their respective git repositories.', 'git-updater' ) . '</p>';
@@ -655,7 +662,7 @@ public function token_callback_checkbox( $args ) {
 	 * @link http://benohead.com/wordpress-network-wide-plugin-settings/
 	 */
 	public function update_settings() {
-		if ( isset( $_POST['_wpnonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'git_updater-options' ) ) {
+		if ( isset( $_POST['_wpnonce'] ) && wp_verify_nonce( sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ), 'git_updater-options' ) ) {
 			if ( ( isset( $_POST['option_page'] )
 			&& 'git_updater' === $_POST['option_page'] )
 			) {
@@ -689,7 +696,7 @@ public function update_settings() {
 	 * @return array|mixed
 	 */
 	private function filter_options() {
-		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'git_updater-options' ) ) {
+		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ), 'git_updater-options' ) ) {
 			return;
 		}
 		$options = self::$options;
@@ -779,7 +786,7 @@ protected function redirect_on_save() {
 	 * @return bool
 	 */
 	private function refresh_transients() {
-		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_refresh_cache' ) ) {
+		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ), 'gu_refresh_cache' ) ) {
 			return false;
 		}
 		if ( isset( $_REQUEST['git_updater_refresh_transients'] ) ) {

src/Git_Updater/Theme.php

@@ -642,7 +642,7 @@ public function update_site_transient( $transient ) {
 
 			// Set transient for rollback.
 			if ( isset( $_GET['_wpnonce'], $_GET['theme'], $_GET['rollback'] )
-				&& wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'upgrade-theme_' . $theme->slug )
+				&& wp_verify_nonce( sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ), 'upgrade-theme_' . $theme->slug )
 			) {
 				$transient->response[ $theme->slug ] = ( new Branch() )->set_rollback_transient( 'theme', $theme );
 			}

src/Git_Updater/Traits/GU_Trait.php

@@ -25,7 +25,7 @@ trait GU_Trait {
 	 * @return bool
 	 */
 	public static function is_heartbeat() {
-		if ( isset( $_POST['action'], $_POST['_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_nonce'] ) ), 'heartbeat-nonce' ) ) {
+		if ( isset( $_POST['action'], $_POST['_nonce'] ) && wp_verify_nonce( sanitize_key( wp_unslash( $_POST['_nonce'] ) ), 'heartbeat-nonce' ) ) {
 			return 'heartbeat' === $_POST['action'];
 		}
 			return false;

vendor/afragen/wp-dependency-installer/composer.json

@@ -1,7 +1,7 @@
 {
   "name": "afragen/wp-dependency-installer",
   "description": "Library that helps WordPress plugin dependency management.",
-  "version": "4.3.3",
+  "version": "4.3.4",
   "type": "library",
   "license": "MIT",
   "authors": [

vendor/afragen/wp-dependency-installer/wp-dependency-installer.php

@@ -366,7 +366,7 @@ public function admin_footer() {
 		 */
 		public function ajax_router() {
 			if ( ! isset( $_POST['nonce'], $_POST['slug'] )
-				|| ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wp-dependency-installer_' . sanitize_text_field( wp_unslash( $_POST['slug'] ) ) )
+				|| ! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['nonce'] ) ), 'wp-dependency-installer_' . sanitize_text_field( wp_unslash( $_POST['slug'] ) ) )
 			) {
 				return;
 			}

vendor/composer/installed.json

@@ -102,24 +102,24 @@
         },
         {
             "name": "afragen/wp-dependency-installer",
-            "version": "4.3.3",
-            "version_normalized": "4.3.3.0",
+            "version": "4.3.4",
+            "version_normalized": "4.3.4.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/afragen/wp-dependency-installer.git",
-                "reference": "5947e52d91969d2fc8e47a25c02325643b154ec8"
+                "reference": "d13c7f2caab8781758c46ebef508953ce98259db"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/afragen/wp-dependency-installer/zipball/5947e52d91969d2fc8e47a25c02325643b154ec8",
-                "reference": "5947e52d91969d2fc8e47a25c02325643b154ec8",
+                "url": "https://api.github.com/repos/afragen/wp-dependency-installer/zipball/d13c7f2caab8781758c46ebef508953ce98259db",
+                "reference": "d13c7f2caab8781758c46ebef508953ce98259db",
                 "shasum": ""
             },
             "require": {
                 "afragen/wp-dismiss-notice": "*",
                 "php": ">=5.6"
             },
-            "time": "2022-02-05T23:04:53+00:00",
+            "time": "2022-02-08T22:15:57+00:00",
             "type": "library",
             "installation-source": "dist",
             "autoload": {

vendor/composer/installed.php

@@ -16,7 +16,7 @@
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
-            'reference' => '089e23eefd3d661c7a1f4246e38534623f353012',
+            'reference' => '6ef7a25b7fa6b6e35a2f35312a78b717686da4e3',
             'dev_requirement' => false,
         ),
         'afragen/singleton' => array(
@@ -42,12 +42,12 @@
             'dev_requirement' => false,
         ),
         'afragen/wp-dependency-installer' => array(
-            'pretty_version' => '4.3.3',
-            'version' => '4.3.3.0',
+            'pretty_version' => '4.3.4',
+            'version' => '4.3.4.0',
             'type' => 'library',
             'install_path' => __DIR__ . '/../afragen/wp-dependency-installer',
             'aliases' => array(),
-            'reference' => '5947e52d91969d2fc8e47a25c02325643b154ec8',
+            'reference' => 'd13c7f2caab8781758c46ebef508953ce98259db',
             'dev_requirement' => false,
         ),
         'afragen/wp-dismiss-notice' => array(

vendor/freemius/wordpress-sdk/includes/class-freemius.php

@@ -3550,6 +3550,8 @@ static function _add_debug_section() {
          * @since  1.1.7.3
          */
         static function _toggle_debug_mode() {
+            check_admin_referer( 'fs_toggle_debug_mode' );
+
             if ( ! is_super_admin() ) {
                 return;
             }
@@ -3571,10 +3573,19 @@ static function _toggle_debug_mode() {
          * @since  1.2.1.6
          */
         static function _get_debug_log() {
+            check_admin_referer( 'fs_get_debug_log' );
+
+            if ( ! is_super_admin() ) {
+                return;
+            }
+
+            $limit  = min( ! empty( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 200, 200 );
+            $offset = min( ! empty( $_POST['offset'] ) ? absint( $_POST['offset'] ) : 200, 200 );
+
             $logs = FS_Logger::load_db_logs(
                 fs_request_get( 'filters', false, 'post' ),
-                ! empty( $_POST['limit'] ) && is_numeric( $_POST['limit'] ) ? $_POST['limit'] : 200,
-                ! empty( $_POST['offset'] ) && is_numeric( $_POST['offset'] ) ? $_POST['offset'] : 0
+                $limit,
+                $offset
             );
 
             self::shoot_ajax_success( $logs );
@@ -4447,6 +4458,12 @@ function _add_connectivity_issue_message( $api_result, $is_first_failure = true
          * @since  1.0.9
          */
         function _email_about_firewall_issue() {
+            check_admin_referer( 'fs_resolve_firewall_issues' );
+
+            if ( ! current_user_can( is_multisite() ? 'manage_options' : 'activate_plugins' ) ) {
+                return;
+            }
+
             $this->_admin_notices->remove_sticky( 'failed_connect_api' );
 
             $pong = $this->ping();
@@ -4521,6 +4538,12 @@ function _email_about_firewall_issue() {
          * @since  1.1.7.4
          */
         function _retry_connectivity_test() {
+            check_admin_referer( 'fs_retry_connectivity_test' );
+
+            if ( ! current_user_can( is_multisite() ? 'manage_options' : 'activate_plugins' ) ) {
+                return;
+            }
+
             $this->_admin_notices->remove_sticky( 'failed_connect_api_first' );
 
             $pong = $this->ping();

vendor/freemius/wordpress-sdk/includes/managers/class-fs-admin-notice-manager.php

@@ -175,7 +175,12 @@ protected function __construct(
          *
          */
         function dismiss_notice_ajax_callback() {
-            $this->_sticky_storage->remove( $_POST['message_id'] );
+            check_admin_referer( 'fs_dismiss_notice_action' );
+
+            if ( ! is_numeric( $_POST['message_id'] ) ) {
+                $this->_sticky_storage->remove( $_POST['message_id'] );
+            }
+
             wp_die();
         }
 
@@ -469,4 +474,4 @@ private function get_notices_type() {
         }
 
         #endregion
-    }
+    }

vendor/freemius/wordpress-sdk/includes/sdk/Exceptions/ArgumentNotExistException.php

@@ -1,9 +1,13 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
 	if ( ! class_exists( 'Freemius_InvalidArgumentException' ) ) {
 		exit;
 	}
 
 	if ( ! class_exists( 'Freemius_ArgumentNotExistException' ) ) {
 		class Freemius_ArgumentNotExistException extends Freemius_InvalidArgumentException {
 		}
-	}
+	}

vendor/freemius/wordpress-sdk/includes/sdk/Exceptions/EmptyArgumentException.php

@@ -1,9 +1,13 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
 	if ( ! class_exists( 'Freemius_InvalidArgumentException' ) ) {
 		exit;
 	}
 
 	if ( ! class_exists( 'Freemius_EmptyArgumentException' ) ) {
 		class Freemius_EmptyArgumentException extends Freemius_InvalidArgumentException {
 		}
-	}
+	}

vendor/freemius/wordpress-sdk/includes/sdk/Exceptions/Exception.php

@@ -1,4 +1,8 @@
 <?php
+        if ( ! defined( 'ABSPATH' ) ) {
+            exit;
+        }
+
 	if ( ! class_exists( 'Freemius_Exception' ) ) {
 		/**
 		 * Thrown when an API call returns an exception.
@@ -71,4 +75,4 @@ public function __toString() {
 				return $str . $this->getMessage();
 			}
 		}
-	}
+	}

vendor/freemius/wordpress-sdk/includes/sdk/Exceptions/InvalidArgumentException.php

@@ -1,8 +1,12 @@
 <?php
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
 	if ( ! class_exists( 'Freemius_Exception' ) ) {
 		exit;
 	}
 
 	if ( ! class_exists( 'Freemius_InvalidArgumentException' ) ) {
 		class Freemius_InvalidArgumentException extends Freemius_Exception { }
-	}
+	}