Version: 1.8.4 (#94)

* Security - Improve URL checks in REST controller.

Author: Endzevich

changelog.txt

@@ -1,3 +1,31 @@
+= 1.8.1, May 16 2022 =
+* Improved the support for right-to-left languages.
+
+= 1.8.0, May 02 2022 =
+* New block: added the Content Slider block.
+
+= 1.7.10, Apr 26 2022 =
+* Added the ability to add a link to the Background Featured Image template part block.
+* Fixed an issue with the font size picker.
+* Fixed an issue when content of Post Slider and Post Carousel blocks may disappear in the block editor.
+
+= 1.7.9, Mar 16 2022 =
+* Improved compatibility with WordPress 5.9.
+* Increased the maximum number of slides in the Media & Text Slider block.
+* Fixed an issue when the first slide's content may have disappeared in the Media & Text Slider block.
+* Fixed an issue with the slide content class in the Media & Text Slider block.
+* Fixed an issue with the button width in the Button Group block.
+* Fixed an issue when some blocks may have not been displayed in the block inserter.
+
+= 1.7.8, Dec 14 2021 =
+* Minor bugfixes and improvements of the Google Maps, Table and Image Slider blocks.
+
+= 1.7.7, Nov 2 2021 =
+* Fixed an issue with the empty terms list in the Custom Post Type and related blocks.
+
+= 1.7.6, Oct 27 2021 =
+* Security - sanitization and escaping.
+
 = 1.7.5, Oct 1 2021 =
 * Security - added nonces to prevent CSRF.
 

getwid.php

@@ -3,7 +3,7 @@
  * Plugin Name: Getwid
  * Plugin URI: https://motopress.com/products/getwid/
  * Description: Extra Gutenberg blocks for building seamless and aesthetic websites in the WordPress block editor.
- * Version: 1.8.3
+ * Version: 1.8.4
  * Author: MotoPress
  * Author URI: https://motopress.com/
  * License: GPLv2 or later

includes/rest-api.php

@@ -71,7 +71,7 @@ public function register_rest_route(){
 	}
 
 	public function permissions_check( $request ) {
-		if ( ! current_user_can( 'read' ) ) {
+		if ( ! current_user_can( 'edit_posts' ) ) {
 			return new \WP_Error(
 				'rest_forbidden',
 				esc_html__( 'Forbidden.' ),
@@ -165,7 +165,7 @@ public function templates_schema() {
 
 	public function get_remote_templates() {
 
-		$cache = sanitize_text_field( wp_unslash( $_GET['cache'] ) );
+		$cache = isset( $_GET['cache'] ) ? sanitize_text_field( wp_unslash( $_GET['cache'] ) ) : 'refresh';
 		$templates_data = [];
 
 		if ($cache == 'cache'){
@@ -207,18 +207,21 @@ public function get_remote_templates() {
 	}
 
 	public function get_remote_content() {
-		$get_content_url = esc_url_raw( $_GET['get_content_url'] );
+
+		$get_content_url = isset( $_GET['get_content_url'] ) ? esc_url_raw( $_GET['get_content_url'] ) : false;
+
+		if ( ! $this->content_url_is_valid( $get_content_url ) ) {
+			return __( 'Please provide a valid URL.', 'getwid' );
+		}
 
 		//Get Templates from remote server
 		$response = wp_remote_get(
 			$get_content_url,
 			array(
 				'timeout' => 15,
-				)
+			)
 		);
 
-		// var_dump( wp_remote_retrieve_body( $response ) ); exit();
-
 		$templates_data = json_decode( wp_remote_retrieve_body( $response ) );
 
 		//JSON valid
@@ -289,4 +292,35 @@ public function get_templates($object) {
 		}
 		return $return;
 	}
+
+	private function content_url_is_valid( $url ) {
+
+		$parsed_url = wp_parse_url( $url );
+
+		if ( ! $parsed_url ) {
+			return false;
+		}
+
+		$valid_hosts = array( 'elements.getwid.getmotopress.com' );
+		$valid_path = '/wp-json/getwid-templates-server/v1/get_content';
+
+		$remote_library_url = wp_parse_url( $this->remote_template_library_url );
+
+		if ( $remote_library_url && isset( $remote_library_url['host'] ) ) {
+			$valid_hosts[] = $remote_library_url['host'];
+		}
+
+		$host_is_valid = false;
+		$path_is_valid = false;
+
+		if ( isset( $parsed_url['host'] ) && in_array( $parsed_url['host'], $valid_hosts ) ) {
+			$host_is_valid = true;
+		}
+
+		if ( isset( $parsed_url['path'] ) && $valid_path == $parsed_url['path'] ) {
+			$path_is_valid = true;
+		}
+
+		return $host_is_valid && $path_is_valid;
+	}
 }

languages/getwid.pot

@@ -9,7 +9,7 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2023-01-26T15:31:47+02:00\n"
+"POT-Creation-Date: 2023-04-13T12:51:34+03:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.7.1\n"
 "X-Domain: getwid\n"
@@ -227,7 +227,7 @@ msgstr ""
 #: includes/blocks/instagram.php:152
 #: includes/instagram-token-manager.php:84
 #: includes/rest-api.php:201
-#: includes/rest-api.php:228
+#: includes/rest-api.php:231
 msgid "Error in json_decode."
 msgstr ""
 
@@ -419,6 +419,10 @@ msgstr ""
 msgid "No templates found in Trash"
 msgstr ""
 
+#: includes/rest-api.php:214
+msgid "Please provide a valid URL."
+msgstr ""
+
 #: includes/scripts-manager.php:70
 msgid "Full Size"
 msgstr ""

readme.txt

@@ -3,9 +3,9 @@ Contributors: MotoPress
 Donate link: https://motopress.com/
 Tags: gutenberg, gutenberg blocks, wordpress blocks, blocks, editor, block, gutenberg library, templates, page builder, section, google maps, mailchimp, acf
 Requires at least: 5.5
-Tested up to: 6.0
+Tested up to: 6.1
 Requires PHP: 5.6
-Stable tag: 1.8.2
+Stable tag: 1.8.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -182,6 +182,9 @@ Getwid plugin is distributed under the terms of the GNU GPL.
 
 == Changelog ==
 
+= 1.8.4, Apr 13 2023 =
+* Security - Improve URL checks in REST controller.
+
 = 1.8.3, Jan 26 2023 =
 * Improved accessibility of the Video Popup block.
 * Added the ability to load block assets outside Getwid.
@@ -197,34 +200,6 @@ Getwid plugin is distributed under the terms of the GNU GPL.
 * Fixed an issue with the Image Slider block not being initialized if added from the Template Library.
 * Minor bugfixes and improvements.
 
-= 1.8.1, May 16 2022 =
-* Improved the support for right-to-left languages.
-
-= 1.8.0, May 02 2022 =
-* New block: added the Content Slider block.
-
-= 1.7.10, Apr 26 2022 =
-* Added the ability to add a link to the Background Featured Image template part block.
-* Fixed an issue with the font size picker.
-* Fixed an issue when content of Post Slider and Post Carousel blocks may disappear in the block editor.
-
-= 1.7.9, Mar 16 2022 =
-* Improved compatibility with WordPress 5.9.
-* Increased the maximum number of slides in the Media & Text Slider block.
-* Fixed an issue when the first slide's content may have disappeared in the Media & Text Slider block.
-* Fixed an issue with the slide content class in the Media & Text Slider block.
-* Fixed an issue with the button width in the Button Group block.
-* Fixed an issue when some blocks may have not been displayed in the block inserter.
-
-= 1.7.8, Dec 14 2021 =
-* Minor bugfixes and improvements of the Google Maps, Table and Image Slider blocks.
-
-= 1.7.7, Nov 2 2021 =
-* Fixed an issue with the empty terms list in the Custom Post Type and related blocks.
-
-= 1.7.6, Oct 27 2021 =
-* Security - sanitization and escaping.
-
 --------
 
 [See the previous changelogs here](https://plugins.svn.wordpress.org/getwid/trunk/changelog.txt).