froger-me/wp-packages-update-server

Activate / Deactivate functions don't validate package_slug

Closed this issue · 3 comments

Sorry to bother you again. I am using version 1.4.16 and have 2 packages that need a license key. For both of the packages I created one:

image

For x-framework we have 32de42939f8fbb434f396d97
For x-image-search we have db8aa70fdb5fae9e2bf036f5

image

As you can see in the image above, I am able to activate a license key that is not meant for the package. It seems that there is no check between the given package_slug (to check on) and the package_slug that is given in the license details on the wp-packages-update-server end.

Hopefully I explained it well enough.

Hi @ElementMedia !
It was perfectly clear, and this issue has been addressed in v2.x.

Although it is not straightforward, it is nonetheless possible to circumvent this with the 'wppus_did_read_license' action.
Essentially, you would:

  • get the package_slug from $wp->query_vars ($wp is global - so yeay us for WP bad practices, I guess)
  • compare it to the package_slug in the action's parameter
  • if they're not the same, you'd handle your own response

With a dirty closure, this would look like (untested):

add_action(
	'wppus_did_read_license',
	function ( $license ) {
		global $wp;

		// Only act on license API activate/deactivate calls, and only when the
		// package_slug requested differs from the one stored on the license.
		if (
			is_object( $license ) &&
			isset(
				$wp->query_vars['package_slug'],
				$wp->query_vars['__wppus_license_api'],
				$wp->query_vars['action']
			) &&
			(
				'activate' === $wp->query_vars['action'] ||
				'deactivate' === $wp->query_vars['action']
			) &&
			$wp->query_vars['package_slug'] !== $license->package_slug
		) {
			// Same shape as the plugin's "Invalid License" response: only the key.
			wp_send_json( array( 'license_key' => $license->license_key ) );

			exit();
		}
	},
	10,
	1
);

Bonus points for also checking for package_type ;).
This is the sort of quirk that may actually be fixed in the source (instead of the above reliance on hooks) by the community via pull request down the line when the 1.x branch is up.

Oh, and for why such array in the json response, see line 376 of class-wppus-license-api.php ; it's basically replicating the "Invalid License" response.
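A named-callback variant of the workaround above, as an added example that is not the project's code or the maintainer's snippet. It keeps the same idea (compare the requested package_slug against the license record on activate/deactivate and answer with the "Invalid License" shape on mismatch), adds the package_type check the maintainer suggests, and logs rejections so mismatched activations are visible in the server logs. The query vars package_slug, __wppus_license_api and action come from the thread; a package_type query var and a package_type property on the license object are assumptions.

```php
<?php
// Added example, not part of wp-packages-update-server. Assumes the
// 'wppus_did_read_license' action passes the license object as its first
// argument (as in the thread above). The package_type query var and
// $license->package_type are assumptions for the "bonus points" check.

function example_wppus_enforce_license_package( $license ) {
	global $wp;

	// Only act on license API requests with a usable license object.
	if ( ! is_object( $license ) || ! isset( $wp->query_vars['__wppus_license_api'] ) ) {
		return;
	}

	$action = isset( $wp->query_vars['action'] ) ? (string) $wp->query_vars['action'] : '';

	// Reads and other endpoints are left alone; only activate/deactivate bind a key to a package.
	if ( ! in_array( $action, array( 'activate', 'deactivate' ), true ) ) {
		return;
	}

	$requested_slug = isset( $wp->query_vars['package_slug'] ) ? (string) $wp->query_vars['package_slug'] : '';
	$requested_type = isset( $wp->query_vars['package_type'] ) ? (string) $wp->query_vars['package_type'] : ''; // assumed query var

	// A missing slug is treated as a mismatch: the request must name the package it is for.
	$slug_mismatch = ( '' === $requested_slug || $requested_slug !== (string) $license->package_slug );

	// Type is only compared when both sides supply it (assumed property).
	$type_mismatch = (
		'' !== $requested_type &&
		isset( $license->package_type ) &&
		$requested_type !== (string) $license->package_type
	);

	if ( $slug_mismatch || $type_mismatch ) {
		// Log the rejection for monitoring; the key itself is not written to the log.
		error_log( sprintf(
			'wppus: %s rejected, license is for %s but request named %s%s',
			$action,
			(string) $license->package_slug,
			'' === $requested_slug ? '(none)' : $requested_slug,
			'' === $requested_type ? '' : ' / ' . $requested_type
		) );

		// Mirror the plugin's "Invalid License" response shape: only the key is returned.
		wp_send_json( array( 'license_key' => $license->license_key ) );
		exit();
	}
}
add_action( 'wppus_did_read_license', 'example_wppus_enforce_license_package', 10, 1 );
```

Place this in a small must-use plugin or the theme's functions.php on the update server, not on the client site; it runs before the plugin's own activate/deactivate handling only if the action fires before that handling, which is what the thread describes for v1.4.x.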

You are amazing. This is very helpful, I was just about to walk a similar route like you shared, so this is super helpful. I'll really try to get some more GitHub experience so I can also contribute and make pull requests.

Really looking forward to the V2 version. Thanks for everything so far. Now I am back to coding again :)