From ab8a02bca559143a868ba5b83a0c1f61a0a62ff6 Mon Sep 17 00:00:00 2001
From: Jason Rouet <56646501+jaz-on@users.noreply.github.com>
Date: Tue, 1 Aug 2023 21:21:46 +0200
Subject: [PATCH] Add nonces to several `lws-settings` (#26)

* Add extra nonces to fix security report. Resolves #23, resolves #25

* Fix preivous commit (nonces parameters were reversed)

* Additional fix (nonces parameters were reversed)

* Additional fix (nonces parameters were reversed)

* Additional fix (nonces parameters were reversed)

* Additional fix

* Delete switch_metric function in function switch_simplified
---
 .DS_Store                          | Bin 8196 -> 10244 bytes
 admin/SystemPluginAdmin.php        |  69 +++++++++++++++++++----------
 admin/partials/SettingsGeneral.php |  12 ++---
 3 files changed, 52 insertions(+), 29 deletions(-)

diff --git a/.DS_Store b/.DS_Store
index 769a4e44c2d278f5a8bdef88a6e9da2ea45081af..46b69713380e8dd83bb430c2cbc64a7e237d9afc 100644
GIT binary patch
literal 10244
zcmeHMPmdcl6n{?A?xx#qS89>qfI1QvRBc1D{U;R;={87kB^5nDwPbce5_K|8lSxyw
zT9I>G)E?l1IP^@55E2(YK*c90Ck{p8$_MD7!0*|UtUZ}zdnsB8do_MD_IvhwzxSRU
zdx=PF4ucAjM?}kbn64c~l~K5#pP7<NTF!zB$kT_R-1bB1<9ls}+ch`@90Cpjhk!%C
zA#e~7z@E)zc|}uKI|Lj84uL5Gygqn%m{t=y)>JJWsMHYvw18$+@UDLPgL>QmT21I!
zQ?#H6EefhdMRLRt$;m-zar9Rc{;{T7oP?Sg<0LbS<b)!UgNN`GJBg~Mu677G1ZEN7
zvwML`)S?c>sq_0~^p*ZmMF~#%!d9ieExSF{dZ+NMIYw93YRMe{r{wmp?>*shrm|fb
zO#A=(x#p+)du?Ovubx4aj!pEV2F3X6Lsy@Mcx%!irSp&AH+5c`%C;fl+uY*K#oU&i
zlsg9Q)Oe<~f8Lbw_uASSu05OQb6J+_Wsof&k%Ywo^-#lJ{GCxPt&}ZyQ?@LWwJghD
zKMmQ1{HC4XeKWOlADKO?UslG#AU}p$bO>G#s0*J*DT|+@*Yvf)>5m4zBnp4=dtqk~
zm&?D2T)uGV@Dj?(()D^<j_PqE9u77e{ZIJos+6HWd2je1cbcQEwUbw56gN6iv#$g?
zK@%*WUh71G9Bs;B6bzJXU3U~ww$|R*+1V&>tb6Ax8@ub?PUXVI%DQ*qTzPl5xcu5%
z@4Wlb){U?mNp={DNOm+@)!)<l9^MR-ESDYm<DuPaI*4d|ElDdw-b_4j{QgLXs=;A_
ze_U;(M(?e9KMG~k!n~~UQMiRuP*RA8T~tDdwy9@3DaZV#lU8XPTn&n_<TRCR3z9M2
zPA@;Xr!$hDW5x*bF@izjZIC@@{>qFb&lTb6V`kR5KS%PXl;kpp9cBzMbHM3mTUR)>
zAHU_bOF!_hmYFe4-<>=WPZp63zP*H6#Ao^OgJ+nMipmbQ;C8m<#EbM}W3kt>V^f&J
z&kL=|Uj#<lt3y!6JB5{6Z1<6{(8|B~QfWRju8G&*OT!6X85)=|znIg)te|3l1r~MS
zdybp|>dYt=oW-V9uPdor;6H<<yQ$)>4cf=|0BCaj>FCYO7r~2~Io@%dRfs+bT}q%G
zHBJeh>{4jQqslf@x~R4diJEg|UY3~>hrx@DQrm8iuJURwujRYDPrrs8)>x+3?)AQy
zcrC@V7vb}GEKl8kfN2ojyfx}=g8kH`Af-9ywW;}$ltczHDz{CURkix?dZ7In0;5bH
zaxRI}MlP|At~dl70uBL(fJ5MbAduI3czpl={`~*{9}sPw8V&)6z^gz&6l(R_CPtpz
zM5HI-Q>%yPGdx_FZ>*^jL8Y$aLDh9UKKSnMZ9L3dX37Qc)r5{UMGMM*|IYw-{!iW0
Oxbwep?fic@|Njefv?pu;

delta 416
zcmZn(XmOBWU|?W$DortDU;r^WfEYvza8E20o2aKKC<l@U@)>f{4TF>Oa|<>WPGg_g
zAh?;GgM~vDB+J5}$B@pD$xs4Q0Tg3ksCoQua)5vobHl+^lXC^6Ss55WtX=^bre=l7
zqJoZWXSfVIoYf}B2r9ssO@c0ynS^ZEKKfQRNUKe*5K<D#%};Sj%E?ax8pr_`c9{G~
zsDZ=6!cs@U*urFTmT;u=DFvVkR)$1|6oy=&Q}S~2UEunFGOt(J9CbujfiM}YVltbE
zJR`$oH4(YVQKF74K(RTK=ZmVq7!s53i;7MT6BC>~Q_Kh=cwS5m#*msUEG|6RL&6dw
z&?=z-VXTx;-&p#aNst+691uuw0|{49=x!|h&ODi4C6EIcwxBR)m>kbDl^YbkAPz(S
JgpGxNm;g~SWtac}

diff --git a/admin/SystemPluginAdmin.php b/admin/SystemPluginAdmin.php
index 4cb99c6..2f4927b 100644
--- a/admin/SystemPluginAdmin.php
+++ b/admin/SystemPluginAdmin.php
@@ -2050,10 +2050,13 @@ protected function lws_view_admin_page($name, array $args = array()) {
      * @since 3.0.0
      */
     private function switch_simplified() {
-        update_option('live_weather_station_advanced_mode', 0);
-        add_settings_error('lws_nonce_success', 200, sprintf(__('%s now runs in simplified mode.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
-        Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station now runs in simplified mode.');
-        $this->switch_metric();
+        if( isset($_GET['lwssettingsswitchsimplifiednonce']) && wp_verify_nonce( $_GET['lwssettingsswitchsimplifiednonce'], 'lwssettingsswitchsimplifiednonce') ) {
+            update_option('live_weather_station_advanced_mode', 0);
+            add_settings_error('lws_nonce_success', 200, sprintf(__('%s now runs in simplified mode.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
+            Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station now runs in simplified mode.');
+        } else {
+            wp_die('NOPE');
+        }
     }
 
     /**
@@ -2062,9 +2065,13 @@ private function switch_simplified() {
      * @since 3.0.0
      */
     private function switch_extended() {
-        update_option('live_weather_station_advanced_mode', 1);
-        add_settings_error('lws_nonce_success', 200, sprintf(__('%s now runs in extended mode.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
-        Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station now runs in extended mode.');
+        if( isset($_GET['lwssettingsswitchextendednonce']) && wp_verify_nonce( $_GET['lwssettingsswitchextendednonce'], 'lwssettingsswitchextendednonce') ) {
+            update_option('live_weather_station_advanced_mode', 1);
+            add_settings_error('lws_nonce_success', 200, sprintf(__('%s now runs in extended mode.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
+            Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station now runs in extended mode.');
+        } else {
+            wp_die('NOPE');
+        }
     }
 
     /**
@@ -2073,9 +2080,13 @@ private function switch_extended() {
      * @since 3.0.0
      */
     private function switch_metric() {
-        self::switch_to_metric();
-        add_settings_error('lws_nonce_success', 200, sprintf(__('%s now displays its data in the metric system.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
-        Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station now displays its data in the metric system.');
+        if( isset($_GET['lwssettingsswitchmetricnonce']) && wp_verify_nonce( $_GET['lwssettingsswitchmetricnonce'], 'lwssettingsswitchmetricnonce') ) {
+            self::switch_to_metric();
+            add_settings_error('lws_nonce_success', 200, sprintf(__('%s now displays its data in the metric system.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
+            Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station now displays its data in the metric system.');
+        } else {
+            wp_die('NOPE');
+        }
     }
 
     /**
@@ -2084,9 +2095,13 @@ private function switch_metric() {
      * @since 3.0.0
      */
     private function switch_imperial() {
-        self::switch_to_imperial();
-        add_settings_error('lws_nonce_success', 200, sprintf(__('%s now displays its data in the imperial system.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
-        Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station now displays its data in the imperial system.');
+        if( isset($_GET['lwssettingsswitchimperialnonce']) && wp_verify_nonce( $_GET['lwssettingsswitchimperialnonce'], 'lwssettingsswitchimperialnonce' ) ) {
+            self::switch_to_imperial();
+            add_settings_error('lws_nonce_success', 200, sprintf(__('%s now displays its data in the imperial system.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
+            Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station now displays its data in the imperial system.');
+        } else {
+            wp_die('NOPE');
+        }
     }
 
     /**
@@ -2095,11 +2110,15 @@ private function switch_imperial() {
      * @since 3.0.0
      */
     private function switch_full_translation() {
-        update_option('live_weather_station_partial_translation', 0);
-        $i18n = new Intl();
-        $i18n->delete_mo_files();
-        add_settings_error('lws_nonce_success', 200, sprintf(__('%s no longer uses partial translations.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
-        Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station no longer uses partial translations.');
+        if( isset($_GET['lwssettingsswitchfulltranslationnonce']) && wp_verify_nonce( $_GET['lwssettingsswitchfulltranslationnonce'], 'lwssettingsswitchfulltranslationnonce' ) ) {
+            update_option('live_weather_station_partial_translation', 0);
+            $i18n = new Intl();
+            $i18n->delete_mo_files();
+            add_settings_error('lws_nonce_success', 200, sprintf(__('%s no longer uses partial translations.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
+            Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station no longer uses partial translations.');
+        } else {
+            wp_die('NOPE');
+        }
     }
 
     /**
@@ -2108,11 +2127,15 @@ private function switch_full_translation() {
      * @since 3.0.0
      */
     private function switch_partial_translation() {
-        update_option('live_weather_station_partial_translation', 1);
-        $i18n = new Intl();
-        $i18n->cron_run();
-        add_settings_error('lws_nonce_success', 200, sprintf(__('%s now uses a partial translation.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
-        Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station now uses a partial translation.');
+        if( isset($_GET['lwssettingsswitchpartialtranslationnonce']) && wp_verify_nonce( $_GET['lwssettingsswitchpartialtranslationnonce'], 'lwssettingsswitchpartialtranslationnonce' ) ) {
+            update_option('live_weather_station_partial_translation', 1);
+            $i18n = new Intl();
+            $i18n->cron_run();
+            add_settings_error('lws_nonce_success', 200, sprintf(__('%s now uses a partial translation.', 'live-weather-station'), LWS_PLUGIN_NAME), 'updated');
+            Logger::info($this->service, null, null, null, null, null, 0, 'Weather Station now uses a partial translation.');
+        } else {
+            wp_die('NOPE');
+        }
     }
 
     /**
diff --git a/admin/partials/SettingsGeneral.php b/admin/partials/SettingsGeneral.php
index 1540807..edaab5b 100644
--- a/admin/partials/SettingsGeneral.php
+++ b/admin/partials/SettingsGeneral.php
@@ -20,19 +20,19 @@
         <?php echo sprintf(__('%s runs currently in extended mode. If you want to make your life easier, switch to simplified mode.', 'live-weather-station'), LWS_PLUGIN_NAME);?><br/>
         <em><?php echo __('Note: if you choose the simplified mode, all settings (like display options, units, etc.) will be automatically set for you.', 'live-weather-station');?></em>
     </p>
-    <p><a class="button button-primary" href="<?php echo esc_url(lws_get_admin_page_url('lws-settings', 'switch-simplified')); ?>"><?php echo __('Switch to Simplified Mode', 'live-weather-station');?></a></p>
+    <p><a class="button button-primary" href="<?php echo esc_url(wp_nonce_url( lws_get_admin_page_url('lws-settings', 'switch-simplified'), 'lwssettingsswitchsimplifiednonce', 'lwssettingsswitchsimplifiednonce')); ?>"><?php echo __('Switch to Simplified Mode', 'live-weather-station');?></a></p>
 <?php } else { ?>
     <p>&nbsp;</p>
     <p><?php echo sprintf(__('%s runs currently in simplified mode. If you want to access all the available settings, you must switch to extended mode.', 'live-weather-station'), LWS_PLUGIN_NAME);?></p>
-    <p><a class="button button-primary" href="<?php echo esc_url(lws_get_admin_page_url('lws-settings', 'switch-extended')); ?>"><?php echo __('Switch to Extended Mode', 'live-weather-station');?></a></p>
+    <p><a class="button button-primary" href="<?php echo esc_url(wp_nonce_url( lws_get_admin_page_url('lws-settings', 'switch-extended'), 'lwssettingsswitchextendednonce', 'lwssettingsswitchextendednonce')); ?>"><?php echo __('Switch to Extended Mode', 'live-weather-station');?></a></p>
     <?php if ((0 == get_option('live_weather_station_unit_temperature'))) { ?>
         <p>&nbsp;</p>
         <p><?php echo sprintf(__('The data displayed by %s are in <em>metric units</em>. If that does not suit your needs, you can choose imperial units.', 'live-weather-station'), LWS_PLUGIN_NAME);?></p>
-        <p><a class="button button-primary" href="<?php echo esc_url(lws_get_admin_page_url('lws-settings', 'switch-imperial')); ?>"><?php echo __('Display Data in Imperial Units', 'live-weather-station');?></a></p>
+        <p><a class="button button-primary" href="<?php echo esc_url(wp_nonce_url( lws_get_admin_page_url('lws-settings', 'switch-imperial'), 'lwssettingsswitchimperialnonce', 'lwssettingsswitchimperialnonce')); ?>"><?php echo __('Display Data in Imperial Units', 'live-weather-station');?></a></p>
     <?php } else { ?>
         <p>&nbsp;</p>
         <p><?php echo sprintf(__('The data displayed by %s are in <em>imperial units</em>. If that does not suit your needs, you can choose metric units.', 'live-weather-station'), LWS_PLUGIN_NAME);?></p>
-        <p><a class="button button-primary" href="<?php echo esc_url(lws_get_admin_page_url('lws-settings', 'switch-metric')); ?>"><?php echo __('Display Data in Metric Units', 'live-weather-station');?></a></p>
+        <p><a class="button button-primary" href="<?php echo esc_url(wp_nonce_url( lws_get_admin_page_url('lws-settings', 'switch-metric'), 'lwssettingsswitchmetricnonce', 'lwssettingsswitchmetricnonce')); ?>"><?php echo __('Display Data in Metric Units', 'live-weather-station');?></a></p>
     <?php } ?>
 <?php } ?>
 
@@ -42,13 +42,13 @@
         <p>
             <?php echo sprintf(__('Currently, %s uses a partial translation of your language. If you do not like half finished things, click the button below:', 'live-weather-station'), LWS_PLUGIN_NAME);?>
         </p>
-        <p><a id="partial-translation" class="button button-primary" href="<?php echo esc_url(lws_get_admin_page_url('lws-settings', 'switch-full-translation')); ?>"><?php echo __('Use Only Full Translation', 'live-weather-station');?></a>
+        <p><a id="partial-translation" class="button button-primary" href="<?php echo esc_url(wp_nonce_url( lws_get_admin_page_url('lws-settings', 'switch-full-translation'), 'lwssettingsswitchfulltranslationnonce', 'lwssettingsswitchfulltranslationnonce')); ?>"><?php echo __('Use Only Full Translation', 'live-weather-station');?></a>
             <span id="span-sync" style="display: none;"><i class="<?php echo LWS_FAS;?> fa-cog fa-spin fa-lg fa-fw"></i>&nbsp;<strong><?php echo __('Deactivating partial translation, please wait', 'live-weather-station');?>&hellip;</strong></span></p>
     <?php } else { ?>
         <p>
             <?php echo sprintf(__('Currently, %s is not displayed in your language. But, there is a partial translation that can be used!', 'live-weather-station'), LWS_PLUGIN_NAME);?>
         </p>
-        <p><a id="partial-translation" class="button button-primary" href="<?php echo esc_url(lws_get_admin_page_url('lws-settings', 'switch-partial-translation')); ?>"><?php echo __('Use Partial Translation', 'live-weather-station');?></a>
+        <p><a id="partial-translation" class="button button-primary" href="<?php echo esc_url(wp_nonce_url( lws_get_admin_page_url('lws-settings', 'switch-partial-translation'), 'lwssettingsswitchpartialtranslationnonce', 'lwssettingsswitchpartialtranslationnonce')); ?>"><?php echo __('Use Partial Translation', 'live-weather-station');?></a>
             <span id="span-sync" style="display: none;"><i class="<?php echo LWS_FAS;?> fa-cog fa-spin fa-lg fa-fw"></i>&nbsp;<strong><?php echo __('Activating partial translation, please wait', 'live-weather-station');?>&hellip;</strong></span></p>
     <?php } ?>
 <?php } ?>