Merge branch 'dev' into remove-sql-calc-found-rows

Author: brianhogg

.changelogs/llms-verify-nonce-removal.yml

@@ -0,0 +1,3 @@
+significance: patch
+type: changed
+entry: Using standard WP nonce check functions instead of llms_verify_nonce.

includes/abstracts/abstract.llms.admin.metabox.php

@@ -466,7 +466,7 @@ public function register() {
 	 */
 	protected function save( $post_id ) {
 
-		if ( ! llms_verify_nonce( 'lifterlms_meta_nonce', 'lifterlms_save_data' ) || ! current_user_can( $this->capability, $post_id ) ) {
+		if ( ! isset( $_REQUEST['lifterlms_meta_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['lifterlms_meta_nonce'] ) ), 'lifterlms_save_data' ) || ! current_user_can( $this->capability, $post_id ) ) {
 			return -1;
 		}
 

includes/abstracts/llms-abstract-admin-wizard.php

@@ -377,7 +377,7 @@ public function save(): ?WP_Error {
 		$nonce  = "llms_{$this->id}_nonce";
 		$action = "llms_{$this->id}_save";
 
-		if ( ! isset( $_POST[ $nonce ] ) || ! llms_verify_nonce( $nonce, $action ) || ! current_user_can( 'manage_lifterlms' ) ) {
+		if ( ! isset( $_POST[ $nonce ] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ $nonce ] ) ), $action ) || ! current_user_can( 'manage_lifterlms' ) ) {
 			return null;
 		}
 

includes/abstracts/llms-abstract-controller-user-engagements.php

@@ -158,11 +158,8 @@ public function maybe_handle_awarded_engagement_sync_actions() {
 		}
 
 		// Verify nonce.
-		if ( ! llms_verify_nonce(
-			"_llms_{$this->engagement_type}_sync_actions_nonce",
-			"llms-{$this->engagement_type}-sync-actions",
-			'GET'
-		) ) {
+		$nonce_field = "_llms_{$this->engagement_type}_sync_actions_nonce";
+		if ( ! isset( $_REQUEST[ $nonce_field ] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST[ $nonce_field ] ) ), "llms-{$this->engagement_type}-sync-actions" ) ) {
 			$result = new WP_Error(
 				"llms-sync-awarded-{$this->engagement_type}s-invalid-nonce",
 				$this->get_text( self::TEXT_SYNC_AWARDED_ENGAGEMENTS_INVALID_NONCE )

includes/abstracts/llms-abstract-email-provider.php

@@ -253,7 +253,8 @@ public function ajax_callback_remote_install_verify() {
 	 */
 	protected function can_remote_install() {
 
-		if ( ! llms_verify_nonce( '_llms_' . $this->id . '_nonce', 'llms-' . $this->id . '-install' ) ) {
+		$nonce_field = '_llms_' . $this->id . '_nonce';
+		if ( ! isset( $_REQUEST[ $nonce_field ] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST[ $nonce_field ] ) ), 'llms-' . $this->id . '-install' ) ) {
 			return array(
 				'code'    => 'llms_' . $this->id . '_install_nonce_failure',
 				'message' => esc_html__( 'Security check failed.', 'lifterlms' ),

includes/admin/class-llms-admin-export-download.php

@@ -45,7 +45,7 @@ public function maybe_serve_export() {
 		}
 
 		// Verify nonce.
-		if ( ! llms_verify_nonce( 'llms_dl_export_nonce', LLMS_Abstract_Exportable_Admin_Table::EXPORT_NONCE_ACTION, 'GET' ) ) {
+		if ( ! isset( $_REQUEST['llms_dl_export_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['llms_dl_export_nonce'] ) ), LLMS_Abstract_Exportable_Admin_Table::EXPORT_NONCE_ACTION ) ) {
 			wp_die( esc_html__( 'Cheatin’ huh?', 'lifterlms' ) );
 		}
 

includes/admin/class-llms-admin-review.php

@@ -123,7 +123,7 @@ public function admin_footer( $text ) {
 	 */
 	public function dismiss() {
 
-		if ( ! current_user_can( 'manage_lifterlms' ) || ! llms_verify_nonce( 'nonce', 'llms-admin-review-request-dismiss' ) ) {
+		if ( ! current_user_can( 'manage_lifterlms' ) || ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ), 'llms-admin-review-request-dismiss' ) ) {
 			wp_die();
 		}
 

includes/admin/class.llms.admin.addons.php

@@ -239,7 +239,7 @@ private function get_products_for_cat( $cat, $include_bundles = true ) {
 	public function handle_actions() {
 
 		// Activate & deactivate addons.
-		if ( llms_verify_nonce( '_llms_manage_addon_nonce', 'llms_manage_addon' ) ) {
+		if ( isset( $_REQUEST['_llms_manage_addon_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_llms_manage_addon_nonce'] ) ), 'llms_manage_addon' ) ) {
 
 			$this->handle_manage_addons();
 			LLMS_Admin_Notices::output_notices();

includes/admin/class.llms.admin.import.php

@@ -81,7 +81,7 @@ public function add_help_tabs() {
 	 */
 	public function cloud_import() {
 
-		if ( ! llms_verify_nonce( 'llms_cloud_importer_nonce', 'llms-cloud-importer' ) || ! current_user_can( 'manage_lifterlms' ) ) {
+		if ( ! isset( $_REQUEST['llms_cloud_importer_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['llms_cloud_importer_nonce'] ) ), 'llms-cloud-importer' ) || ! current_user_can( 'manage_lifterlms' ) ) {
 			return false;
 		}
 
@@ -277,7 +277,7 @@ protected function show_error( $error ) {
 	 */
 	public function upload_import() {
 
-		if ( ! llms_verify_nonce( 'llms_importer_nonce', 'llms-importer' ) || ! current_user_can( 'manage_lifterlms' ) || empty( $_FILES['llms_import'] ) ) {
+		if ( ! isset( $_REQUEST['llms_importer_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['llms_importer_nonce'] ) ), 'llms-importer' ) || ! current_user_can( 'manage_lifterlms' ) || empty( $_FILES['llms_import'] ) ) {
 			return false;
 		}
 

includes/admin/class.llms.admin.notices.php

@@ -246,7 +246,7 @@ public static function has_notice( $notice_id ) {
 	 */
 	public static function hide_notices() {
 		if ( ( isset( $_GET['llms-hide-notice'] ) || isset( $_GET['llms-remind-notice'] ) ) && isset( $_GET['_llms_notice_nonce'] ) ) {
-			if ( ! llms_verify_nonce( '_llms_notice_nonce', 'llms_hide_notices_nonce', 'GET' ) ) {
+			if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_llms_notice_nonce'] ) ), 'llms_hide_notices_nonce' ) ) {
 				wp_die( esc_html__( 'Action failed. Please refresh the page and retry.', 'lifterlms' ) );
 			}
 			if ( ! current_user_can( 'manage_options' ) ) {