CVE-2022-1187: admin.php in wp-youtube-live/trunk/inc – WordPress Plugin Repository

The WP YouTube Live plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via POST data handled in the ~/inc/admin.php file, which allows unauthenticated attackers to inject arbitrary web scripts, in versions up to, and including, 1.7.21. Because the injection point is POST data, the attacker cannot deliver it with a plain link: the victim has to be induced to submit a cross-site form (or an equivalent forged request) to the vulnerable endpoint, and the injected script then runs in the victim's browser with that user's session.

The listing below is the copy of inc/admin.php from the plugin repository's trunk (as the headline says), so it does not necessarily match the vulnerable 1.7.21 release. When assessing a site, compare it against the tagged version that is actually installed.


<?php

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

require 'EmbedYoutubeLiveStreaming.php';

/**
 * Enqueue backend assets
 */
function youtube_live_backend_assets() {
    wp_enqueue_script( 'wp-youtube-live-backend', plugin_dir_url( __FILE__ ) . '…/js/wp-youtube-live-backend.min.js', array( 'jquery' ), WP_YOUTUBE_LIVE_VERSION, true );
}
add_action( 'admin_enqueue_scripts', 'youtube_live_backend_assets' );

/**
 * Add settings page
 */
add_action( 'admin_menu', 'youtube_live_add_admin_menu' );
add_action( 'admin_init', 'youtube_live_settings_init' );

/**
 * Add settings page to admin menu
 */
function youtube_live_add_admin_menu() {
    add_submenu_page( 'options-general.php', 'YouTube Live', 'YouTube Live Settings', 'manage_options', 'youtube-live', 'youtube_live_options_page' );
}

/**
 * Add settings section and fields
 */
function youtube_live_settings_init() {
    register_setting( 'youtube_live_options', 'youtube_live_settings' );

    // API settings.
    add_settings_section(
        'youtube_live_options_keys_section',
        __( 'YouTube Details', 'youtube_live' ),
        'youtube_live_api_settings_section_callback',
        'youtube_live_options'
    );

    add_settings_field(
        'youtube_live_api_key',
        __( 'YouTube API Key', 'youtube_live' ),
        'youtube_live_api_key_render',
        'youtube_live_options',
        'youtube_live_options_keys_section'
    );

    add_settings_field(
        'youtube_live_channel_id',
        __( 'YouTube Channel ID', 'youtube_live' ),
        'youtube_live_channel_id_render',
        'youtube_live_options',
        'youtube_live_options_keys_section'
    );

    add_settings_field(
        'youtube_subdomain',
        __( 'YouTube Subdomain', 'youtube_live' ),
        'youtube_live_subdomain_render',
        'youtube_live_options',
        'youtube_live_options_keys_section'
    );

    add_settings_field(
        'youtube_live_player_settings',
        __( 'Default Player Settings', 'youtube_live' ),
        'youtube_live_player_settings_render',
        'youtube_live_options',
        'youtube_live_options_keys_section'
    );

    add_settings_field(
        'fallback_behavior',
        __( 'Fallback Behavior', 'youtube_live' ),
        'fallback_behavior_render',
        'youtube_live_options',
        'youtube_live_options_keys_section'
    );

    add_settings_field(
        'auto_refresh',
        __( 'Auto-Refresh', 'youtube_live' ),
        'youtube_live_auto_refresh_render',
        'youtube_live_options',
        'youtube_live_options_keys_section'
    );

    add_settings_field(
        'transient_timeout',
        __( 'Transient Timeout and Check Frequency', 'youtube_live' ),
        'youtube_live_transient_timeout_render',
        'youtube_live_options',
        'youtube_live_options_keys_section'
    );

    add_settings_field(
        'youtube_live_debugging',
        __( 'Debugging', 'youtube_live' ),
        'youtube_live_debugging_render',
        'youtube_live_options',
        'youtube_live_options_keys_section'
    );

    add_settings_field(
        'youtube_live_tools',
        __( 'Tools', 'youtube_live' ),
        'youtube_live_tools_render',
        'youtube_live_options',
        'youtube_live_options_keys_section'
    );

    add_settings_field(
        'youtube_live_terms',
        __( 'Terms of Service and Privacy Policy', 'youtube_live' ),
        'youtube_live_terms_render',
        'youtube_live_options',
        'youtube_live_options_keys_section'
    );
}

/**
 * Print API Key field
 */
function youtube_live_api_key_render() {
    $options = get_option( 'youtube_live_settings' ); ?>
    <input type="text" name="youtube_live_settings[youtube_live_api_key]" placeholder="AIzaSyD4iE2xVSpkLLOXoyqT-RuPwURN3ddScAI" size="45" value="<?php echo esc_attr( $options['youtube_live_api_key'] ); ?>">

    <p>Don’t have an API key?</p>
    <ol>
        <li>Go to the <a href="https://console.developers.google.com/apis/" target="_blank">Google APIs developers console</a> (create an account if necessary).</li>
        <li>Create a new project (if necessary).</li>
        <li>Enable the YouTube Data API v3.</li>
        <li>Go to Credentials, click the blue button, and choose “API key”.</li>
        <li>Enter referrers if you wish to limit use to your website(s) (highly recommended).</li>
        <li>Enter your API key above.</li>
    </ol>
    <p>See <a href="https://developers.google.com/youtube/registering_an_application" target="_blank">this page</a> for more information.</p>

    <?php
}

/**
 * Print Channel ID field
 */
function youtube_live_channel_id_render() {
    $options = get_option( 'youtube_live_settings' );
    ?>
    <input type="text" name="youtube_live_settings[youtube_live_channel_id]" placeholder="UcZliPwLMjeJbhOAnr1Md4gA" size="45" value="<?php echo esc_attr( $options['youtube_live_channel_id'] ); ?>">

    <p>Go to <a href="https://youtube.com/account_advanced/" target="_blank">YouTube Advanced Settings</a> to find your YouTube Channel ID.</p>
    <?php
}

/**
 * Print subdomain field
 */
function youtube_live_subdomain_render() {
    $options = get_option( 'youtube_live_settings', array( 'subdomain' => 'www' ) );
    ?>
    <label><select name="youtube_live_settings[subdomain]">
        <option value="www" <?php selected( $options['subdomain'], 'www' ); ?>>Default (www.youtube.com)</option>
        <option value="gaming" <?php selected( $options['subdomain'], 'gaming' ); ?>>Gaming (gaming.youtube.com)</option>
    </select></label>
    <?php
}

/**
 * Print player settings fields
 */
function youtube_live_player_settings_render() {
    $options = get_option( 'youtube_live_settings' );
    if ( ! array_key_exists( 'default_width', $options ) || is_null( $options['default_width'] ) ) {
        $options['default_width'] = 720;
    }
    if ( ! array_key_exists( 'default_height', $options ) || is_null( $options['default_height'] ) ) {
        $options['default_height'] = 480;
    }
    if ( ! array_key_exists( 'autoplay', $options ) ) {
        $options['autoplay'] = true;
    }
    if ( ! array_key_exists( 'show_related', $options ) ) {
        $options['show_related'] = false;
    }
    ?>
    <p>
        <label>Width: <input type="number" name="youtube_live_settings[default_width]" placeholder="720" value="<?php echo esc_attr( $options['default_width'] ); ?>">px</label><br/>
        <label>Height: <input type="number" name="youtube_live_settings[default_height]" placeholder="480" value="<?php echo esc_attr( $options['default_height'] ); ?>">px</label>
    </p>
    <p>
        Should the player auto-play when a live video is available? <label><input type="radio" name="youtube_live_settings[autoplay]" value="true" <?php checked( $options['autoplay'], 'true' ); ?>> Yes</label> <label><input type="radio" name="youtube_live_settings[autoplay]" value="false" <?php checked( $options['autoplay'], 'false' ); ?>> No</label><br/>
        <span style="font-size: 85%;">Note: if this is not working correctly for you, please read <a href="https://developers.google.com/web/updates/2017/09/autoplay-policy-changes" target="_blank">this note</a> about Google Chrome’s autoplay policies.</span>
    </p>
    <p>
        Should the player show related videos when a video finishes? <label><input type="radio" name="youtube_live_settings[show_related]" value="true" <?php checked( $options['show_related'], 'true' ); ?>> Yes</label> <label><input type="radio" name="youtube_live_settings[show_related]" value="false" <?php checked( $options['show_related'], 'false' ); ?>> No</label>
    </p>
    <?php
}

/**
 * Print fallback behavior fields
 */
function fallback_behavior_render() {
    $options = get_option( 'youtube_live_settings' );
    if ( ! array_key_exists( 'fallback_behavior', $options ) ) {
        $options['fallback_behavior'] = 'message';
    }
    if ( ! array_key_exists( 'fallback_message', $options ) ) {
        $options['fallback_message'] = '<p>Sorry, there’s no live stream at the moment. Please check back later or take a look at <a target="_blank" href="' . esc_url( 'https://youtube.com/channel/' . $options['youtube_live_channel_id'] ) . '">all of our videos</a>.</p>
<p><button type="button" class="button" id="check-again">Check again</button><span class="spinner" style="display:none;"></span></p>';
    }
    ?>
    <p>
        <label for="youtube_live_settings[fallback_behavior]">If no live videos are available, what should be displayed?</label>
        <select name="youtube_live_settings[fallback_behavior]">
            <option value="message" <?php selected( esc_attr( $options['fallback_behavior'] ), 'message' ); ?>>Show a custom HTML message (no additional quota cost)</option>
            <option value="upcoming" <?php selected( esc_attr( $options['fallback_behavior'] ), 'upcoming' ); ?>>Show scheduled live videos (adds a quota unit cost of 100)</option>
            <option value="completed" <?php selected( esc_attr( $options['fallback_behavior'] ), 'completed' ); ?>>Show last completed live video (adds a quota unit cost of 100)</option>
            <option value="channel" <?php selected( esc_attr( $options['fallback_behavior'] ), 'channel' ); ?>>Show recent videos from my channel (adds a quota unit cost of at least 3)</option>
            <option value="playlist" <?php selected( esc_attr( $options['fallback_behavior'] ), 'playlist' ); ?>>Show a specified playlist (adds a quota unit cost of at least 3)</option>
            <option value="video" <?php selected( esc_attr( $options['fallback_behavior'] ), 'video' ); ?>>Show a specified video (no additional quota cost)</option>
            <option value="no_message" <?php selected( esc_attr( $options['fallback_behavior'] ), 'no_message' ); ?>>Show nothing at all (no additional quota cost)</option>
        </select>
    </p>

    <p class="fallback message">
        <label for="youtube_live_settings[fallback_message]">Custom HTML message:</label><br/>
        <textarea cols="50" rows="8" name="youtube_live_settings[fallback_message]" placeholder="<p>Sorry, there’s no live stream at the moment. Please check back later or take a look at <a target='_blank' href='<?php echo esc_url( 'https://youtube.com/channel/' . $options['youtube_live_channel_id'] ); ?>'>all of our videos</a>.</p>
<p><button type='button' class='button' id='check-again'>Check again</button><span class='spinner' style='display:none;'></span></p>."><?php echo wp_kses_post( $options['fallback_message'] ); ?></textarea>
    </p>

    <div class="fallback upcoming">
        <p>This option will fetch all your upcoming scheduled live videos from the YouTube API and cache them for 24 hours or until the first video is scheduled to begin, whichever is soonest. If you schedule more live videos, press the button below to manually flush the server’s cache. <strong>Note:</strong> if you have no upcoming scheduled videos, the last scheduled video will be shown instead.</p>

        <?php
        $upcoming_cache = get_transient( 'youtube-live-upcoming-videos' );
        if ( false === $upcoming_cache ) {
            $upcoming_cache = json_decode( refresh_youtube_live_upcoming_cache( 'updatewpYTUpcomingCache', wp_create_nonce( 'wpYTcache_nonce' ) ) );
        }
        ?>

        <div class="wp-youtube-live-upcoming-cache"><?php echo wp_kses_post( format_upcoming_videos( $upcoming_cache ) ); ?></div>

        <p>
            <button type="button" class="button-primary" id="updatewpYTUpcomingCache" data-action="updatewpYTUpcomingCache" data-nonce="<?php echo esc_attr( wp_create_nonce( 'wpYTcache_nonce' ) ); ?>">Clear Cached Upcoming Videos</button> (costs 100 quota units each time)<span class="spinner" style="visibility: hidden;float: none;"></span>
        </p>
        <!-- TODO: add secondary fallback if no upcoming videos are scheduled -->
    </div>

    <p class="fallback playlist">
        <label for="youtube_live_settings[fallback_playlist]">Fallback Playlist URL:</label><br/>
        <input type="text" name="youtube_live_settings[fallback_playlist]" size="45" placeholder="https://www.youtube.com/watch?v=abc123…&list=PLABC123…" value="<?php echo esc_attr( $options['fallback_playlist'] ); ?>" />
    </p>

    <p class="fallback video">
        <label for="youtube_live_settings[fallback_video]">Fallback Video URL:</label><br/>
        <input type="text" name="youtube_live_settings[fallback_video]" size="45" placeholder="https://youtu.be/dQw4w9WgXcQ" value="<?php echo esc_attr( $options['fallback_video'] ); ?>" />
    </p>

    <p>For more information on quota usage, read the <a href="https://github.com/macbookandrew/wp-youtube-live#quota-units">plugin documentation</a> as well as the <a href="https://developers.google.com/youtube/v3/getting-started#quota" target="_blank">YouTube API documentation</a>.</p>
    <?php
}

/**
 * Print auto-refresh field
 */
function youtube_live_auto_refresh_render() {
    $options = get_option( 'youtube_live_settings' );
    if ( ! array_key_exists( 'auto_refresh', $options ) ) {
        $options['auto_refresh'] = false;
    }
    ?>
    Should the player page automatically check every 30 seconds until a live video is available? <label><input type="radio" name="youtube_live_settings[auto_refresh]" value="true" <?php checked( $options['auto_refresh'], 'true' ); ?>> Yes</label> <label><input type="radio" name="youtube_live_settings[auto_refresh]" value="false" <?php checked( $options['auto_refresh'], 'false' ); ?>> No</label>
    <p><strong>Warning:</strong> depending on how many users are on the page, this may overload your server with requests.</p>
    <?php
}

/**
 * Print transient timeout field
 */
function youtube_live_transient_timeout_render() {
    $options = get_option( 'youtube_live_settings' );
    if ( ! array_key_exists( 'transient_timeout', $options ) ) {
        $options['transient_timeout'] = 900;
    }
    ?>
    <p id="transient-timeout"><label><input type="number" name="youtube_live_settings[transient_timeout]" placeholder="900" value="<?php echo esc_attr( $options['transient_timeout'] ); ?>"> seconds</label></p>
    <p>YouTube enforces a daily limit on API usage. To stay within this limit, the plugin caches the YouTube response for this many seconds.</p>
    <p>A value of 900 (15 minutes) should stay pretty close to the default daily quota. If you have low or no traffic during “off hours” (when you’re not likely to be broadcasting a live event), you may want to experiment and set this lower, since the quota won’t be consumed as much during the off hours.</p>
    <p>To see your actual quota usage in real time, visit the <a href="https://console.developers.google.com/apis/api/youtube/usage">API Usage page</a>.</p>
    <p>For more information on quota usage, read the <a href="https://github.com/macbookandrew/wp-youtube-live#quota-units">plugin documentation</a> as well as the <a href="https://developers.google.com/youtube/v3/getting-started#quota" target="_blank">YouTube API documentation</a>.</p>
    <?php
}

/**
 * Print debugging field
 */
function youtube_live_debugging_render() {
    $options = get_option( 'youtube_live_settings' );
    if ( ! array_key_exists( 'debugging', $options ) ) {
        $options['debugging'] = false;
    }
    ?>
    Show debugging information in an HTML comment for logged-in users? <label><input type="radio" name="youtube_live_settings[debugging]" value="true" <?php checked( $options['debugging'], 'true' ); ?>> Yes</label> <label><input type="radio" name="youtube_live_settings[debugging]" value="false" <?php checked( $options['debugging'], 'false' ); ?>> No</label>
    <?php
}

/**
 * Print API settings field
 */
function youtube_live_api_settings_section_callback() {
    echo wp_kses_post( __( 'Enter your YouTube details below. Once you’ve entered the required details below, add the shortcode <code>[youtube_live]</code> to any post/page to display the live player.', 'youtube_live' ) );
}

/**
 * Print settings form
 */
function youtube_live_options_page() {
    ?>
    <div class="wrap">
        <form action="options.php" method="post">
            <?php
            settings_fields( 'youtube_live_options' );
            do_settings_sections( 'youtube_live_options' );
            submit_button();
            ?>
        </form>
    </div>
    <?php
}

/**
 * Manually clear upcoming video cache
 *
 * @param string $action action to perform.
 * @param string $nonce  security nonce.
 * @return string|void JSON string of upcoming videos
 */
function refresh_youtube_live_upcoming_cache( $action = null, $nonce = null ) {

    // Untrusted POST input enters here. sanitize_key() reduces each value to
    // lower-case [a-z0-9_-], so neither value can carry markup past this point.
    if ( ! $action && isset( $_POST['action'] ) ) {
        $action = sanitize_key( wp_unslash( $_POST['action'] ) );
    }

    if ( ! $nonce && isset( $_POST['nonce'] ) ) {
        $nonce = sanitize_key( wp_unslash( $_POST['nonce'] ) );
    }

    if ( ! wp_verify_nonce( $nonce, 'wpYTcache_nonce' ) ) {
        die( 'Invalid nonce.' );
    }

    $youtube_options = get_option( 'youtube_live_settings' );
    $youtube_live    = new EmbedYoutubeLiveStreaming( $youtube_options['youtube_live_channel_id'], $youtube_options['youtube_live_api_key'] );

    if ( 'updatewpytupcomingcache' === $action ) { // sanitize_key converts to lower-case.
        if ( $youtube_live->clearUpcomingVideoInfo() ) {
            $output = wp_json_encode( format_upcoming_videos( get_transient( 'youtube-live-upcoming-videos' ) ) );
            if ( $_POST ) {
                echo wp_kses_post( $output );
                die();
            } else {
                return $output;
            }
        }
    }
}
// Registered on wp_ajax_ only (no wp_ajax_nopriv_ hook), so only logged-in users reach this handler.
add_action( 'wp_ajax_updatewpYTUpcomingCache', 'refresh_youtube_live_upcoming_cache' );

/**
 * Return list of video IDs and start times
 *
 * @param array $input possibly serialized array of $id => $start_time values.
 * @return string HTML output
 */
function format_upcoming_videos( $input ) {
    if ( $input ) {
        $video_array = maybe_unserialize( $input );
    }

    global $wpdb;
    $transient_expire_time = $wpdb->get_col( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching -- no functions exist to get the transient expiration time, and caching would defeat the purpose of determining the expiration time.
        $wpdb->prepare(
            'SELECT option_value FROM ' . $wpdb->options . ' WHERE option_name = "%1$s";',
            '_transient_timeout_youtube-live-upcoming-videos'
        ),
        0
    );

    $upcoming_list = '<h3>Cache Contents</h3>
    <p>Cache valid until ' . date_i18n( get_option( 'date_format' ) . ' ' . get_option( 'time_format' ), $transient_expire_time[0] ) . '.</p>
    <ul>';
    if ( is_array( $video_array ) && count( $video_array ) > 0 ) {
        foreach ( $video_array as $id => $start_time ) {
            $upcoming_list .= '<li>Video ID <code>' . esc_attr( $id ) . '</code> starting ' . date_i18n( get_option( 'date_format' ) . ' ' . get_option( 'time_format' ), esc_attr( $start_time ) ) . '</li>';
        }
    } else {
        $upcoming_list .= '<li>Cache is currently empty. Make sure you have some videos scheduled, then press the button below to manually update the cache.</li>';
    }
    $upcoming_list .= '</ul>';

    return $upcoming_list;
}

/**
 * Render tools button.
 *
 * @return void
 */
function youtube_live_tools_render() {
    ?>
    <p><a class="btn primary" target="_blank" href="<?php echo esc_url( admin_url( 'admin-ajax.php?action=youtube_live_flush_cache' ) ); ?>">Flush Cache</a></p>
    <?php
}

/**
 * Render terms.
 *
 * @return void
 */
function youtube_live_terms_render() {
    ?>
    <p>This plugin stores your channel ID and API token in your WordPress options table, but does not store or collect any other information.</p>

    <p>Because this plugin helps you use the YouTube service, you should refer to these documents as well:</p>

    <ul>
        <li><a href="https://www.youtube.com/t/terms" target="_blank">YouTube Terms of Service</a></li>
        <li><a href="https://policies.google.com/privacy" target="_blank">Google Privacy Policy</a></li>
    </ul>

    <?php
}

/**
 * Admin notices.
 */
if ( is_admin() && get_option( 'wp-youtube-live-1714-notice-dismissed', true ) === false ) {
    add_action( 'admin_notices', 'wp_youtube_live_admin_notices_1714' );
    add_action( 'wp_ajax_wp_youtube_live_dismiss_notice_1714', 'wp_youtube_live_dismiss_notice_1714' );
}

/**
 * Add admin notice about quota and checking frequency changes.
 *
 * @since 1.7.14
 */
function wp_youtube_live_admin_notices_1714() {
    ?>
    <div class="notice notice-error wp-youtube-live-notice is-dismissible" data-version="1714">
        <h2>YouTube Live Notice</h2>
        <p>Due to YouTube Data API changes, this plugin now checks for new live videos every <strong>15 minutes</strong> rather than every 30 seconds.</p>
        <p>You can change this setting on the <a href="<?php echo esc_url( admin_url( 'options-general.php?page=youtube-live#transient-timeout' ) ); ?>">plugin settings page</a>.</p>
    </div>
    <?php
}

/**
 * Update option for WP YouTube Live 1.7.14 notes.
 *
 * @since 1.8.0
 */
function wp_youtube_live_dismiss_notice_1714() {
    update_option( 'wp-youtube-live-1714-notice-dismissed', true, false );
}
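The page does not show the 1.7.21 code path that reflected the POST data, so the following is an added, illustrative example rather than the plugin's own code: a hypothetical admin-ajax cache-flush handler written twice, once in the pattern that produces reflected XSS (attacker-controlled POST input written unescaped into the response from a handler that is also reachable without login) and once hardened with the same controls the trunk listing above relies on (a nonce, a capability check, sanitize_key() on input and escaping on output). The action names demo_refresh_unsafe and demo_refresh_safe, the nonce action demo_cache_nonce, the transient demo-upcoming-videos and the cache_key field are all made up for this example; the wp_* and esc_* calls are WordPress core functions and the file assumes it is loaded inside WordPress.

```php
<?php
/**
 * Added example (not code from the WP YouTube Live plugin): a hypothetical
 * admin-ajax handler that flushes a cache, in an unsafe and a hardened form.
 * Assumes it runs inside WordPress; all wp_*/esc_* functions are core APIs.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Pattern to avoid. A cross-site auto-submitting form that POSTs
 * cache_key=<script>... to admin-ajax.php?action=demo_refresh_unsafe gets
 * that markup echoed straight back to whoever submitted the form, and the
 * nopriv hook below means no login is needed to reach the handler.
 */
function demo_refresh_unsafe() {
    $cache_key = isset( $_POST['cache_key'] ) ? wp_unslash( $_POST['cache_key'] ) : '';
    if ( 'upcoming' !== $cache_key ) {
        // Reflected XSS sink: attacker-controlled input, no escaping, no nonce.
        die( 'Unknown cache key: ' . $cache_key );
    }
    delete_transient( 'demo-upcoming-videos' );
    die( 'Cache cleared.' );
}
add_action( 'wp_ajax_demo_refresh_unsafe', 'demo_refresh_unsafe' );
add_action( 'wp_ajax_nopriv_demo_refresh_unsafe', 'demo_refresh_unsafe' ); // reachable unauthenticated

/**
 * Hardened form of the same handler.
 */
function demo_refresh_safe() {
    // 1. Nonce: a cross-site form cannot know it, so forged POSTs stop here
    //    (check_ajax_referer() dies with -1 when the 'nonce' field is bad).
    check_ajax_referer( 'demo_cache_nonce', 'nonce' );

    // 2. Capability: only users who may manage settings can flush the cache.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Sanitize input down to the character set the value may contain:
    //    sanitize_key() leaves only lower-case [a-z0-9_-], so no markup survives.
    $cache_key = isset( $_POST['cache_key'] ) ? sanitize_key( wp_unslash( $_POST['cache_key'] ) ) : '';

    if ( 'upcoming' !== $cache_key ) {
        // 4. Escape on output anyway; sanitization and escaping are separate controls.
        wp_send_json_error( array( 'message' => 'Unknown cache key: ' . esc_html( $cache_key ) ), 400 );
    }

    delete_transient( 'demo-upcoming-videos' );
    wp_send_json_success( array( 'message' => 'Cache cleared.' ) );
}
// Logged-in users only: deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_demo_refresh_safe', 'demo_refresh_safe' );

/**
 * Settings-page button that carries the nonce the hardened handler expects.
 * The backend script is assumed to POST action, nonce and cache_key from the data-* attributes.
 */
function demo_tools_render() {
    ?>
    <p>
        <button type="button" class="button-primary" data-action="demo_refresh_safe" data-cache-key="upcoming"
            data-nonce="<?php echo esc_attr( wp_create_nonce( 'demo_cache_nonce' ) ); ?>">Clear Cached Upcoming Videos</button>
    </p>
    <?php
}
```

To check a handler like this for reflected POST XSS, POST a harmless canary such as x"><b>canary</b> in each field, without a valid nonce and without a session cookie, and look at the raw response: the unsafe handler returns the canary with its angle brackets intact, while the hardened one stops at the nonce check and never reflects the input. Note that an unauthenticated attacker's real target is a logged-in victim who submits the forged form, so test the authenticated path as well.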

Related news

CVE-2022-2716: Vulnerability Advisories - Wordfence

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Text Editor' block in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2939: Vulnerability Advisories - Wordfence

The WP Cerber Security plugin for WordPress is vulnerable to security protection bypass in versions up to, and including 9.0, that makes user enumeration possible. This is due to improper validation on the value supplied through the 'author' parameter found in the ~/cerber-load.php file. In vulnerable versions, the plugin only blocks requests if the value supplied is numeric, making it possible for attackers to supply additional non-numeric characters to bypass the protection. The non-numeric characters are stripped and the user requested is displayed. This can be used by unauthenticated attackers to gather information about users that can be targeted in further attacks.

CVE-2022-2233: Vulnerability Advisories - Wordfence

The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the pabc_admin_slides_postback() function found in the ~/admin/admin.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link.

CVE-2022-2695: Vulnerability Advisories - Wordfence

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' parameter added to images via the media uploader in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor and the ability to upload media files to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2001: Vulnerability Advisories - Wordfence

The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link.

CVE-2022-2224: Vulnerability Advisories - Wordfence

The WordPress plugin Gallery for Social Photo is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.0.0.27 due to failure to properly check for the existence of a nonce in the function gifeed_duplicate_feed. This makes it possible for unauthenticated attackers to duplicate existing posts or pages granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-1749: Vulnerability Advisories - Wordfence

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.

CVE-2022-1900: Vulnerability Advisories - Wordfence

The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-1453: Vulnerability Advisories - Wordfence

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.5.

CVE-2022-1505: Vulnerability Advisories - Wordfence

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.6.
