CVE-2023-2027: ALRSocialFacebook.php in zm-ajax-login-register/trunk/src/ALRSocial – WordPress Plugin Repository

1<?php23// Exit if accessed directly4if ( ! defined( ‘ABSPATH’ ) ) exit;567Class ALRSocialFacebook {89 /**10 * The prefix used for meta keys, CSS classes, html IDs, etc.11 *12 * @since 2.0.013 */14 public $prefix;151617 /**18 * An object containing additional helper functions19 *20 * @since 2.0.021 */22 public $_zm_alr_helpers;232425 /**26 * Adding of all hooks27 *28 * @since 2.0.029 *30 * @param31 * @return32 */33 public function __construct( ZM_Dependency_Container $di ){3435 $this->prefix = 'zm_alr_social_facebook’;36 $this->_zm_alr_helpers = $di->get_instance( 'helpers’, 'ALRHelpers’, null );3738 add_action( 'wp_ajax_facebook_login’, array( &$this, ‘facebook_login’ ) );39 add_action( 'wp_ajax_nopriv_facebook_login’, array( &$this, ‘facebook_login’) );40 add_action( 'wp_head’, array( &$this, ‘head’ ) );4142 add_filter( 'get_avatar’, array( &$this, ‘load_fb_avatar’ ) , 1, 5 );43 add_filter( 'zm_alr_login_above_fields’, array( &$this, ‘aboveLoginFields’ ) );44 add_filter( 'zm_alr_register_above_fields’, array( &$this, ‘aboveLoginFields’ ) );45 add_filter( 'zm_alr_social_settings_fields_tab’, array( &$this, ‘settings’ ) );4647 }484950 /**51 * Maps our FB response fields to the correct user fields as found in wp_update_user. Then52 * calls setUpNewFacebookUser, and passes the correct response via JSON to JS.53 *54 * @since 2.0.055 *56 * @return JSON A JSON object57 */58 public function facebook_login(){5960 check_ajax_referer( 'facebook-nonce’, ‘security’ );6162 $user = array(63 ‘username’ => $_POST[‘fb_response’][‘id’],64 ‘user_login’ => $_POST[‘fb_response’][‘id’],65 ‘first_name’ => $_POST[‘fb_response’][‘first_name’],66 ‘last_name’ => $_POST[‘fb_response’][‘last_name’],67 ‘email’ => $_POST[‘fb_response’][‘email’],68 ‘user_url’ => $_POST[‘fb_response’][‘link’],69 ‘fb_id’ => $_POST[‘fb_response’][‘id’]70 );7172 if ( empty( $user[‘username’] ) ){7374 $status = $this->_zm_alr_helpers->status(‘invalid_username’);75 $user_id = false;7677 } else {7879 $user_obj = get_user_by( ‘login’, $user[‘user_login’] );8081 if ( $user_obj == false ){8283 $user_obj = $this->setupNewFacebookUser( $user );8485 }8687 // A WP user account already exists that is NOT associated with a FB account88 if ( $user_obj == ‘existing_user_email’ ){8990 $status = $this->_zm_alr_helpers->status(‘username_exists’);9192 } elseif ( $user_obj ){9394 $user_id = $user_obj->ID;95 wp_set_auth_cookie( $user_id, true );96 $status = $this->_zm_alr_helpers->status(‘success_login’);9798 } else {99100 $status = $this->_zm_alr_helpers->status(‘invalid_username’);101102 }103 }104105 $status = array_merge( $status, $this->registerRedirect( $user[‘user_login’] ) );106107 wp_send_json( $status );108109 }110111112 /**113 * Setup a new Facebook User114 *115 * @since 1.0.9116 * @param $user (array) Containing the values as seen117 * in: http://codex.wordpress.org/Function_Reference/wp_insert_user118 * @return $user_obj (object) The user_obj as seen119 * in: http://codex.wordpress.org/Function_Reference/get_user_by120 */121 public function setupNewFacebookUser( $user=array() ){122123 $user_id = $this->_zm_alr_helpers->createUser( array_merge( $user, array(124 ‘user_pass’ => wp_generate_password()125 ) ), $this->prefix );126127128 if ( is_wp_error( $user_id ) ){129130 $user_obj = $user_id->get_error_code();131132 } else {133134 $user_obj = get_user_by( ‘id’, $user_id );135136 }137138 return $user_obj;139140 }141142143 /**144 * Replaces the default gravatar with the Facebook profile picture.145 *146 * @param string $avatar The default avatar147 * @param int $id_or_email The user id148 * @param int $size The size of the avatar149 * @param string $default The URL of the WordPress default avatar150 * @param string $alt Alternate text for the avatar.151 *152 * @return string $avatar The modified avatar153 */154 public function load_fb_avatar( $avatar, $id_or_email, $size, $default, $alt ) {155156 global $zm_alr_settings;157158 if ( empty( $zm_alr_settings[ $this->prefix . ‘_use_avatar’ ] )159 && $zm_alr_settings[ $this->prefix . ‘_use_avatar’ ] != 1 ){160161 return $avatar;162163 }164165 $user = false;166167 if ( is_numeric( $id_or_email ) ) {168169 $id = (int) $id_or_email;170 $user = get_user_by( ‘id’ , $id );171172 } elseif ( is_object( $id_or_email ) ) {173174 if ( ! empty( $id_or_email->user_id ) ) {175 $id = (int) $id_or_email->user_id;176 $user = get_user_by( ‘id’ , $id );177 }178179 } else {180 $user = get_user_by( ‘email’, $id_or_email );181 }182 if ( $user && is_object( $user ) ) {183 $user_id = $user->data->ID;184185 // We can use username as ID but checking the usermeta we are sure this is a facebook user186 if( $fb_id = get_user_meta( $user_id, ‘fb_id’, true ) ) {187 $fb_url = ‘https://graph.facebook.com/’ . $fb_id . ‘/picture?width=’. $size . ‘&height=’ . $size;188 $avatar = "<img alt=’facebook-profile-picture’ src=’{$fb_url}’ class=’avatar avatar-{$size} photo’ height=’{$size}’ width=’{$size}’ />";189190 }191192 }193 return $avatar;194195 }196197198 /**199 * Determine if the Facebook login setting is set.200 *201 * @since 2.0.0202 *203 * @return BOOL204 */205 public function isEnabled(){206207 global $zm_alr_settings;208209 if ( $zm_alr_settings[ $this->prefix . ‘_enabled’ ] == ‘off’ ){210 $enabled = false;211 } else {212 $enabled = true;213 }214215 return $enabled;216217 }218219220 /**221 * Filters the fields above the Login form and displays the FB button.222 *223 * @since 2.0.0224 *225 * @return The FB button226 */227 public function aboveLoginFields( $above_html ){228229 if ( ! $this->isEnabled() )230 return $above_html;231232 $container_classes = implode( " “, array(233 'fb-login-container’,234 ZM_ALR_NAMESPACE . '_login_container’,235 $this->prefix . '_login_container’236 ) );237238 global $zm_alr_settings;239240 if ( is_int( $zm_alr_settings[ $this->prefix . ‘_login_button’ ] ) ){241 $logo_class = null;242 $text = ‘<img src="’ . wp_get_attachment_url( $zm_alr_settings[ $this->prefix . ‘_login_button’ ] ) . '” />’;243 } else {244 $logo_class = 'fb-login-logo’;245 $text = __( 'Log in using Facebook’, ZM_ALR_TEXT_DOMAIN );246 }247248 $above_html .= sprintf( '<div class="%s"><a href="#" class="fb-login %s" data-zm_alr_facebook_security="%s">%s</a></div>’,249 $container_classes,250 $logo_class,251 wp_create_nonce( ‘facebook-nonce’ ),252 $text253 );254255 return $above_html;256257 }258259260 /**261 * Filters the default settings, adding the additional settings below.262 *263 * @since 2.0.0264 *265 * @param $current_settings The current global settings266 *267 * @return $settings The current global settings with the additional FB settings268 */269 public function settings( $current_settings ){270271 // Facebook272 $settings = array(273 array(274 ‘title’ => __( 'Facebook Settings’, ZM_ALR_TEXT_DOMAIN ),275 ‘type’ => 'header’276 ),277 array(278 ‘id’ => $this->prefix . '_enabled’,279 ‘type’ => 'checkbox’,280 ‘title’ => __( 'Enable’, ZM_ALR_TEXT_DOMAIN ),281 ‘std’ => 'off’,282 ‘desc’ => __( 'By enabling this setting visitors will be able to login with Facebook.’, ZM_ALR_TEXT_DOMAIN )283 ),284 array(285 ‘id’ => $this->prefix . '_login_button’,286 ‘type’ => 'upload’,287 ‘title’ => __( 'Login Button’, ZM_ALR_TEXT_DOMAIN ),288 ‘std’ => ZM_ALR_URL . 'assets/images/facebook-screen-grab.png’,289 ‘desc’ => __( 'Upload a custom image to be displayed as the Facebook login button.’, ZM_ALR_TEXT_DOMAIN )290 ),291 array(292 ‘id’ => $this->prefix . '_app_id’,293 ‘type’ => 'fancyText’,294 ‘title’ => __( 'App ID’, ZM_ALR_TEXT_DOMAIN ),295 ‘desc’ => __( 'This is the App ID as seen in your <a href="https://developers.facebook.com/">Facebook Developer</a> App Dashboard. For detailed instructions visit the <a href="http://zanematthew.com/ajax-login-register-help-videos/" target="_blank">How To add Facebook Settings to AJAX Login & Register</a>.’, ZM_ALR_TEXT_DOMAIN )296297 ),298 array(299 ‘id’ => $this->prefix . '_use_avatar’,300 ‘type’ => 'checkbox’,301 ‘std’ => 'off’,302 ‘title’ => __( 'Use Facebook Avatar’, ZM_ALR_TEXT_DOMAIN ),303 ‘desc’ => __( 'Checking this box will make Facebook profile picture show as avatar when possible ', ZM_ALR_TEXT_DOMAIN )304 )305 );306307308 $current_settings = array_merge( $current_settings, $settings );309310 return $current_settings;311312 }313314315316 /**317 * Adds our meta and FB script to the HTML head via wp_head318 *319 * @since 2.0.0320 *321 * @return Adds the needed meta fields for FB.322 */323 public function head(){324325 if ( ! $this->isEnabled() )326 return;327328 global $zm_alr_settings;329330 $app_id = esc_attr( $zm_alr_settings[ $this->prefix . ‘_app_id’ ] );331332 ?>333334 <!-- Start: <?php echo ZM_ALR_NAMESPACE; ?> Facebook meta property -->335 <meta property="fb:<?php echo $app_id; ?>" content="<?php echo $app_id; ?>"/>336 <!-- End: <?php echo ZM_ALR_NAMESPACE; ?> Facebook meta property -->337338 <!-- Start: <?php echo ZM_ALR_NAMESPACE; ?> Facebook script -->339 <script type="text/javascript">340 window.fbAsyncInit = function() {341 FB.init({342 appId : "<?php echo $app_id; ?>", // App ID343 cookie : true, // enable cookies to allow the server to access the session344 xfbml : true, // parse XFBML345 version : ‘v2.3’ // use version 2.3346 });347 };348 // Load the SDK asynchronously349 // This is updated as the old version went to all.js350 (function(d, s, id) {351 var js, fjs = d.getElementsByTagName(s)[0];352 if (d.getElementById(id)) return;353 js = d.createElement(s); js.id = id;354 js.src = "//connect.facebook.net/<?php echo get_locale(); ?>/sdk.js";355 fjs.parentNode.insertBefore(js, fjs);356 }(document, 'script’, ‘facebook-jssdk’));357 </script>358 <!-- End: <?php echo ZM_ALR_NAMESPACE; ?> Facebook script -->359360 <?php }361362363 public function registerRedirect( $user_login=null, $status=null ){364 // Since this is handled via an AJAX request $wp->request is always empty365 // @todo Submit to core366 // global $wp;367 // $tmp = trailingslashit( add_query_arg( '’, '’, site_url( $wp->request ) ) );368 $current_url = empty( $_SERVER[‘HTTP_REFERER’] ) ? site_url( $_SERVER[‘REQUEST_URI’] ) : $_SERVER[‘HTTP_REFERER’];369 $redirect[‘redirect_url’] = apply_filters( $this->prefix . '_redirect_url’, $current_url, $user_login, $status );370371 return $redirect;372 }373374}