From 11b043ada8d89c1b7d09128c1c9e733f3939b65f Mon Sep 17 00:00:00 2001
From: Nguyen Huu Minh
Date: Sat, 10 Aug 2024 16:24:12 +0700
Subject: [PATCH] Ted sync code with version 242 from wordpress
---
 lib/admin/controllers/gallery/edit.php | 24 ++++++++++++++++++++++++
 lib/admin/menu.php | 17 +++++++++++++++++
 readme.txt | 6 +++++-
 vimeography.php | 2 +-
 4 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/lib/admin/controllers/gallery/edit.php b/lib/admin/controllers/gallery/edit.php
index 7c12526f..363bec65 100644
--- a/lib/admin/controllers/gallery/edit.php
+++ b/lib/admin/controllers/gallery/edit.php
@@ -170,6 +170,7 @@ private static function _set_active_theme($theme_name)
 */
 public function vimeography_refresh_gallery_cache()
 {
+ $this->nonceSecurityCheck("nonce_refresh_gallery_cache");
 if ($this->_cache->exists()) {
 $this->_cache->delete();
 }
@@ -180,6 +181,27 @@ public function vimeography_refresh_gallery_cache()
 'message' => __('Your videos have been refreshed.', 'vimeography')
 );
 }
+
+ /**
+ * nonceSecurityCheck
+ * Check nonce value in the session.
+ *
+ * @param mixed $nonceKey
+ * @return void
+ */
+ private function nonceSecurityCheck($nonceKey){
+ // Vérifier que le nonce existe dans la session
+ if (!isset($_SESSION[$nonceKey])) {
+ wp_die(__('Security check failed.', 'vimeography'));
+ }
+
+ // Vérifier le nonce avec wp_verify_nonce pour plus de sécurité
+ if (!wp_verify_nonce($_SESSION[$nonceKey], $nonceKey)) {
+ wp_die(__('Security check failed.', 'vimeography'));
+ }
+
+ unset($_SESSION[$nonceKey]);
+ }
 
 /**
 * Removes the custom CSS file associated with
@@ -189,6 +211,7 @@ public function vimeography_refresh_gallery_cache()
 */
 public function vimeography_refresh_gallery_appearance()
 {
+ $this->nonceSecurityCheck("nonce_refresh_gallery_appearance");
 if (
 file_exists(
 VIMEOGRAPHY_CUSTOMIZATIONS_PATH .
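Review bot: The session nonce that `$this->nonceSecurityCheck("nonce_refresh_gallery_cache")` verifies is minted inside the same request, by `setActionNonce()` in `vimeography_process_actions()` (menu.php hunk) immediately before `do_action()` dispatches to this handler, so any request whose `vimeography-action` value reaches this method, a cross-site forged one included, passes; the token never round-trips through the browser, which is the property a CSRF nonce has to establish. The same applies to the hunks at +211 (`vimeography_refresh_gallery_appearance`) and +254 (`vimeography_set_gallery_theme`) and to the `setActionNonce` hunk in menu.php. The pattern already present in `vimeography_set_gallery_theme` is the correct one: emit the nonce when the form or link is rendered (`wp_nonce_field()` / `wp_nonce_url()`) and verify it from the request, e.g. `check_admin_referer('vimeography_refresh_gallery_cache');` as this method's first statement, alongside a `current_user_can()` check for the capability the admin page requires; with that in place `nonceSecurityCheck()` and the `$_SESSION` storage are not needed. The body of `vimeography_refresh_gallery_cache` continues past the hunk.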
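Review bot: The new `nonceSecurityCheck()` is documented with `@param mixed $nonceKey` on an untyped parameter although every caller in this patch passes a string literal; declare it `private function nonceSecurityCheck(string $nonceKey): void` and drop the `@param mixed` / `@return void` lines, which restate nothing the signature cannot say. Its inline comments are in French while the rest of this file comments in English (`// if this fails, check_admin_referer() ...` a few lines below); `// Refuse the request unless a nonce for this action is in the session` and `// Verify the stored value with wp_verify_nonce before accepting it` would match. It also depends on `$_SESSION` being a live session, which nothing in the patch sets up with `session_start()` and which WordPress core does not start on its own, so whether the stored value outlives the current request depends on code outside this diff.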
@@ -231,6 +254,7 @@ public function gallery()
 */
 public function vimeography_set_gallery_theme($input)
 {
+ $this->nonceSecurityCheck("nonce_set_gallery_theme");
 // if this fails, check_admin_referer() will automatically print a "failed" page and die.
 if (
 check_admin_referer(
diff --git a/lib/admin/menu.php b/lib/admin/menu.php
index c4d9931f..585dbe84 100644
--- a/lib/admin/menu.php
+++ b/lib/admin/menu.php
@@ -266,14 +266,31 @@ public function vimeography_render_template()
 */
 public static function vimeography_process_actions()
 {
+
 if (isset($_POST['vimeography-action'])) {
+ self::setActionNonce($_POST['vimeography-action']);
 do_action('vimeography_action_' . $_POST['vimeography-action'], $_POST);
 }
 if (isset($_GET['vimeography-action'])) {
+ self::setActionNonce($_GET['vimeography-action']);
 do_action('vimeography_action_' . $_GET['vimeography-action'], $_GET);
 }
 }
+
+ /**
+ * setActionNonce create and save nonce in the session
+ *
+ * @param mixed $key
+ * @return void
+ */
+ private static function setActionNonce($key){
+ $key = "nonce_$key";
+ // Générer le nonce
+ $nonce = wp_create_nonce($key);
+ // Stocker le nonce dans la session
+ $_SESSION[$key] = $nonce;
+ }
 
 /**
 * Sets the galleries per page in the screen options on the gallery list page.
diff --git a/readme.txt b/readme.txt
index aa6242f4..a49cc9c7 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: iamdavekiss, videogallery
 Tags: video gallery, gallery, video, vimeo, vimeo gallery
 Requires at least: 4.7
 Tested up to: 6.4
-Stable tag: 2.4.1
+Stable tag: 2.4.2
 License: GPL-3.0
 
 The easiest way to create beautiful Vimeo video galleries on your WordPress site.
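Review bot: The added `$this->nonceSecurityCheck("nonce_set_gallery_theme");` is redundant here: this method already verifies a request-borne nonce via the `check_admin_referer(` call directly below, and because `nonceSecurityCheck()` ends in `wp_die()` on failure it would pre-empt that existing, stronger check with one bound to a value created server-side in the same request. Dropping the added line keeps the handler on the established `check_admin_referer()` path. The `if ( check_admin_referer(` condition and the rest of `vimeography_set_gallery_theme` continue outside the hunk.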
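Review bot: `setActionNonce()` receives the raw `vimeography-action` request value, then reassigns `$key` to a differently-shaped string and documents it as `@param mixed $key`; type it `private static function setActionNonce(string $key): void` and keep the parameter's meaning with a second local, `$sessionKey = "nonce_$key";`, `$nonce = wp_create_nonce($sessionKey);`, `$_SESSION[$sessionKey] = $nonce;`. The comments are in French whereas the surrounding file is commented in English; `// Mint a nonce for this action` and `// Keep it in the session for the handler to verify` would match. Nothing in the patch calls `session_start()`, so `$_SESSION` being available is assumed rather than established; if no session is active the write only lives for this request. The surrounding class continues outside the hunk.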
@@ -139,6 +139,10 @@ Vimeography will load your template for the defined module instead of the defaul
 == Changelog ==
+= 2.4.2
+* [Fix] Vulnerability issue: Fix vulnerability to Cross Site Request Forgery (CSRF).
+* [Update] Adding Nonce Verification in vimeography_action_ Hooks
+
 = 2.4.1
 * [Fix] Vulnerability issue: Fix the vulnerability in lodash.
 * [Update] Installation of Patched versions version ^4.17.21 and regeneration of directories located in vimeography-harvestone/.
diff --git a/vimeography.php b/vimeography.php
index 040b5741..dae96422 100644
--- a/vimeography.php
+++ b/vimeography.php
@@ -3,7 +3,7 @@ Plugin Name: Vimeography
 Plugin URI: https://vimeography.com
 Description: Vimeography is the easiest way to set up a custom Vimeo gallery on your site.
-Version: 2.4.1
+Version: 2.4.2
 Requires PHP: 5.3
 Author: Dave Kiss
 Author URI: https://davekiss.com