
Check security fixes applied to WC since 3.5.3 #341

Open
ghost opened this issue Sep 25, 2021 · 2 comments
Labels: help wanted (Extra attention is needed), question (Further information is requested)

Comments


ghost commented Sep 25, 2021

@bahiirwa recently shared with me a link to the full changelog history for WC, with a view to going through to see if there is anything added in later versions that we may need to consider including or fixing in CC.

As a first step I have pulled out any line with the word "security". I am posting here to raise discussion about any security changes we feel may need to be addressed in CC. I have numbered the lines for easy reference.

ALREADY FIXED IN VERSION 1.0.4
Fix - Patched security vulnerability. https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/

Others:

  1. 5.2.0 (2021-04-13) * Enhancement - Make sure downloadable file paths are properly recognized for strengthened security. #28699 Prevent local relative downloadable products to be treated as "absolute" woocommerce/woocommerce#28699
  2. 4.2.1 (2020-06-22) * Security - Escape HTML in SelectWoo.
  3. 4.1.0 (2020-05-05) * Security - Fixed unescaped meta data while duplicating products. Reported by Slavco.
  4. 3.9.2 (2020-02-13) * Security - Show a notice when a logged-in customer pays for a guest order.
  5. 3.9.2 (2020-02-13) * Security - Disallow links in coupon error messages.
  6. 3.7.1 (2019-10-09) * Security - Add an exit after the redirect when checking author archive capabilities for customers.
  7. 3.7.1 (2019-10-09) * Security - Ensure 404 pages with single product urls cannot be exploited using Open Redirect.
  8. 3.6.5 (2019-07-02) * Security - Introduce file type check for tax rate importer.
  9. 3.6.5 (2019-07-02) * Security - Added nonce check to CSV importer actions.
  10. 3.6.2 (2019-04-24) * Fix - Fix security check on email template preview page. #23356
  11. 3.5.8 (2019-04-16) * Security - Added escaping for states on the user profile screen.
  12. 3.5.8 (2019-04-16) * Security - Added escaping for SelectWoo selected options.
  13. 3.5.7 (2019-03-19) * Security - Improved the way in which state fields are regenerated by JavaScript to ensure values are properly escaped.
  14. 3.5.5 (2019-02-20) * Security - Improved escaping for Photoswipe captions.
  15. 3.5.5 (2019-02-20) * Security - Improved escaping for JSON attributes and structured data.
@ghost ghost added help wanted Extra attention is needed question Further information is requested labels Sep 25, 2021
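The changelog lines above only name the categories of fix (nonce checks on importer actions, a file type check before parsing an upload, an `exit` after a redirect, open-redirect prevention, output escaping). The following is an added illustration of what each of those checks looks like when written against the WordPress plugin API; it is not WooCommerce or ClassicCommerce code, and the `cc_example_` function, action and text-domain names, the `manage_options` capability and the customer test via `edit_posts` are assumptions made for the example.

```php
<?php
// Added illustration (not WooCommerce/ClassicCommerce code) of the kinds of
// checks listed in items 2, 3, 6, 7, 8, 9, 11 and 12 above. Names prefixed
// "cc_example_" are hypothetical.

// Items 8 and 9: nonce check on an importer action, then a file type check
// before the upload is read. check_admin_referer() calls wp_die() unless the
// request carries a valid nonce for this action name.
function cc_example_handle_tax_rate_import() {
    // Capability check first; 'manage_options' is used here as an assumption.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cc-example' ) );
    }
    check_admin_referer( 'cc_example_import_tax_rates', '_wpnonce' );

    $file = isset( $_FILES['import'] ) ? $_FILES['import'] : null;
    if ( ! $file || empty( $file['tmp_name'] ) ) {
        wp_die( esc_html__( 'No file uploaded.', 'cc-example' ) );
    }

    // Restrict the allowed types to CSV only, rather than the site-wide
    // upload whitelist, so a .php or .html upload is refused before parsing.
    $filetype = wp_check_filetype( $file['name'], array( 'csv' => 'text/csv' ) );
    if ( 'csv' !== $filetype['ext'] ) {
        wp_die( esc_html__( 'Only CSV files may be imported.', 'cc-example' ) );
    }

    // ... parse $file['tmp_name'] here ...
}
add_action( 'admin_post_cc_example_import_tax_rates', 'cc_example_handle_tax_rate_import' );

// The form that triggers the action must carry the matching nonce field.
function cc_example_render_import_form() {
    echo '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cc_example_import_tax_rates">';
    wp_nonce_field( 'cc_example_import_tax_rates', '_wpnonce' );
    echo '<input type="file" name="import" accept=".csv"><button type="submit">Import</button>';
    echo '</form>';
}

// Items 6 and 7: redirects. wp_safe_redirect() only follows destinations on
// hosts allowed by the 'allowed_redirect_hosts' filter (the site's own host by
// default), so a user-controlled URL cannot turn this into an open redirect.
// The exit is the point of item 6: without it the rest of the template still
// renders, and the capability check protects nothing.
function cc_example_redirect_customers_from_author_archive() {
    // "Customer" is approximated here as "cannot edit posts" (assumption).
    if ( is_author() && ! current_user_can( 'edit_posts' ) ) {
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
}
add_action( 'template_redirect', 'cc_example_redirect_customers_from_author_archive' );

// When a redirect target comes from the request, validate it explicitly and
// fall back to a known-safe location rather than trusting the input.
function cc_example_validated_target( $requested ) {
    return wp_validate_redirect( $requested, home_url( '/' ) );
}

// Items 2, 3, 11 and 12: output escaping. Attribute and text contexts need
// different escapers, and data handed to JavaScript goes through
// wp_json_encode() instead of string concatenation.
function cc_example_render_state_option( $code, $label, $selected ) {
    printf(
        '<option value="%s"%s>%s</option>',
        esc_attr( $code ),
        selected( $selected, $code, false ),
        esc_html( $label )
    );
}

function cc_example_states_for_js( array $states ) {
    // Safe to place inside a <script> block via wp_add_inline_script().
    return 'var ccExampleStates = ' . wp_json_encode( $states ) . ';';
}
```

The pattern to check for when auditing CC against each listed item is the same one these functions show: a capability check and a nonce check on every state-changing admin action, a type restriction on every upload before it is parsed, `exit` immediately after every redirect, `wp_safe_redirect()`/`wp_validate_redirect()` wherever the destination is influenced by the request, and a context-appropriate escaper on every value that reaches HTML or JavaScript.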

ghost commented Sep 26, 2021

Most of these have already been incorporated. @timbocode added in a lot of them in May 2020.

@ClassyBot

This issue has been mentioned on ClassicPress Forums. There might be relevant details there:

https://forums.classicpress.net/t/currently-active-projects/3630/1
