ClassicPress / classic-commerce

A simple but powerful e-commerce platform built for ClassicPress. Forked from WooCommerce and compatible with many Woo extensions.
https://classiccommerce.cc/
GNU General Public License v3.0

Check security fixes applied to WC since 3.5.3 #341

Open ghost opened 2 years ago

ghost commented 2 years ago

@bahiirwa recently shared with me a link to the full changelog history for WC, with a view to going through to see if there is anything added in later versions that we may need to consider including or fixing in CC.

As a first step, I have pulled out any line with the word "security". I am posting here to raise discussion about any security changes we feel may need to be addressed in CC. I have numbered the lines for easy reference.

ALREADY FIXED IN VERSION 1.0.4 Fix - Patched security vulnerability. https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/

Others:

  1. 5.2.0 (2021-04-13) * Enhancement - Make sure downloadable file paths are properly recognized for strengthened security. #28699 https://github.com/woocommerce/woocommerce/pull/28699
  2. 4.2.1 (2020-06-22) * ~Security - Escape HTML in SelectWoo.~
  3. 4.1.0 (2020-05-05) * Security - Fixed unescaped meta data while duplicating products. Reported by Slavco.
  4. 3.9.2 (2020-02-13) * Security - Show a notice when a logged-in customer pays for a guest order.
  5. 3.9.2 (2020-02-13) * Security - Disallow links in coupon error messages.
  6. 3.7.1 (2019-10-09) ~* Security - Add an exit after the redirect when checking author archive capabilities for customers.~
  7. 3.7.1 (2019-10-09) ~* Security - Ensure 404 pages with single product urls cannot be exploited using Open Redirect.~
  8. 3.6.5 (2019-07-02) ~* Security - Introduce file type check for tax rate importer.~
  9. 3.6.5 (2019-07-02) ~* Security - Added nonce check to CSV importer actions.~
  10. 3.6.2 (2019-04-24) ~* Fix - Fix security check on email template preview page. #23356~
  11. 3.5.8 (2019-04-16) ~* Security - Added escaping for states on the user profile screen.~
  12. 3.5.8 (2019-04-16) ~* Security - Added escaping for SelectWoo selected options.~
  13. 3.5.7 (2019-03-19) ~* Security - Improved the way in which state fields are regenerated by JavaScript to ensure values are properly escaped.~
  14. 3.5.5 (2019-02-20) * Security - ~Improved escaping for Photoswipe captions.~
  15. 3.5.5 (2019-02-20) * Security - ~Improved escaping for JSON attributes and structured data.~

ghost commented 2 years ago

Most of these have already been incorporated. @timbocode added a lot of them in May 2020.

ClassyBot commented 2 years ago

This issue has been mentioned on ClassicPress Forums. There might be relevant details there:

https://forums.classicpress.net/t/currently-active-projects/3630/1