Changeset 2876110

Timestamp:
03/07/2023 07:50:50 PM (17 months ago)
Author:
cfinke
Message:

Don't use the API key as a URL parameter for the stats iframes.

Instead, exchange the API key on the server-side for a token that is only valid for stats requests. This prevents any disclosure of API keys to users who have access to the stats pages but shouldn't have knowledge of the API key.

This is likely a very uncommon scenario but still worth addressing.

Location:
akismet/trunk
Files:
5 edited

  • akismet/trunk/akismet.php

    r2869672 r2876110  
    77Plugin URI: https://akismet.com/
    88Description: Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from spam</strong>. It keeps your site protected even while you sleep. To get started: activate the Akismet plugin and then go to your Akismet Settings page to set up your API key.
    9 Version: 5.1a1
     9Version: 5.1a
    1010Requires at least: 5.0
    1111Requires PHP: 5.2
     
    4040}
    4141
    42 define( 'AKISMET_VERSION', '5.1a1' );
     42define( 'AKISMET_VERSION', '5.1a' );
    4343define( 'AKISMET__MINIMUM_WP_VERSION', '5.0' );
    4444define( 'AKISMET__PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
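Review bot: The version bump from '5.1a1' to '5.1a' in both the plugin header (line 9) and the AKISMET_VERSION constant (line 42) is not mentioned in the commit message, and PHP's version_compare() orders '5.1a1' above '5.1a', so an install already on 5.1a1 would treat this build as older, not newer. If the intent is a new pre-release, use a string that sorts after 5.1a1 (for example '5.1a2') and mention the bump in the message.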
  • akismet/trunk/class.akismet.php

    r2869672 r2876110  
    8585    public static function get_api_key() {
    8686        return apply_filters( 'akismet_get_api_key', defined('WPCOM_API_KEY') ? constant('WPCOM_API_KEY') : get_option('wordpress_api_key') );
     87
     88
     89
     90
     91
     92
     93
     94
     95
     96
     97
     98
     99
     100
     101
     102
     103
    87104    }
    88105
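Review bot: The seventeen added lines (87-103) render as empty in this view, so the server-side exchange of the API key for a stats-only token that the commit message describes cannot be reviewed here; please confirm the added code lands inside or next to get_api_key() as intended. When re-checking it, make sure the token exchange does not fall back to passing the raw API key if the remote request fails, that the obtained token is cached for its validity window rather than fetched on every page load, and that the new helper is documented with a docblock like the surrounding methods.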
  • akismet/trunk/readme.txt

    r2869672 r2876110  
    3636* Removed unnecessary limit notices from admin page.
    3737* Improved spam detection by including post taxonomies in the comment-check call.
     38
    3839
    3940= 5.0.2 =
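Review bot: The added changelog line 38 is blank in this view, but the change is user-visible from a security standpoint (the API key no longer appears in the stats iframe URLs), so the 5.1 changelog should carry an explicit entry such as "* Stopped passing the API key as a URL parameter to the stats iframes; a short-lived stats token is used instead."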
  • akismet/trunk/views/config.php

    r2803607 r2876110  
    3838
    3939                <div class="akismet-new-snapshot">
    40                     <iframe allowtransparency="true" scrolling="no" frameborder="0" style="width: 100%; height: 220px; overflow: hidden;" src="<?php echo esc_url( sprintf( 'https://tools.akismet.com/1.0/snapshot.php?blog=%s&api_key=%s&height=200&locale=%s', urlencode( get_option( 'home' ) ), Akismet::get_api_key(), get_locale() ) ); ?>"></iframe>
     40                    <iframe allowtransparency="true" scrolling="no" frameborder="0" style="width: 100%; height: 220px; overflow: hidden;" src="<?php echo esc_url( sprintf( 'https://tools.akismet.com/1.0/snapshot.php?blog=%s&), get_locale() ) ); ?>"></iframe>
    4141                    <ul>
    4242                        <li>
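Review bot: In the removed line 40 the value of Akismet::get_api_key() was interpolated into the sprintf() format without urlencode(), unlike the blog parameter next to it; the replacement line 40 is cut off in this view, so please confirm that the stats token is passed through urlencode() (or that the URL is built with add_query_arg()) before esc_url(), so that any non-URL-safe characters in the token cannot alter the query string.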
  • akismet/trunk/views/stats.php

    r2709917 r2876110  
    88        </div>
    99    </div>
    10     <iframe src="<?php echo esc_url( sprintf( 'https://tools.akismet.com/1.0/user-stats.php?blog=%s&api_key=%s&locale=%s', urlencode( get_option( 'home' ) ), esc_attr( Akismet::get_api_key() ), esc_attr( get_locale() ) ) ); ?>" width="100%" height="2500px" frameborder="0"></iframe>
     10    <iframe src="<?php echo esc_url( sprintf( 'https://tools.akismet.com/1.0/user-stats.php?blog=%s&() ), esc_attr( get_locale() ) ) ); ?>" width="100%" height="2500px" frameborder="0"></iframe>
    1111</div>
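Review bot: The removed line 10 wrapped the api_key and locale values in esc_attr(), which is an HTML-attribute escaper, not a URL query encoder; the replacement line 10 is truncated in this view, so please check that the new token parameter is encoded with urlencode() consistently with the blog parameter (and with the same treatment in views/config.php), and that the rendered src URL is still passed through esc_url() for the attribute context.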