Merge branch 'beta'

Author: Benjamin Pick

README.md

@@ -121,6 +121,10 @@ See [Documentation](https://github.com/yellowtree/geoip-detect/wiki) for more in
 1. Lookup page (under Tools > Geolocation Lookup)
 2. Options page (under Preferences > Geolocation IP Detection)
 
+= 5.6.0 = 
+
+This update removes the deprecated shortcode [geoip_detect ...] (read the changelog for more details)
+
 = 5.5.0 =
 
 When using the default datasource "hostip.info", the region code (i.e. CA) is now correctly moved to the property `mostSpecificSubdivision` (previously, it was part of the property `city`)
@@ -131,6 +135,11 @@ If you are using AJAX mode, please read the changelog.
 
 ## Changelog ##
 
+= 5.6.0 =
+* FIX [!]: Remove deprecated shortcode [geoip_detect] (Security - CVE-2025-57993). If you are still using it, use [geoip_detect2 ...] instead, you might have to change the property name.
+* FIX: Compatibility with Wordpress 6.7 (Textdomain loading)
+* Library updates
+
 = 5.5.0 =
 * FIX [!]: In the datasource "hostip.info", the region code (i.e. CA) is now correctly moved to the property `mostSpecificSubdivision` (previously, it was part of the property `city`)
 * Library updates

SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+
+Only the most recent version of the plugin is supported.
+
+## Reporting a Vulnerability
+
+Please send vulnerabilty reports to wp-geoip-detect ät posteo.de or use the Github "Report a vulnerability" and I will respond within a week.

admin-ui.php

@@ -195,7 +195,7 @@ function geoip_detect_option_page() {
 				break;
 
 			case 'choose':
-				$sourceId = sanitize_text_field($_POST['options']['source']);
+				$sourceId = sanitize_text_field(isset($_POST['options']['source']) ? $_POST['options']['source'] : '' );
 				$registry->setCurrentSource($sourceId);
 				break;
 
@@ -219,7 +219,7 @@ function geoip_detect_option_page() {
 					if (in_array($opt_name, $numeric_options))
 						$opt_value = isset($_POST['options'][$opt_name]) ? (int) $_POST['options'][$opt_name] : 0;
 					else {
-						$opt_value = geoip_detect_sanitize_option($opt_name, @$_POST['options'][$opt_name], $m);
+						$opt_value = geoip_detect_sanitize_option($opt_name, isset($_POST['options'][$opt_name]) ? $_POST['options'][$opt_name] : '', $m);
 					}
 					if ($m) {
 						$messages[] = $m;

ajax.php

@@ -49,7 +49,7 @@ function geoip_detect_ajax_get_info_from_current_ip() {
 
 	// Referer check
 
-    $referer = _geoip_detect_get_domain_name($_SERVER['HTTP_REFERER']);
+    $referer = _geoip_detect_get_domain_name(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
     if (!$referer) {
         _geoip_detect_ajax_error('This AJAX call does not work when called directly. Do an AJAX call via JS instead.');
 	}
@@ -75,7 +75,7 @@ function geoip_detect_ajax_get_info_from_current_ip() {
 
 
 function _geoip_detect_get_domain_name($url) {
-	$result = parse_url($url);
+	$result = wp_parse_url($url);
 	return $result['host'];
 }
 

check_compatibility.php

@@ -96,11 +96,11 @@ function checkCompatible() {
             $line2 = __('These incompatible files have been found to be loaded from another plugin: ', 'geoip-detect') . $data;
             $line3 = __('Please test if looking up an IP adress works without an PHP Error. If it works, you can dismiss this notice. It will appear again when their libraries are changed.', 'geoip-detect');
 
-            $body = <<<BODY
+            $body = "
 <p><i>$line1</i></p>
 <p>$line2</p>
 <p>$line3</p>
-BODY;
+";
             $this->adminNotices[] = [
                 'id' => 'maxmind_vendor_old_' . md5($data),
                 'title' => __('Geolocation IP Detection: Warning: Old Maxmind Libraries detected.', 'geoip-detect'),

data-sources/auto.php

@@ -143,7 +143,7 @@ public function saveParameters($post) {
 
 	protected function download_url($url, $modified = 0) {
 		// Similar to wordpress download_url, but with custom UA
-		$url_filename = basename( parse_url( $url, PHP_URL_PATH ) );
+		$url_filename = basename( wp_parse_url( $url, PHP_URL_PATH ) );
 
 		$tmpfname = wp_tempnam( $url_filename );
 		if ( ! $tmpfname )
@@ -161,7 +161,7 @@ protected function download_url($url, $modified = 0) {
 			return new \WP_Error( 'http_304', __('It has not changed since the last update.', 'geoip-detect') );
 		}
 		if (is_wp_error( $response ) || 200 !=  $http_response_code) {
-			unlink($tmpfname);
+			wp_delete_file($tmpfname);
 			$body = wp_remote_retrieve_body($response);
 			return new \WP_Error( 'http_404', $http_response_code . ': ' . trim( wp_remote_retrieve_response_message( $response ) ) . ' ' . $body );
 		}
@@ -220,7 +220,7 @@ public function maxmindUpdate($forceUpdate = false)
 		}
 
 		update_option('geoip-detect-auto_downloaded_file', '');
-		unlink($tmpFile);
+		wp_delete_file($tmpFile);
 
 		return true;
 	}
@@ -252,7 +252,7 @@ protected function unpackArchive($downloadedFilename, $outFile) {
 			$phar->extractTo($outDir, null, true);
 		} catch(\Throwable $e) {
 			// Fallback method of unpacking?
-			unlink($downloadedFilename); // Do not try to unpack this file again, instead re-download
+			wp_delete_file($downloadedFilename); // Do not try to unpack this file again, instead re-download
 			return __('The downloaded file seems to be corrupt. Try again ...', 'geoip-detect');
 		}
 
@@ -309,7 +309,7 @@ public function set_cron_schedule()
 	public function schedule_next_cron_run() {
 		// Try to update every 1-2 weeks
 		$next = time() + WEEK_IN_SECONDS;
-		$next += mt_rand(1, WEEK_IN_SECONDS);
+		$next += \wp_rand(1, WEEK_IN_SECONDS);
 
 		wp_schedule_single_event($next, 'geoipdetectupdate');
 	}
@@ -329,7 +329,7 @@ public function uninstall() {
 		// Delete the automatically downloaded file, if it exists
 		$filename = $this->maxmindGetFilename();
 		if ($filename) {
-			unlink($filename);
+			wp_delete_file($filename);
 		}
 	}
 }

deprecated.php

@@ -20,32 +20,4 @@ function geoip_detect_get_abs_db_filename()
 	if (is_object($reader) && method_exists($source, 'maxmindGetFilename'))
 		return $source->maxmindGetFilename();
 	return '';
-}
-
-
-
-/**
- * @deprecated shortcode
- */
-function geoip_detect_shortcode($attr)
-{
-	$userInfo = geoip_detect_get_info_from_current_ip();
-
-	$defaultValue = isset($attr['default']) ? $attr['default'] : '';
-
-	if (!is_object($userInfo))
-		return $defaultValue . '<!-- Geolocation IP Detection: No info found for this IP. -->';
-
-	$propertyName = $attr['property'];
-
-
-	if (property_exists($userInfo, $propertyName)) {
-		if ($userInfo->$propertyName)
-			return $userInfo->$propertyName;
-		else
-			return $defaultValue;
-	}
-
-	return $defaultValue . '<!-- Geolocation IP Detection: Invalid property name. -->';
-}
-add_shortcode('geoip_detect', 'geoip_detect_shortcode');
+}

geoip-detect.php

@@ -5,18 +5,17 @@
 Description:     Provides geographic information detected by an IP adress.
 Author:          Yellow Tree (Benjamin Pick)
 Author URI:      http://www.yellowtree.de
-Version:         5.5.0
+Version:         5.6.0
 License:         GPLv3 or later
 License URI:     http://www.gnu.org/licenses/gpl-3.0.html
 Text Domain:     geoip-detect
-Domain Path:     /languages
 GitHub Plugin URI: https://github.com/yellowtree/geoip-detect
 GitHub Branch:   master
 Requires WP:     5.4
 Requires PHP:    7.2.5
 */
 
-define('GEOIP_DETECT_VERSION', '5.5.0');
+define('GEOIP_DETECT_VERSION', '5.6.0');
 
 /*
 Copyright 2013-2023 Yellow Tree, Siegen, Germany

init.php

@@ -36,12 +36,6 @@ function geoip_detect_check_ipv6_support() {
 	return @inet_pton('::1') !== false;
 }
 
-// Load Locales
-function geoip_detect_load_textdomain() {
-  load_plugin_textdomain( 'geoip-detect', false, GEOIP_PLUGIN_DIR . '/languages' );
-}
-add_action( 'plugins_loaded', 'geoip_detect_load_textdomain' );
-
 
 function geoip_detect_enqueue_admin_notices() {
 	// Nobody would see these notices them anyway.
@@ -89,15 +83,15 @@ function geoip_detect_admin_notice_template($id, $title, $body, $addButtonDismis
 ?>
 <div class="error notice is-dismissible">
 	<p style="float: right">
-		<a href="tools.php?page=<?php echo GEOIP_PLUGIN_BASENAME ?>&geoip_detect_dismiss_notice=<?php echo $id ?>"><?php _e('Dismiss notice', 'geoip-detect'); ?></a>
+		<a href="tools.php?page=<?php echo GEOIP_PLUGIN_BASENAME ?>&geoip_detect_dismiss_notice=<?php echo esc_attr($id) ?>"><?php _e('Dismiss notice', 'geoip-detect'); ?></a>
 	</p>
 
 	<h3><?php echo $title; ?></h3>
 
 	<?php echo $body; ?>
 	<?php if ($addButtonDismiss) : ?>
 	<p>
-		<a class="button button-secondary" href="?geoip_detect_dismiss_notice=<?= $id ?>">Hide this notice</a>
+		<a class="button button-secondary" href="?geoip_detect_dismiss_notice=<?php echo esc_attr($id) ?>">Hide this notice</a>
 	</p>
 	<?php endif; ?>
 </div>

lib/ccpa.php

@@ -288,7 +288,7 @@ public function schedule($forceReschedule = false) {
 
     protected function schedule_next_cron_run() {
         $next = time() + DAY_IN_SECONDS;
-        $next += mt_rand(1, HOUR_IN_SECONDS);
+        $next += wp_rand(1, HOUR_IN_SECONDS);
         wp_schedule_single_event($next, 'geoipdetectccpaupdate');
     }
 }