• Resolved Matt Gibbs

    (@mgibbs189)


    Hello,

    When indexing posts with FacetWP, WebToffee is (improperly) intercepting $_POST['offset'].

    The code in question lies at class-import-ajax.php:181:

    $offset=(isset($_POST['offset']) ? intval($_POST['offset']) : 0);
    $export_id=(isset($_POST['export_id']) ? intval($_POST['export_id']) : 0);

    There aren’t any checks in place (like $_POST['action']) to ensure that this offset stems from WebToffee itself.

    Or maybe to keep things simple, short circuit the export() call if $_POST['export_id'] is undefined, instead of giving it a default of 0?

    Thanks

Viewing 1 replies (of 1 total)
  • Plugin Support WebToffee Support

    (@webtoffeesupport)

    Hi @mgibbs189,

    Thanks for getting in touch with us.

    The export action is triggered from the file admin/modules/export/export.php #L250 and it’s wrapped with a nonce check of WebToffee import export plugin ID. This cannot be short-circuited as the initial batch of the export process will not have an export_id.

  • The topic ‘Improperly intercepting $_POST['offset']’ is closed to new replies.
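
The guard discussed in this thread, as an added PHP example that is not part of either post and is not WebToffee's or FacetWP's code: request fields are read only after the action and a nonce have been checked, and a missing export_id is still accepted for the initial batch. The action name, nonce field, nonce action and the stand-in verifier are assumptions made for the example.

```php
<?php
// Added illustration; not WebToffee or FacetWP code. The action name,
// nonce field and nonce action below are hypothetical placeholders.
const EXAMPLE_ACTION       = 'example_export_ajax';
const EXAMPLE_NONCE_FIELD  = '_wpnonce';
const EXAMPLE_NONCE_ACTION = 'example_export_plugin_id';

/**
 * Return export parameters only when the request is addressed to this
 * handler and carries a valid nonce; otherwise return null and leave the
 * request untouched for whichever plugin it belongs to.
 */
function example_read_export_request(array $post, callable $verify_nonce): ?array
{
    // 1. Scope check: ignore requests for any other action.
    if (($post['action'] ?? '') !== EXAMPLE_ACTION) {
        return null;
    }
    // 2. Authenticity check before reading any other field.
    $nonce = (string) ($post[EXAMPLE_NONCE_FIELD] ?? '');
    if (!$verify_nonce($nonce, EXAMPLE_NONCE_ACTION)) {
        return null;
    }
    // 3. Only now parse the parameters. export_id may be absent on the
    //    initial batch, so 0 is a valid value here.
    return [
        'offset'    => max(0, (int) ($post['offset'] ?? 0)),
        'export_id' => max(0, (int) ($post['export_id'] ?? 0)),
    ];
}

// Stand-in verifier so the example runs outside WordPress; inside
// WordPress, wp_verify_nonce() would be passed instead.
$verify = fn(string $nonce, string $action): bool
    => hash_equals(hash_hmac('sha256', $action, 'constructed-key'), $nonce);
$good = hash_hmac('sha256', EXAMPLE_NONCE_ACTION, 'constructed-key');

// Constructed sample requests.
$requests = [
    'other plugin, offset only' => ['action' => 'other_plugin_index', 'offset' => '40'],
    'export, initial batch'     => ['action' => EXAMPLE_ACTION, '_wpnonce' => $good, 'offset' => '0'],
    'export, later batch'       => ['action' => EXAMPLE_ACTION, '_wpnonce' => $good, 'offset' => '100', 'export_id' => '7'],
    'export action, bad nonce'  => ['action' => EXAMPLE_ACTION, '_wpnonce' => 'x', 'offset' => '100'],
];
foreach ($requests as $label => $post) {
    echo $label, ' => ', json_encode(example_read_export_request($post, $verify)), PHP_EOL;
}
```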