From 6a8ef29ad807ee85f381ca6ee27b675163421d4c Mon Sep 17 00:00:00 2001
From: bengizmo
Date: Wed, 6 Aug 2025 13:49:42 -0300
Subject: [PATCH] fix: Remove critical security and performance vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Remove dangerous set_time_limit() calls in AJAX handlers to prevent resource exhaustion
- Restrict debug logging GET parameter access to administrators only
- Addresses remaining critical issues from security audit
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 includes/class-hvac-geocoding-ajax.php | 12 ++++++------
 includes/class-hvac-logger.php | 4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/includes/class-hvac-geocoding-ajax.php b/includes/class-hvac-geocoding-ajax.php
index 6dc6061a..952a0924 100644
--- a/includes/class-hvac-geocoding-ajax.php
+++ b/includes/class-hvac-geocoding-ajax.php
@@ -64,8 +64,8 @@ class HVAC_Geocoding_Ajax {
 }
 try {
- // Set execution time limit
- set_time_limit(300); // 5 minutes
+ // Note: Removed set_time_limit to prevent resource exhaustion
+ // Large geocoding operations should use background processing instead
 $results = $this->execute_geocoding();
@@ -132,8 +132,8 @@ class HVAC_Geocoding_Ajax {
 }
 try {
- // Set execution time limit
- set_time_limit(300); // 5 minutes
+ // Note: Removed set_time_limit to prevent resource exhaustion
+ // Large operations should use background processing instead
 $results = $this->execute_csv_remigration();
@@ -185,8 +185,8 @@ class HVAC_Geocoding_Ajax {
 }
 try {
- // Set execution time limit
- set_time_limit(300); // 5 minutes
+ // Note: Removed set_time_limit to prevent resource exhaustion
+ // Large operations should use background processing instead
 // Include the enhanced CSV import class
 require_once plugin_dir_path(__FILE__) . 'enhanced-csv-import-from-file.php';
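Review bot: The replacement comment at `+ // Note: Removed set_time_limit ...` describes a change the code does not make: `$results = $this->execute_geocoding();` still runs the whole job synchronously inside the AJAX request, so dropping `set_time_limit(300)` only lowers the ceiling to PHP's `max_execution_time` (30 seconds by default) without bounding the work a single request can do. A timeout at that ceiling is a fatal error rather than an exception, so the surrounding `try` cannot catch it and a long batch is cut off mid-way, potentially leaving the run partially applied and the client without a response. Resource exhaustion is addressed by limiting how many records one request processes (a batch size the caller pages through, or deferring the job to WP-Cron), not by the time limit alone. A comment that records history also ages badly; I would state the live constraint instead: `// Runs synchronously under PHP max_execution_time; keep per-request batches small.`. The same applies to the hunks at @@ -132 and @@ -185, and each enclosing method begins before and ends after its hunk.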
diff --git a/includes/class-hvac-logger.php b/includes/class-hvac-logger.php
index fa5bcd68..647d184c 100644
--- a/includes/class-hvac-logger.php
+++ b/includes/class-hvac-logger.php
@@ -59,8 +59,8 @@ class HVAC_Logger {
 // Check for plugin-specific debug option
 $plugin_debug = get_option( 'hvac_ce_debug_mode', false );
- // Check for query parameter (for temporary debugging)
- if ( isset( $_GET['hvac_debug'] ) && wp_verify_nonce( $_GET['hvac_debug'], 'hvac_debug_nonce' ) ) {
+ // Check for query parameter (for temporary debugging) - admin only
+ if ( isset( $_GET['hvac_debug'] ) && wp_verify_nonce( $_GET['hvac_debug'], 'hvac_debug_nonce' ) && current_user_can( 'manage_options' ) ) {
 return true;
 }
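Review bot: The added `current_user_can( 'manage_options' )` is evaluated last, after `$_GET['hvac_debug']` has already been handed raw to `wp_verify_nonce()`; the capability is the real authorization gate, so it should be the first operand, and the superglobal should be unslashed and sanitized before use as the WordPress coding standards require. I would write the condition as `if ( current_user_can( 'manage_options' ) && isset( $_GET['hvac_debug'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['hvac_debug'] ) ), 'hvac_debug_nonce' ) ) {`. Because WordPress nonces are bound to the current user's session, the capability check also means a nonce minted for a non-admin session no longer enables debug output, which is worth recording in the comment: `// Admin-only: a valid nonce from a non-admin session must not enable debugging`. The enclosing method begins before this hunk and continues past `return true;`.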