fix: Remove critical security and performance vulnerabilities

- Remove dangerous set_time_limit() calls in AJAX handlers to prevent resource exhaustion
- Restrict debug logging GET parameter access to administrators only
- Addresses remaining critical issues from security audit

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
bengizmo 2025-08-06 13:49:42 -03:00
parent 5ab2c58f68
commit 6a8ef29ad8
2 changed files with 8 additions and 8 deletions


@ -64,8 +64,8 @@ class HVAC_Geocoding_Ajax {
} }
try { try {
// Set execution time limit // Note: Removed set_time_limit to prevent resource exhaustion
set_time_limit(300); // 5 minutes // Large geocoding operations should use background processing instead
$results = $this->execute_geocoding(); $results = $this->execute_geocoding();
@ -132,8 +132,8 @@ class HVAC_Geocoding_Ajax {
} }
try { try {
// Set execution time limit // Note: Removed set_time_limit to prevent resource exhaustion
set_time_limit(300); // 5 minutes // Large operations should use background processing instead
$results = $this->execute_csv_remigration(); $results = $this->execute_csv_remigration();
@ -185,8 +185,8 @@ class HVAC_Geocoding_Ajax {
} }
try { try {
// Set execution time limit // Note: Removed set_time_limit to prevent resource exhaustion
set_time_limit(300); // 5 minutes // Large operations should use background processing instead
// Include the enhanced CSV import class // Include the enhanced CSV import class
require_once plugin_dir_path(__FILE__) . 'enhanced-csv-import-from-file.php'; require_once plugin_dir_path(__FILE__) . 'enhanced-csv-import-from-file.php';
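Review bot: Dropping set_time_limit(300) does not by itself prevent resource exhaustion — execute_geocoding(), execute_csv_remigration() and the CSV import are still run synchronously inside the AJAX request, so the work now simply runs until PHP's default max_execution_time (or the FastCGI/proxy timeout) kills it mid-way, which can leave a batch partially processed. The replacement comments say large operations "should use background processing instead", but nothing in these hunks does that, so the comment records an intent rather than the code; either reword it to `// No set_time_limit(): this request runs under the server's default max_execution_time, so keep batches small.` or actually defer the work (wp_schedule_single_event() or an Action Scheduler job) and return immediately. The control that really bounds resource use for a long-running handler is who may trigger it and how often: the guard that closes just before each `try` is outside the hunk, so I cannot see whether it verifies a nonce and capability, and a concurrency guard such as `if ( get_transient( 'hvac_geocoding_running' ) ) { wp_send_json_error( 'Already running' ); } set_transient( 'hvac_geocoding_running', 1, 5 * MINUTE_IN_SECONDS );` ahead of the call (cleared in a `finally`) would stop repeated requests stacking up. All three methods start before and end after their hunks.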


@ -59,8 +59,8 @@ class HVAC_Logger {
// Check for plugin-specific debug option // Check for plugin-specific debug option
$plugin_debug = get_option( 'hvac_ce_debug_mode', false ); $plugin_debug = get_option( 'hvac_ce_debug_mode', false );
// Check for query parameter (for temporary debugging) // Check for query parameter (for temporary debugging) - admin only
if ( isset( $_GET['hvac_debug'] ) && wp_verify_nonce( $_GET['hvac_debug'], 'hvac_debug_nonce' ) ) { if ( isset( $_GET['hvac_debug'] ) && wp_verify_nonce( $_GET['hvac_debug'], 'hvac_debug_nonce' ) && current_user_can( 'manage_options' ) ) {
return true; return true;
} }
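Review bot: The new `current_user_can( 'manage_options' )` should be the first operand of the condition, and the raw `$_GET['hvac_debug']` should be unslashed and sanitized before it reaches wp_verify_nonce(): `if ( current_user_can( 'manage_options' ) && isset( $_GET['hvac_debug'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['hvac_debug'] ) ), 'hvac_debug_nonce' ) ) {`. Checking the capability first means non-administrators never exercise the nonce path at all, and the unslash/sanitize step is what the WordPress coding standards expect for request input. One caveat that predates this commit but deserves a comment: both wp_verify_nonce() and current_user_can() resolve the current user, so if this logger is consulted before pluggable functions are available (e.g. during plugin bootstrap) the check may not behave as intended — a `// NOTE: needs the current user to be resolvable; do not rely on this before plugins_loaded` line next to it would save the next maintainer a surprise. The enclosing method starts before the hunk and its remaining option checks continue after it.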