fix: Remove critical security and performance vulnerabilities

- Remove dangerous set_time_limit() calls in AJAX handlers to prevent resource exhaustion - Restrict debug logging GET parameter access to administrators only - Addresses remaining critical issues from security audit 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-06 13:49:42 -03:00 · 2025-08-06 13:49:42 -03:00 · 6a8ef29ad8
commit 6a8ef29ad8
parent 5ab2c58f68
2 changed files with 8 additions and 8 deletions
--- a/includes/class-hvac-geocoding-ajax.php
+++ b/includes/class-hvac-geocoding-ajax.php
@ -64,8 +64,8 @@ class HVAC_Geocoding_Ajax {
        }
        
        try {
-            // Set execution time limit
-            set_time_limit(300); // 5 minutes
+            // Note: Removed set_time_limit to prevent resource exhaustion  
+            // Large geocoding operations should use background processing instead
            
            $results = $this->execute_geocoding();
            
@ -132,8 +132,8 @@ class HVAC_Geocoding_Ajax {
        }
        
        try {
-            // Set execution time limit
-            set_time_limit(300); // 5 minutes
+            // Note: Removed set_time_limit to prevent resource exhaustion
+            // Large operations should use background processing instead
            
            $results = $this->execute_csv_remigration();
            
@ -185,8 +185,8 @@ class HVAC_Geocoding_Ajax {
        }
        
        try {
-            // Set execution time limit
-            set_time_limit(300); // 5 minutes
+            // Note: Removed set_time_limit to prevent resource exhaustion
+            // Large operations should use background processing instead
            
            // Include the enhanced CSV import class
            require_once plugin_dir_path(__FILE__) . 'enhanced-csv-import-from-file.php';
--- a/includes/class-hvac-logger.php
+++ b/includes/class-hvac-logger.php
@ -59,8 +59,8 @@ class HVAC_Logger {
 		// Check for plugin-specific debug option
 		$plugin_debug = get_option( 'hvac_ce_debug_mode', false );
 		
-		// Check for query parameter (for temporary debugging)
-		if ( isset( $_GET['hvac_debug'] ) && wp_verify_nonce( $_GET['hvac_debug'], 'hvac_debug_nonce' ) ) {
+		// Check for query parameter (for temporary debugging) - admin only
+		if ( isset( $_GET['hvac_debug'] ) && wp_verify_nonce( $_GET['hvac_debug'], 'hvac_debug_nonce' ) && current_user_can( 'manage_options' ) ) {
 			return true;
 		}