Fix MEDIUM security issues: SQL file-system clauses and CDN disclosure

Andrew Baker · claude · Andrew Baker · commit e2189aa5aa4b · 2026-03-19T09:10:08.000+02:00
- is_safe_query(): block INTO OUTFILE, INTO DUMPFILE, LOAD_FILE clauses
- readme.txt: add == External services == section disclosing cdnjs CDN dependency

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/cs-code-block.php b/cs-code-block.php
@@ -926,6 +926,10 @@ private static function is_safe_query( string $sql ): bool {
         if ( strpos( $clean, ';' ) !== false ) {
             return false;
         }
+        // Reject file-system abuse clauses regardless of SELECT keyword.
+        if ( preg_match( '/\b(INTO\s+OUTFILE|INTO\s+DUMPFILE|LOAD_FILE)\b/i', $clean ) ) {
+            return false;
+        }
         if ( preg_match( '/^(\w+)/i', $clean, $m ) ) {
             $first = strtoupper( $m[1] );
             return in_array( $first, [ 'SELECT', 'SHOW', 'DESCRIBE', 'DESC', 'EXPLAIN' ], true );
diff --git a/readme.txt b/readme.txt
@@ -149,6 +149,17 @@ Yes. Press Enter to run the query. Use Shift+Enter to insert a newline. Ctrl+Ent
 = 1.0.0 =
 * Initial release
 
+== External services ==
+
+This plugin loads syntax highlighting scripts and stylesheets from the cdnjs CDN operated by Cloudflare, Inc.
+
+* Service: cdnjs (https://cdnjs.cloudflare.com/)
+* When: On every page that contains a code block (frontend and block editor).
+* What is sent: Standard HTTP request headers including visitor IP address and user agent, as required by any CDN request. No site content or user data is transmitted by the plugin itself.
+* Why: To serve the highlight.js library and theme stylesheets without bundling them locally.
+* Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
+* Cloudflare Terms of Service: https://www.cloudflare.com/terms/
+
 == Upgrade Notice ==
 
 = 1.7.3 =
