From 25d37d17bc8036123a3747fe7dec56cdac76c87e Mon Sep 17 00:00:00 2001 From: Bas Schuiling Date: Wed, 13 Dec 2023 13:57:28 +0200 Subject: [PATCH 1/4] - esc_url added to form, fixing possible issues with xss - if debug not is numeric, then set it to info, nothing else --- build/shortpixel/log/src/ShortPixelLogger.php | 1 - classes/uihelper.php | 3 +-- views/screen.php | 3 +-- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/build/shortpixel/log/src/ShortPixelLogger.php b/build/shortpixel/log/src/ShortPixelLogger.php index c849820..00676ad 100644 --- a/build/shortpixel/log/src/ShortPixelLogger.php +++ b/build/shortpixel/log/src/ShortPixelLogger.php @@ -82,7 +82,6 @@ public function __construct() { if (defined('SHORTPIXEL_LOG_OVERWRITE')) // if overwrite, do this on init once. file_put_contents($this->logPath,'-- Log Reset -- ' .PHP_EOL); - } if ($this->is_active) diff --git a/classes/uihelper.php b/classes/uihelper.php index 214d156..f831f6a 100644 --- a/classes/uihelper.php +++ b/classes/uihelper.php @@ -54,9 +54,8 @@ public function getFormUrl($attach_id, $action = null) if (is_numeric($spdebug)) $spdebug = intval($spdebug); else { - $spdebug = sanitize_text_field($spdebug); + $spdebug = 3; } - $url = add_query_arg('SHORTPIXEL_DEBUG', $spdebug, $url); } diff --git a/views/screen.php b/views/screen.php index f84ffb1..62723be 100644 --- a/views/screen.php +++ b/views/screen.php @@ -45,14 +45,13 @@ getFormUrl($attachment_id); - //$formurl = wp_nonce_url( $url, "media_replace_upload" ); if (FORCE_SSL_ADMIN) { $formurl = str_replace("http:", "https:", $formurl); } ?> -
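Review bot: The fallback `$spdebug = 3;` in getFormUrl is an undocumented magic number, and the same literal is repeated in getSuccesRedirect later in this series, so the two paths can drift apart. I would lift it into a class constant and collapse the branch to `$spdebug = is_numeric($spdebug) ? (int) $spdebug : self::DEFAULT_DEBUG_LEVEL;`, with `// non-numeric input falls back to the info level` beside the constant (that 3 means "info" is inferred from the commit subject, not from visible code). The coercion itself is sound for the reflected-XSS case, since the value reaching add_query_arg is now always an int, but is_numeric() also accepts exponent and leading-whitespace forms, so `(int)` can produce values far outside any defined log level; if the logger has a known level range, clamping here would be cheap. getFormUrl begins, and the line that reads $spdebug sits, outside this hunk.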
+
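Review bot: The `str_replace("http:", "https:", $formurl)` that feeds the escaped action attribute rewrites every occurrence of `http:` in the URL rather than just the scheme, so an `http:` embedded in a query-string value (a redirect target, for example) would be altered as well; WordPress's `set_url_scheme()` touches only the scheme, so `$formurl = set_url_scheme($formurl, 'https');` is the safer form. The esc_url() call the commit subject describes is the correct escaper for a URL-valued attribute and is what actually closes the quote-breakout that sanitize_text_field() did not prevent. The form markup itself did not survive into this extract, so I cannot confirm that no other variable is echoed unescaped inside the same tag.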
From b88e6b0acc5967fe7ce334a5d71f001c9a80467a Mon Sep 17 00:00:00 2001 From: Bas Schuiling Date: Wed, 13 Dec 2023 14:10:31 +0200 Subject: [PATCH 2/4] Moved check on background feature to remote notice feature for disabling --- classes/emr-plugin.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/classes/emr-plugin.php b/classes/emr-plugin.php index 50cbd2c..9e4e256 100644 --- a/classes/emr-plugin.php +++ b/classes/emr-plugin.php @@ -56,6 +56,7 @@ public function adminInit() { $this->features['replace'] = true; // does nothing just for completeness $this->features['background'] = apply_filters('emr/feature/background', true); + $this->features['remote_notice'] = apply_filters('emr/feature/remote_notice', true); load_plugin_textdomain('enable-media-replace', false, basename(dirname(EMR_ROOT_FILE)) . '/languages'); @@ -86,6 +87,9 @@ public function useFeature($name) case 'background': $bool = $this->features['background']; break; + case 'remote_notice': + $bool = $this->features['remote_notice']; + break; default: $bool = false; break; @@ -190,9 +194,8 @@ public function setScreen() $screen = get_current_screen(); $notice_pages = array('attachment', 'media_page_enable-media-replace/enable-media-replace', 'upload' ); - if ( in_array($screen->id, $notice_pages) && true === emr()->useFeature('background')) + if ( in_array($screen->id, $notice_pages) && true === emr()->useFeature('remote_notice')) { - RemoteNoticeController::getInstance(); // check for remote stuff $notices = Notices::getInstance(); $notices->loadIcons(array( From 6c512872753ebc60c53adfad8cb2f2d933b60fcf Mon Sep 17 00:00:00 2001 From: Bas Schuiling Date: Wed, 13 Dec 2023 14:13:23 +0200 Subject: [PATCH 3/4] Also not sanitizetextfield on successredirect --- classes/uihelper.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/classes/uihelper.php b/classes/uihelper.php index f831f6a..e0134cc 100644 --- a/classes/uihelper.php +++ b/classes/uihelper.php 
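Review bot: The new `$this->features['remote_notice'] = apply_filters('emr/feature/remote_notice', true);` stores the filter's raw return value, but setScreen tests it with `true === emr()->useFeature('remote_notice')`, so a filter callback that returns a truthy non-bool such as `1` or `'yes'` silently disables the feature. Casting at the source, `$this->features['remote_notice'] = (bool) apply_filters('emr/feature/remote_notice', true);`, makes the strict comparison behave as the readme documents; the existing `background` line has the same weakness and could be fixed alongside. adminInit continues outside this hunk.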
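Review bot: Removing `RemoteNoticeController::getInstance();` outright rather than gating it on the new flag leaves nothing in setScreen performing the remote check, so either the call now lives on an unconditional path elsewhere, in which case the `emr/feature/remote_notice` filter does not actually disable it, or it no longer runs at all; where it now executes is worth confirming before release. Meanwhile the `Notices::getInstance()`/loadIcons block, which looks unrelated to remote notices, is now skipped for every site that opts out via the filter; if that is unintended, keep the page check as it was and gate only the remote call with `if (true === emr()->useFeature('remote_notice')) { RemoteNoticeController::getInstance(); }`. setScreen continues past the end of this hunk.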
@@ -74,9 +74,8 @@ public function getSuccesRedirect($attach_id) if (is_numeric($spdebug)) $spdebug = intval($spdebug); else { - $spdebug = sanitize_text_field($spdebug); + $spdebug = 3; } - $url = add_query_arg('SHORTPIXEL_DEBUG', $spdebug, $url); } From 22b198d89867feaf874965aeae2375f163278bd0 Mon Sep 17 00:00:00 2001 From: Pedro Dobrescu Date: Thu, 14 Dec 2023 16:42:02 +0200 Subject: [PATCH 4/4] Update the readme file and version numbers for the 4.1.5 release --- enable-media-replace.php | 4 ++-- readme.txt | 12 +++++++++++- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/enable-media-replace.php b/enable-media-replace.php index 35074e1..5ad00d8 100644 --- a/enable-media-replace.php +++ b/enable-media-replace.php @@ -3,7 +3,7 @@ * Plugin Name: Enable Media Replace * Plugin URI: https://wordpress.org/plugins/enable-media-replace/ * Description: Enable replacing media files by uploading a new file in the "Edit Media" section of the WordPress Media Library. - * Version: 4.1.4 + * Version: 4.1.5 * Author: ShortPixel * Author URI: https://shortpixel.com * GitHub Plugin URI: https://github.com/short-pixel-optimizer/enable-media-replace @@ -25,7 +25,7 @@ * */ -define( 'EMR_VERSION', '4.1.4' ); +define( 'EMR_VERSION', '4.1.5' ); if ( ! defined( 'ABSPATH' ) ) { exit; // Exit if accessed directly. diff --git a/readme.txt b/readme.txt index a5b3480..6f1c0b7 100644 --- a/readme.txt +++ b/readme.txt @@ -5,7 +5,7 @@ Tags: replace, attachment, media, files, replace image, remove background, repla Requires at least: 4.9.7 Tested up to: 6.3 Requires PHP: 5.6 -Stable tag: 4.1.4 +Stable tag: 4.1.5 Easily replace any attached image/file by simply uploading a new file in the Media Library edit view - a real time saver! 
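Review bot: This block is now a line-for-line copy of the debug-level handling in getFormUrl (the same `is_numeric`/`intval`/fallback-to-3 branch followed by the same add_query_arg call), so any future change to how SHORTPIXEL_DEBUG is validated must be made in two places. A small private helper such as `addDebugArg($url, $spdebug)` returning `add_query_arg('SHORTPIXEL_DEBUG', is_numeric($spdebug) ? (int) $spdebug : 3, $url)` would give both callers one place to maintain, and a comment like `// non-numeric debug values fall back to level 3 (info)` would record why 3 was chosen, since the commit subject is currently the only place that explains it. getSuccesRedirect begins outside this hunk, as does the code that reads $spdebug.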
@@ -38,6 +38,10 @@ If you don't want to use the background removal feature, add this line to your t ```add_filter( 'emr/feature/background', '__return_false' );``` +A similar filter, for the remote notification system is: + +```add_filter( 'emr/feature/remote_notice', '__return_false' );``` + To shorten the wait time before redirecting to the media editing screen, use the following filter and specify the wait time in seconds (0 means that redirection is immediate, but may cause problems in certain configurations): ```add_filter('emr/success/timeout', function () { return 3; });``` @@ -69,6 +73,12 @@ If you want more control over the format in which the time is shown, you can use == Changelog == += 4.1.5 = + +Release date: December 14, 2023 +* Tweak: Added a filter to disable the remote notification system added in version 4.1.0; +* Fix: A potential "Reflected Cross-Site Scripting" vulnerability has been patched, responsibly disclosed by the Wordfence team. + = 4.1.4 = Release date: September 22, 2023