OMGF | GDPR/DSVGO Compliant, Faster Google Fonts. Easy. - Version 4.5.12

Version Description

| November 27th, 2021 = * Sec: Prevent path traversal when cache directory setting is changed. (Thanks, @jsgm!)


Release Info

Developer DaanvandenBergh
Version 4.5.12

Code changes from version 4.5.11 to 4.5.12

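--- a/host-webfonts-local.php
+++ b/host-webfonts-local.php
@@ -4,7 +4,7 @@
  * Plugin Name: OMGF
  * Plugin URI: https://daan.dev/wordpress-plugins/host-google-fonts-locally
  * Description: Minimize DNS requests, leverage browser cache and speed up WordPress by saving Google Fonts to your server and removing external Google Fonts requests.
- * Version: 4.5.11
+ * Version: 4.5.12
  * Author: Daan from FFW.Press
  * Author URI: https://ffw.press
  * License: GPL2v2 or later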
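--- a/includes/admin/class-notice.php
+++ b/includes/admin/class-notice.php
@@ -93,7 +93,7 @@ class OMGF_Admin_Notice
  ?>
  <div id="message" class="notice notice-<?php echo $type; ?> is-dismissible">
  <?php foreach ($message as $line) : ?>
- <p><?= $line; ?></p>
+ <p><strong><?= $line; ?></strong></p>
  <?php endforeach; ?>
  </div>
  <?php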
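Review bot: The `$line` echoed on the changed line is still written out unescaped, and validate_cache_dir in includes/class-admin.php in this same commit interpolates the submitted `$new_dir` into one of these notice strings, so whatever the settings form accepted lands in the admin page markup verbatim. If notices are meant to carry markup, `<p><strong><?= wp_kses_post($line); ?></strong></p>` keeps that while dropping anything else; if they are plain text, `esc_html($line)` is enough. The `$type` echoed into the class attribute on the context line above has the same shape and would take `esc_attr($type)`. The enclosing method starts and ends outside the hunk.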
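--- a/includes/class-admin.php
+++ b/includes/class-admin.php
@@ -56,6 +56,7 @@ class OMGF_Admin
  // This used to fix a bug, but now it breaks stuff. Leave it here for the time being.
  // add_filter('pre_update_option_omgf_optimized_fonts', [$this, 'update_optimized_fonts'], 10, 2);
  add_filter('pre_update_option_omgf_cache_keys', [$this, 'clean_up_cache'], 10, 3);
+ add_action('pre_update_option_omgf_cache_dir', [$this, 'validate_cache_dir'], 10, 2);
  add_filter('pre_update_option', [$this, 'settings_changed'], 10, 3);
  }
 
@@ -181,6 +182,42 @@ class OMGF_Admin
  return $value;
  }
 
+ /**
+ * Perform a few checks before saving the Cache Directory value to the database.
+ *
+ * @param mixed $new_dir
+ * @param mixed $old_dir
+ * @return mixed
+ */
+ public function validate_cache_dir($new_dir, $old_dir)
+ {
+ $allowed_path = WP_CONTENT_DIR . $new_dir;
+ $mkdir = true;
+
+ if (!file_exists($allowed_path)) {
+ /**
+ * wp_mkdir_p() already does some simple checks for path traversal, but we check it again using realpath() later on anyway.
+ */
+ $mkdir = wp_mkdir_p($allowed_path);
+ }
+
+ if (!$mkdir) {
+ OMGF_Admin_Notice::set_notice(sprintf(__('Something went wrong while trying to create OMGF\'s Cache Directory: %s. Setting wasn\'t updated.', $this->plugin_text_domain), $new_dir), 'omgf-create-cache-dir-failed', false, 'error');
+
+ return $old_dir;
+ }
+
+ $real_path = realpath($allowed_path);
+
+ if ($real_path != rtrim($allowed_path, '/')) {
+ OMGF_Admin_Notice::set_notice(__('OMGF\'s Cache Directory wasn\'t changed. Attempted path traversal.', $this->plugin_text_domain), 'omgf-attempted-path-traversal', false, 'error');
+
+ return $old_dir;
+ }
+
+ return $new_dir;
+ }
+
  /**
  * Shows notice if $option_name is in $show_notice array.
  *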
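Review bot: The realpath() comparison at the end of validate_cache_dir establishes only that `WP_CONTENT_DIR . $new_dir` contains no unresolved `..` or symlink segments, not that the result lies inside the content directory, so a value that resolves to a sibling of WP_CONTENT_DIR still passes; the comparison also uses loose `!=`, and it runs only after wp_mkdir_p() has already created the candidate directory, so a value that is then refused leaves that directory behind (wp_mkdir_p()'s own traversal check, mentioned in the added comment, narrows but does not remove this). Resolve WP_CONTENT_DIR with realpath() as well, require the resolved candidate to start with it using `===` and `strpos(...) !== 0`, and reject `..` before the mkdir so nothing is created for a value that will not be stored. In the earlier hunk the hook is registered with add_action() although `pre_update_option_omgf_cache_dir` is a filter; add_action() hands off to add_filter() so the return value is still used, but add_filter() would match the neighbouring registrations and state the intent. The rewritten lines follow; the wp_mkdir_p() block and its failure notice are unchanged.
```php
public function validate_cache_dir($new_dir, $old_dir)
{
    $content_dir  = realpath(WP_CONTENT_DIR);
    $allowed_path = WP_CONTENT_DIR . $new_dir;

    // Refuse '..' up front so no directory is created for a value that will be rejected anyway.
    if ($content_dir === false || strpos((string) $new_dir, '..') !== false) {
        OMGF_Admin_Notice::set_notice(__('OMGF\'s Cache Directory wasn\'t changed. Attempted path traversal.', $this->plugin_text_domain), 'omgf-attempted-path-traversal', false, 'error');

        return $old_dir;
    }

    // … unchanged: wp_mkdir_p() call and the omgf-create-cache-dir-failed notice …

    $real_path = realpath($allowed_path);

    // The resolved directory must sit below the resolved content directory, not merely exist.
    if ($real_path === false || strpos($real_path, $content_dir . DIRECTORY_SEPARATOR) !== 0) {
        OMGF_Admin_Notice::set_notice(__('OMGF\'s Cache Directory wasn\'t changed. Attempted path traversal.', $this->plugin_text_domain), 'omgf-attempted-path-traversal', false, 'error');

        return $old_dir;
    }

    return $new_dir;
}
```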
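--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: DaanvandenBergh
  Tags: google, fonts, gdpr, cache, speed, preload, font-display, webfonts, subsets, remove, minimize, external, requests
  Requires at least: 4.6
  Tested up to: 5.8
- Stable tag: 4.5.11
+ Stable tag: 4.5.12
  Requires PHP: 7.0
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -83,6 +83,9 @@ For the FAQ, [click here](https://docs.ffw.press/category/76-omgf-pro---faq).
 
  == Changelog ==
 
+ = 4.5.12 | November 27th, 2021 =
+ * Sec: Prevent path traversal when cache directory setting is changed. (Thanks, @jsgm!)
+
  = 4.5.11 | November 17th, 2021 =
  * Doc: Updated links to fancy new documentation hub: docs.ffw.press
  * Dev: Added $font_family to omgf_alternate_api_url filter.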