Version Description
| August 18th, 2021 = * Security: Access to the Download API now requires a valid nonce to prevent CSRF. * Security: Added authentication to Empty Cache Directory AJAX-call.
Download this release
Release Info
| Developer | DaanvandenBergh |
| Plugin |  OMGF | GDPR/DSVGO Compliant, Faster Google Fonts. Easy. |
| Version | 4.5.4 |
| Comparing to | |
| See all releases | |
Code changes from version 4.5.3 to 4.5.4
- host-webfonts-local.php +1 -1
- includes/api/class-download.php +9 -1
- includes/class-ajax.php +4 -0
- includes/frontend/class-functions.php +7 -1
- readme.txt +6 -1
host-webfonts-local.php
CHANGED
|
@@ -4,7 +4,7 @@
|
|
| 4 |
* Plugin Name: OMGF
|
| 5 |
* Plugin URI: https://daan.dev/wordpress-plugins/host-google-fonts-locally
|
| 6 |
* Description: Minimize DNS requests, leverage browser cache and speed up WordPress by saving Google Fonts to your server and removing external Google Fonts requests.
|
| 7 |
-
* Version: 4.5.
|
| 8 |
* Author: Daan from FFW.Press
|
| 9 |
* Author URI: https://ffw.press
|
| 10 |
* License: GPL2v2 or later
|
| 4 |
* Plugin Name: OMGF
|
| 5 |
* Plugin URI: https://daan.dev/wordpress-plugins/host-google-fonts-locally
|
| 6 |
* Description: Minimize DNS requests, leverage browser cache and speed up WordPress by saving Google Fonts to your server and removing external Google Fonts requests.
|
| 7 |
+
* Version: 4.5.4
|
| 8 |
* Author: Daan from FFW.Press
|
| 9 |
* Author URI: https://ffw.press
|
| 10 |
* License: GPL2v2 or later
|
includes/api/class-download.php
CHANGED
|
@@ -69,11 +69,19 @@ class OMGF_API_Download extends WP_REST_Controller
|
|
| 69 |
}
|
| 70 |
|
| 71 |
/**
|
|
|
|
|
|
|
|
|
|
|
|
|
| 72 |
* @return bool
|
| 73 |
*/
|
| 74 |
public function permissions_check()
|
| 75 |
{
|
| 76 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
| 77 |
}
|
| 78 |
|
| 79 |
/**
|
| 69 |
}
|
| 70 |
|
| 71 |
/**
|
| 72 |
+
* Prevent CSRF.
|
| 73 |
+
*
|
| 74 |
+
* @since v4.5.4
|
| 75 |
+
*
|
| 76 |
* @return bool
|
| 77 |
*/
|
| 78 |
public function permissions_check()
|
| 79 |
{
|
| 80 |
+
if (!isset($_REQUEST['_wpnonce'])) {
|
| 81 |
+
return false;
|
| 82 |
+
}
|
| 83 |
+
|
| 84 |
+
return wp_verify_nonce($_REQUEST['_wpnonce'], 'wp_rest') > 0;
|
| 85 |
}
|
| 86 |
|
| 87 |
/**
|
includes/class-ajax.php
CHANGED
|
@@ -26,6 +26,10 @@ class OMGF_AJAX
|
|
| 26 |
*/
|
| 27 |
public function __construct()
|
| 28 |
{
|
|
|
|
|
|
|
|
|
|
|
|
|
| 29 |
add_action('wp_ajax_omgf_ajax_empty_dir', [$this, 'empty_directory']);
|
| 30 |
}
|
| 31 |
|
| 26 |
*/
|
| 27 |
public function __construct()
|
| 28 |
{
|
| 29 |
+
if (!current_user_can('manage_options')) {
|
| 30 |
+
wp_die(__("You're not cool enough to access this page.", $this->plugin_text_domain));
|
| 31 |
+
}
|
| 32 |
+
|
| 33 |
add_action('wp_ajax_omgf_ajax_empty_dir', [$this, 'empty_directory']);
|
| 34 |
}
|
| 35 |
|
includes/frontend/class-functions.php
CHANGED
|
@@ -191,7 +191,13 @@ class OMGF_Frontend_Functions
|
|
| 191 |
$protocol = 'https:';
|
| 192 |
}
|
| 193 |
|
| 194 |
-
$
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 195 |
}
|
| 196 |
}
|
| 197 |
}
|
| 191 |
$protocol = 'https:';
|
| 192 |
}
|
| 193 |
|
| 194 |
+
$params = http_build_query([
|
| 195 |
+
'handle' => $updated_handle,
|
| 196 |
+
'original_handle' => $handle,
|
| 197 |
+
'_wpnonce' => wp_create_nonce('wp_rest')
|
| 198 |
+
]);
|
| 199 |
+
|
| 200 |
+
$wp_styles->registered[$handle]->src = $protocol . str_replace('//fonts.googleapis.com/', $api_url, $font->src) . '&' . $params;
|
| 201 |
}
|
| 202 |
}
|
| 203 |
}
|
readme.txt
CHANGED
|
@@ -3,7 +3,7 @@ Contributors: DaanvandenBergh
|
|
| 3 |
Tags: google, fonts, gdpr, cache, speed, preload, font-display, webfonts, subsets, remove, minimize, external, requests
|
| 4 |
Requires at least: 4.6
|
| 5 |
Tested up to: 5.8
|
| 6 |
-
Stable tag: 4.5.
|
| 7 |
Requires PHP: 7.0
|
| 8 |
License: GPLv2 or later
|
| 9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
|
@@ -132,8 +132,13 @@ No, not yet. But I will definitely try to make it compatible in the future!
|
|
| 132 |
|
| 133 |
== Changelog ==
|
| 134 |
|
|
|
|
|
|
|
|
|
|
|
|
|
| 135 |
= 4.5.3 | August 17th, 2021 =
|
| 136 |
* Fix: "Too few arguments to function OmgfPro_Frontend_AutoReplace::passthru_handle()" would occur if OMGF Pro was updated to v2.5.1 before OMGF was updated to v4.5.2.
|
|
|
|
| 137 |
|
| 138 |
= 4.5.2 | August 16th, 2021 =
|
| 139 |
* Pro Feature: Added promo material for @font-face detection in local stylesheets.
|
| 3 |
Tags: google, fonts, gdpr, cache, speed, preload, font-display, webfonts, subsets, remove, minimize, external, requests
|
| 4 |
Requires at least: 4.6
|
| 5 |
Tested up to: 5.8
|
| 6 |
+
Stable tag: 4.5.4
|
| 7 |
Requires PHP: 7.0
|
| 8 |
License: GPLv2 or later
|
| 9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 132 |
|
| 133 |
== Changelog ==
|
| 134 |
|
| 135 |
+
= 4.5.4 | August 18th, 2021 =
|
| 136 |
+
* Security: Access to the Download API now requires a valid nonce to prevent CSRF.
|
| 137 |
+
* Security: Added authentication to Empty Cache Directory AJAX-call.
|
| 138 |
+
|
| 139 |
= 4.5.3 | August 17th, 2021 =
|
| 140 |
* Fix: "Too few arguments to function OmgfPro_Frontend_AutoReplace::passthru_handle()" would occur if OMGF Pro was updated to v2.5.1 before OMGF was updated to v4.5.2.
|
| 141 |
+
* Security: Added checks to prevent path traversal and CSRF in Empty Cache Directory AJAX call.
|
| 142 |
|
| 143 |
= 4.5.2 | August 16th, 2021 =
|
| 144 |
* Pro Feature: Added promo material for @font-face detection in local stylesheets.
|
