PowerPress Podcasting plugin by Blubrry - Version 8.3.8

Version Description

  • Released 10/08/2020
  • Fixed a security vulnerability concerning image uploads
  • Small bugfix so that welcome tab of settings page shows the correct feed info

Release Info

Developer benbeecroft
Version 8.3.8

Code changes from version 8.3.7 to 8.3.8

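--- a/powerpress.php
+++ b/powerpress.php
@@ -3,7 +3,7 @@
 Plugin Name: Blubrry PowerPress
 Plugin URI: http://create.blubrry.com/resources/powerpress/
 Description: <a href="https://create.blubrry.com/resources/powerpress/" target="_blank">Blubrry PowerPress</a> is the No. 1 Podcasting plugin for WordPress. Developed by podcasters for podcasters; features include Simple and Advanced modes, multiple audio/video player options, subscribe to podcast tools, podcast SEO features, and more! Fully supports Apple Podcasts (previously iTunes), Google Podcasts, Spotify, Stitcher, and Blubrry Podcasting directories, as well as all podcast applications and clients.
-Version: 8.3.7
+Version: 8.3.8
 Author: Blubrry
 Author URI: https://blubrry.com/
 Requires at least: 3.6
@@ -36,7 +36,7 @@ if( !function_exists('add_action') ) {
 
 // WP_PLUGIN_DIR (REMEMBER TO USE THIS DEFINE IF NEEDED)
 
-define('POWERPRESS_VERSION', '8.3.7' );
+define('POWERPRESS_VERSION', '8.3.8' );
 
 // Translation support:
 if ( !defined('POWERPRESS_ABSPATH') )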
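--- a/powerpressadmin-basic.php
+++ b/powerpressadmin-basic.php
@@ -906,61 +906,26 @@ function powerpress_settings_tab_footer()
 }
 function powerpressadmin_welcome($GeneralSettings, $FeedSettings)
 {
-$numPosts = wp_count_posts();
-if ($numPosts->publish < 1000) {
-$posts = get_posts(array('numberposts' => -1));
-$tooMany = false;
+if (isset($_GET['feed_slug'])) {
+$feed_slug = $_GET['feed_slug'];
 } else {
-$posts = get_posts(array('numberposts' => 100));
-$tooMany = true;
+$feed_slug = 'podcast';
 }
-$numEp = 0;
-$foundEp = false;
-$mostRecentEp = array();
-foreach ($posts as $idx => $post) {
-$enclosureArray = get_post_meta($post->ID, 'enclosure', true);
-if (!empty($enclosureArray)) {
-$numEp += 1;
-if (!$foundEp) {
-$EnclosureURL = '';
-$EnclosureLength = '';
-$EnclosureType = '';
-$EnclosureSerialized = false;
-if ($enclosureArray) {
-// list($EnclosureURL, $EnclosureLength, $EnclosureType, $EnclosureSerialized) = explode("\n", $enclosureArray, 4);
-$MetaParts = explode("\n", $enclosureArray, 4);
-if (count($MetaParts) > 0) {
-$EnclosureURL = $MetaParts[0];
-}
-if (count($MetaParts) > 3) {
-$EnclosureSerialized = $MetaParts[3];
-}
-
-if ($EnclosureSerialized && $EnclosureURL) {
-$mostRecentEp = @unserialize($EnclosureSerialized);
-$mostRecentEp['media_url'] = $EnclosureURL;
-$mostRecentEp['post_data'] = $post;
-}
-}
-
-if (!empty($mostRecentEp)) {
-$foundEp = true;
-}
-}
-}
-}
-
-if ($tooMany) {
-$numEp = "N/A";
-}
-
-if (isset($mostRecentEp['itunes_image'])) {
-$image = $mostRecentEp['itunes_image'];
-} elseif (isset($FeedSettings['itunes_image'])) {
+if (isset($FeedSettings['itunes_image']) && !empty($FeedSettings['itunes_image'])) {
 $image = $FeedSettings['itunes_image'];
 } else {
 $image = powerpress_get_root_url() . 'images/pts_cover.jpg';
 }
+if (isset($FeedSettings['itunes_summary'])) {
+$description = $FeedSettings['itunes_summary'];
+} elseif (isset($FeedSettings['itunes_subtitle'])) {
+$description = $FeedSettings['itunes_subtitle'];
+} elseif (isset($FeedSettings['description'])) {
+$description = $FeedSettings['description'];
+} else {
+$description = '';
+}
+$numEp = powerpress_admin_episodes_per_feed($feed_slug);
 ?>
 <script>
 function goToArtworkSettings() {
@@ -983,7 +948,7 @@ function powerpressadmin_welcome($GeneralSettings, $FeedSettings)
 <img id="welcome-preview-image" src="<?php echo $image; ?>" alt="Feed Image" />
 <div class="pp-settings-welcome-text">
 <p class="pp-settings-text-no-margin" style="margin-bottom: 2ch;"><?php echo __('By', 'powerpress'); ?> <?php echo isset($FeedSettings['itunes_talent_name']) ? $FeedSettings['itunes_talent_name'] : ''; ?></p>
-<p class="pp-settings-text-no-margin"><?php echo isset($mostRecentEp['post_data']) && isset($mostRecentEp['post_data']->post_content) ? $mostRecentEp['post_data']->post_content : ''; ?></p>
+<p class="pp-settings-text-no-margin"><?php echo $description; ?></p>
 </div>
 </div>
 <div class="pp-settings-num-episodes">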
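Review bot: `$feed_slug` on line 910 is read straight from `$_GET['feed_slug']` and passed on line 928 to `powerpress_admin_episodes_per_feed()`, whose body is not in this hunk, so nothing visible constrains the value before that helper uses it; reading it as `$feed_slug = sanitize_title( wp_unslash( $_GET['feed_slug'] ) );` guarantees the helper only ever sees a slug. The `$description` chosen on lines 919-927 is echoed unescaped on line 951; it comes from stored feed settings rather than the request, but it is still operator-entered text, so it should go out as `<?php echo wp_kses_post( $description ); ?>` (or `esc_html()` if plain text is intended), and the adjacent `$image` and `itunes_talent_name` echoes have the same pre-existing gap. powerpressadmin_welcome() opens at line 907 inside the first hunk but its body runs past the end of the second.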
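--- a/powerpressadmin.php
+++ b/powerpressadmin.php
@@ -115,16 +115,7 @@ function powerpress_admin_init()
 if( isset($_POST[ 'Feed' ]) || isset($_POST[ 'General' ]) )
 {
 check_admin_referer('powerpress-edit');
-
-$upload_path = false;
-$upload_url = false;
-$UploadArray = wp_upload_dir();
-if( false === $UploadArray['error'] )
-{
-$upload_path = $UploadArray['basedir'].'/powerpress/';
-$upload_url = $UploadArray['baseurl'].'/powerpress/';
-}
-
+
 // Save the posted value in the database
 $Feed = (isset($_POST['Feed'])?$_POST['Feed']:false);
 $General = (isset($_POST['General'])?$_POST['General']:false);
@@ -132,346 +123,211 @@ function powerpress_admin_init()
 $Category = (isset($_POST['cat'])?intval($_POST['cat']):false);
 $term_taxonomy_id = (isset($_POST['ttid'])?intval($_POST['ttid']):false);
 $podcast_post_type = (isset($_POST['podcast_post_type'])?esc_attr($_POST['podcast_post_type']):false);
-
+$acceptable_extensions = ['jpg', 'jpeg', 'png'];
+
 // New iTunes image
 if( !empty($_POST['itunes_image_checkbox']) )
 {
-$filename = str_replace(" ", "_", basename($_FILES['itunes_image_file']['name']) );
 $temp = $_FILES['itunes_image_file']['tmp_name'];
-
-if( file_exists($upload_path . $filename ) )
-{
-$filenameParts = pathinfo($filename);
-if( !empty($filenameParts['extension']) ) {
-do {
-$filename_no_ext = substr($filenameParts['basename'], 0, (strlen($filenameParts['extension'])+1) * -1 );
-$filename = sprintf('%s-%03d.%s', $filename_no_ext, rand(0, 999), $filenameParts['extension'] );
-} while( file_exists($upload_path . $filename ) );
-}
-}
-
-// Check the image...
-if( file_exists($temp) )
-{
-$ImageData = @getimagesize($temp);
-
-$rgb = true; // We assume it is RGB
-if( defined('POWERPRESS_IMAGICK') && POWERPRESS_IMAGICK )
-{
-if( $ImageData[2] == IMAGETYPE_PNG && extension_loaded('imagick') )
-{
-$image = new Imagick( $temp );
-if( $image->getImageColorspace() != imagick::COLORSPACE_RGB )
-{
-$rgb = false;
-}
-}
-}
-
-if( empty($ImageData['channels']) )
-$ImageData['channels'] = 3; // Assume it's ok if we cannot detect it.
-
-if( $ImageData )
-{
-if( $rgb && ( $ImageData[2] == IMAGETYPE_JPEG || $ImageData[2] == IMAGETYPE_PNG ) && $ImageData[0] == $ImageData[1] && $ImageData[0] >= 1400 && $ImageData[0] <= 3000 && $ImageData['channels'] == 3 ) // Just check that it is an image, the correct image type and that the image is square
-{
-if( !move_uploaded_file($temp, $upload_path . $filename) )
-{
-powerpress_page_message_add_error( __('Error saving image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) .' - '. __('An error occurred saving the iTunes image on the server.', 'powerpress'). ' '. sprintf(__('Local folder: %s; File name: %s', 'powerpress'), $upload_path, $filename) );
-}
-else
-{
-$Feed['itunes_image'] = $upload_url . $filename;
-if( !empty($_POST['itunes_image_checkbox_as_rss']) )
-{
-$Feed['rss2_image'] = $upload_url . $filename;
-}
-
-//if( $ImageData[0] < 1400 || $ImageData[1] < 1400 )
-//{
-// powerpress_page_message_add_error( __('iTunes image warning', 'powerpress') .': '. htmlspecialchars($_FILES['itunes_image_file']['name']) . __(' is', 'powerpress') .' '. $ImageData[0] .' x '.$ImageData[0] .' - '. __('Image must be square 1400 x 1400 pixels or larger.', 'powerpress') );
-//}
-}
-}
-else if( $ImageData['channels'] != 3 || $rgb == false )
-{
-powerpress_page_message_add_error( __('Invalid image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) .' - '. __('Image must be in RGB color space (CMYK is not supported).', 'powerpress') );
-}
-else if( $ImageData[0] != $ImageData[1] )
-{
-powerpress_page_message_add_error( __('Invalid image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) .' - '. __('Image must be square, 1400 x 1400 is the required minimum size.', 'powerpress') );
-}
-else if( $ImageData[0] != $ImageData[1] || $ImageData[0] < 1400 )
-{
-powerpress_page_message_add_error( __('Invalid image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) .' - '. __('Image is too small, 1400 x 1400 is the required minimum size.', 'powerpress') );
-}
-else if( $ImageData[0] != $ImageData[1] || $ImageData[0] > 3000 )
-{
-powerpress_page_message_add_error( __('Invalid image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) .' - '. __('Image is too large, 3000 x 3000 is the maximum size allowed.', 'powerpress') );
-}
-else
-{
-powerpress_page_message_add_error( __('Invalid image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) );
-}
-}
-else
-{
-powerpress_page_message_add_error( __('Invalid image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) );
-}
-}
+
+//Make sure the file extension is alright
+$name = $_FILES['itunes_image_file']['name'];
+$ext = substr($name, strrpos($name, '.') + 1);
+
+if (!in_array(strtolower($ext), $acceptable_extensions)) {
+powerpress_page_message_add_error(__('Apple Podcasts image has an invalid file type: ' . $ext, 'powerpress') );
+} else {
+// Check the image...
+if (file_exists($temp)) {
+$ImageData = @getimagesize($temp);
+
+$rgb = true; // We assume it is RGB
+if (defined('POWERPRESS_IMAGICK') && POWERPRESS_IMAGICK) {
+if ($ImageData[2] == IMAGETYPE_PNG && extension_loaded('imagick')) {
+$image = new Imagick($temp);
+if ($image->getImageColorspace() != imagick::COLORSPACE_RGB) {
+$rgb = false;
+}
+}
+}
+
+if (empty($ImageData['channels']))
+$ImageData['channels'] = 3; // Assume it's ok if we cannot detect it.
+
+if ($ImageData) {
+if ($rgb && ($ImageData[2] == IMAGETYPE_JPEG || $ImageData[2] == IMAGETYPE_PNG) && $ImageData[0] == $ImageData[1] && $ImageData[0] >= 1400 && $ImageData[0] <= 3000 && $ImageData['channels'] == 3) // Just check that it is an image, the correct image type and that the image is square
+{
+$upload_result = wp_handle_upload($_FILES['itunes_image_file'], array('action' => $_POST['action'], 'test_form' => false));
+if (is_array($upload_result) && isset($upload_result['error'])) {
+powerpress_page_message_add_error(__('Error saving image', 'powerpress') . ': ' . $upload_result['error']);
+} elseif (is_array($upload_result) && isset($upload_result['url'])) {
+$Feed['itunes_image'] = $upload_result['url'];
+if (!empty($_POST['itunes_image_checkbox_as_rss'])) {
+$Feed['rss2_image'] = $upload_result['url'];
+}
+} else {
+powerpress_page_message_add_error(__('Error saving image', 'powerpress'));
+}
+} else if ($ImageData['channels'] != 3 || $rgb == false) {
+powerpress_page_message_add_error(__('Invalid image', 'powerpress') . ': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) . ' - ' . __('Image must be in RGB color space (CMYK is not supported).', 'powerpress'));
+} else if ($ImageData[0] != $ImageData[1]) {
+powerpress_page_message_add_error(__('Invalid image', 'powerpress') . ': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) . ' - ' . __('Image must be square, 1400 x 1400 is the required minimum size.', 'powerpress'));
+} else if ($ImageData[0] != $ImageData[1] || $ImageData[0] < 1400) {
+powerpress_page_message_add_error(__('Invalid image', 'powerpress') . ': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) . ' - ' . __('Image is too small, 1400 x 1400 is the required minimum size.', 'powerpress'));
+} else if ($ImageData[0] != $ImageData[1] || $ImageData[0] > 3000) {
+powerpress_page_message_add_error(__('Invalid image', 'powerpress') . ': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) . ' - ' . __('Image is too large, 3000 x 3000 is the maximum size allowed.', 'powerpress'));
+} else {
+powerpress_page_message_add_error(__('Invalid image', 'powerpress') . ': ' . htmlspecialchars($_FILES['itunes_image_file']['name']));
+}
+} else {
+powerpress_page_message_add_error(__('Invalid image', 'powerpress') . ': ' . htmlspecialchars($_FILES['itunes_image_file']['name']));
+}
+}
+}
 }
 
 // New RSS2 image
 if( !empty($_POST['rss2_image_checkbox']) )
 {
-$filename = str_replace(" ", "_", basename($_FILES['rss2_image_file']['name']) );
 $temp = $_FILES['rss2_image_file']['tmp_name'];
-
-if( file_exists($upload_path . $filename ) )
-{
-$filenameParts = pathinfo($filename);
-if( !empty($filenameParts['basename']) && !empty($filenameParts['extension']) )
-{
-do {
-$filename_no_ext = substr($filenameParts['basename'], 0, (strlen($filenameParts['extension'])+1) * -1 );
-$filename = sprintf('%s-%03d.%s', $filename_no_ext, rand(0, 999), $filenameParts['extension'] );
-} while( file_exists($upload_path . $filename ) );
-}
-}
-
-if( @getimagesize($temp) ) // Just check that it is an image, we may add more to this later
-{
-if( !move_uploaded_file($temp, $upload_path . $filename) )
-{
-powerpress_page_message_add_error( __('Error saving RSS image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) .' - '. __('An error occurred saving the RSS image on the server.', 'powerpress'). ' '. sprintf(__('Local folder: %s; File name: %s', 'powerpress'), $upload_path, $filename) );
-}
-else
-{
-$Feed['rss2_image'] = $upload_url . $filename;
-}
-}
-else
-{
-powerpress_page_message_add_error( __('Invalid RSS image', 'powerpress') .': '. htmlspecialchars($_FILES['rss2_image_file']['name']) );
-}
-}
-
-// New Google Play image
-if( !empty($_POST['googleplay_image_checkbox']) )
-{
-$filename = str_replace(" ", "_", basename($_FILES['googleplay_image_file']['name']) );
-$temp = $_FILES['googleplay_image_file']['tmp_name'];
-
-if( file_exists($upload_path . $filename ) )
-{
-$filenameParts = pathinfo($filename);
-if( !empty($filenameParts['extension']) ) {
-do {
-$filename_no_ext = substr($filenameParts['basename'], 0, (strlen($filenameParts['extension'])+1) * -1 );
-$filename = sprintf('%s-%03d.%s', $filename_no_ext, rand(0, 999), $filenameParts['extension'] );
-} while( file_exists($upload_path . $filename ) );
-}
-}
-
-// Check the image...
-if( file_exists($temp) )
-{
-$ImageData = @getimagesize($temp);
-
-$rgb = true; // We assume it is RGB
-if( defined('POWERPRESS_IMAGICK') && POWERPRESS_IMAGICK )
-{
-if( $ImageData[2] == IMAGETYPE_PNG && extension_loaded('imagick') )
-{
-$image = new Imagick( $temp );
-if( $image->getImageColorspace() != imagick::COLORSPACE_RGB )
-{
-$rgb = false;
-}
-}
-}
-
-if( empty($ImageData['channels']) )
-$ImageData['channels'] = 3; // Assume it's ok if we cannot detect it.
-
-if( $ImageData )
-{
-if( $rgb && ( $ImageData[2] == IMAGETYPE_JPEG || $ImageData[2] == IMAGETYPE_PNG ) && $ImageData[0] == $ImageData[1] && $ImageData[0] >= 1200 && $ImageData[0] <= 7000 && $ImageData['channels'] == 3 ) // Just check that it is an image, the correct image type and that the image is square
-{
-if( !move_uploaded_file($temp, $upload_path . $filename) )
-{
-powerpress_page_message_add_error( __('Error saving Google Play Music image', 'powerpress') .': ' . htmlspecialchars($_FILES['googleplay_image_file']['name']) .' - '. __('An error occurred saving the Google Play Music image on the server.', 'powerpress'). ' '. sprintf(__('Local folder: %s; File name: %s', 'powerpress'), $upload_path, $filename) );
-}
-else
-{
-$Feed['googleplay_image'] = $upload_url . $filename;
-if( $ImageData[0] < 1200 || $ImageData[1] < 1200 )
-{
-powerpress_page_message_add_error( __('Google Play Music image warning', 'powerpress') .': '. htmlspecialchars($_FILES['googleplay_image_file']['name']) . __(' is', 'powerpress') .' '. $ImageData[0] .' x '.$ImageData[0] .' - '. __('Image must be square 1200 x 1200 pixels or larger to be eligible for featuring.', 'powerpress') );
-}
-}
-}
-else if( $ImageData['channels'] != 3 || $rgb == false )
-{
-powerpress_page_message_add_error( __('Invalid Google Play Music image', 'powerpress') .': ' . htmlspecialchars($_FILES['googleplay_image_file']['name']) .' - '. __('Image must be in RGB color space (CMYK is not supported).', 'powerpress') );
-}
-else if( $ImageData[0] != $ImageData[1] )
-{
-powerpress_page_message_add_error( __('Invalid Google Play Music image', 'powerpress') .': ' . htmlspecialchars($_FILES['googleplay_image_file']['name']) .' - '. __('Image must be square, 1200 x 1200 is the required minimum size to be eligible for featuring.', 'powerpress') );
-}
-else if( $ImageData[0] != $ImageData[1] || $ImageData[0] < 600 )
-{
-powerpress_page_message_add_error( __('Invalid Google Play Music image', 'powerpress') .': ' . htmlspecialchars($_FILES['googleplay_image_file']['name']) .' - '. __('Image is too small, 1200 x 1200 is the required minimum size to be eligible for featuring.', 'powerpress') );
-}
-else if( $ImageData[0] != $ImageData[1] || $ImageData[0] > 7000 )
-{
-powerpress_page_message_add_error( __('Invalid Google Play Music image', 'powerpress') .': ' . htmlspecialchars($_FILES['googleplay_image_file']['name']) .' - '. __('Image is too large, 7000 x 7000 is the maximum size allowed.', 'powerpress') );
-}
-else
-{
-powerpress_page_message_add_error( __('Invalid Google Play Music image', 'powerpress') .': ' . htmlspecialchars($_FILES['googleplay_image_file']['name']) );
-}
-}
-else
-{
-powerpress_page_message_add_error( __('Invalid Google Play Music image', 'powerpress') .': ' . htmlspecialchars($_FILES['googleplay_image_file']['name']) );
-}
-}
+
+//Make sure the file extension is alright
+$name = $_FILES['rss2_image_file']['name'];
+$ext = substr($name, strrpos($name, '.') + 1);
+
+if (!in_array(strtolower($ext), $acceptable_extensions)) {
+powerpress_page_message_add_error(__('RSS2 image has an invalid file type: ' . $ext, 'powerpress') );
+} else {
+if (@getimagesize($temp)) // Just check that it is an image, we may add more to this later
+{
+$upload_result = wp_handle_upload($_FILES['rss2_image_file'], array('action' => $_POST['action'], 'test_form' => false));
+if (is_array($upload_result) && isset($upload_result['error'])) {
+powerpress_page_message_add_error(__('Error saving RSS image', 'powerpress') . ': ' . $upload_result['error']);
+} elseif (is_array($upload_result) && isset($upload_result['url'])) {
+$Feed['rss2_image'] = $upload_result['url'];
+} else {
+powerpress_page_message_add_error(__('Error saving RSS image', 'powerpress'));
+}
+} else {
+powerpress_page_message_add_error(__('Invalid RSS image', 'powerpress') . ': ' . htmlspecialchars($_FILES['rss2_image_file']['name']));
+}
+}
 }
 
 // New mp3 coverart image
 if( !empty($_POST['coverart_image_checkbox']) )
 {
-$filename = str_replace(" ", "_", basename($_FILES['coverart_image_file']['name']) );
 $temp = $_FILES['coverart_image_file']['tmp_name'];
-
-if( file_exists($upload_path . $filename ) )
-{
-$filenameParts = pathinfo($filename);
-do {
-$filename_no_ext = substr($filenameParts['basename'], 0, (strlen($filenameParts['extension'])+1) * -1 );
-$filename = sprintf('%s-%03d.%s', $filename_no_ext, rand(0, 999), $filenameParts['extension'] );
-} while( file_exists($upload_path . $filename ) );
-}
-
-if( @getimagesize($temp) ) // Just check that it is an image, we may add more to this later
-{
-if( !move_uploaded_file($temp, $upload_path . $filename) )
-{
-powerpress_page_message_add_error( __('Error saving Coverart image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) .' - '. __('An error occurred saving the coverart image on the server.', 'powerpress'). ' '. sprintf(__('Local folder: %s; File name: %s', 'powerpress'), $upload_path, $filename) );
-}
-else
-{
-$_POST['TagValues']['tag_coverart'] = $upload_url . $filename;
-$General['tag_coverart'] = $upload_url . $filename;
-}
-}
-else
-{
-powerpress_page_message_add_error( __('Invalid Coverat image', 'powerpress') .': ' . htmlspecialchars($_FILES['coverart_image_file']['name']) );
-}
+
+//Make sure the file extension is alright
+$name = $_FILES['coverart_image_file']['name'];
+$ext = substr($name, strrpos($name, '.') + 1);
+
+if (!in_array(strtolower($ext), $acceptable_extensions)) {
+powerpress_page_message_add_error(__('Coverart image has an invalid file type: ' . $ext, 'powerpress') );
+} else {
+if (@getimagesize($temp)) // Just check that it is an image, we may add more to this later
+{
+$upload_result = wp_handle_upload($_FILES['coverart_image_file'], array('action' => $_POST['action'], 'test_form' => false));
+if (is_array($upload_result) && isset($upload_result['error'])) {
+powerpress_page_message_add_error(__('Error saving Coverart image', 'powerpress') . ': ' . $upload_result['error']);
+} elseif (is_array($upload_result) && isset($upload_result['url'])) {
+$General['tag_coverart'] = $upload_result['url'];
+} else {
+powerpress_page_message_add_error(__('Error saving Coverart image', 'powerpress'));
+}
+} else {
+powerpress_page_message_add_error(__('Invalid Coverat image', 'powerpress') . ': ' . htmlspecialchars($_FILES['coverart_image_file']['name']));
+}
+}
 }
 
 // New poster image
 if( !empty($_POST['poster_image_checkbox']) )
 {
-$filename = str_replace(" ", "_", basename($_FILES['poster_image_file']['name']) );
 $temp = $_FILES['poster_image_file']['tmp_name'];
-
-if( file_exists($upload_path . $filename ) )
-{
-$filenameParts = pathinfo($filename);
-do {
-$filename_no_ext = substr($filenameParts['basename'], 0, (strlen($filenameParts['extension'])+1) * -1 );
-$filename = sprintf('%s-%03d.%s', $filename_no_ext, rand(0, 999), $filenameParts['extension'] );
-} while( file_exists($upload_path . $filename ) );
-}
-
-if( @getimagesize($temp) ) // Just check that it is an image, we may add more to this later
-{
-if( !move_uploaded_file($temp, $upload_path . $filename) )
-{
-powerpress_page_message_add_error( __('Error saving Poster image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) .' - '. __('An error occurred saving the poster image on the server.', 'powerpress'). ' '. sprintf(__('Local folder: %s; File name: %s', 'powerpress'), $upload_path, $filename) );
-}
-else
-{
-$General['poster_image'] = $upload_url . $filename;
-}
-}
-else
-{
-powerpress_page_message_add_error( __('Invalid poster image', 'powerpress') .': ' . htmlspecialchars($_FILES['poster_image_file']['name']) );
-}
+
+//Make sure the file extension is alright
+$name = $_FILES['poster_image_file']['name'];
+$ext = substr($name, strrpos($name, '.') + 1);
+
+if (!in_array(strtolower($ext), $acceptable_extensions)) {
+powerpress_page_message_add_error(__('Poster image has an invalid file type: ' . $ext, 'powerpress') );
+} else {
+if (@getimagesize($temp)) // Just check that it is an image, we may add more to this later
+{
+$upload_result = wp_handle_upload($_FILES['poster_image_file'], array('action' => $_POST['action'], 'test_form' => false));
+if (is_array($upload_result) && isset($upload_result['error'])) {
+powerpress_page_message_add_error(__('Error saving Poster image', 'powerpress') . ': ' . $upload_result['error']);
+} elseif (is_array($upload_result) && isset($upload_result['url'])) {
+$General['poster_image'] = $upload_result['url'];
+} else {
+powerpress_page_message_add_error(__('Error saving Poster image', 'powerpress'));
+}
+} else {
+powerpress_page_message_add_error(__('Invalid poster image', 'powerpress') . ': ' . htmlspecialchars($_FILES['poster_image_file']['name']));
+}
+}
 }
 
 
 // New audio play icon image
 if( !empty($_POST['audio_custom_play_button_checkbox']) )
 {
-$filename = str_replace(" ", "_", basename($_FILES['audio_custom_play_button_file']['name']) );
 $temp = $_FILES['audio_custom_play_button_file']['tmp_name'];
-
-if( file_exists($upload_path . $filename ) )
-{
-$filenameParts = pathinfo($filename);
-do {
-$filename_no_ext = substr($filenameParts['basename'], 0, (strlen($filenameParts['extension'])+1) * -1 );
-$filename = sprintf('%s-%03d.%s', $filename_no_ext, rand(0, 999), $filenameParts['extension'] );
-} while( file_exists($upload_path . $filename ) );
-}
-
-if( @getimagesize($temp) ) // Just check that it is an image, we may add more to this later
-{
-if( !move_uploaded_file($temp, $upload_path . $filename) )
-{
-powerpress_page_message_add_error( __('Error saving Play image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) .' - '. __('An error occurred saving the play image on the server.', 'powerpress'). ' '. sprintf(__('Local folder: %s; File name: %s', 'powerpress'), $upload_path, $filename) );
-}
-else
-{
-$General['audio_custom_play_button'] = $upload_url . $filename;
-}
-}
-else
-{
-powerpress_page_message_add_error( __('Invalid play icon image', 'powerpress') .': ' . htmlspecialchars($_FILES['audio_custom_play_button_file']['name']) );
-}
+
+//Make sure the file extension is alright
+$name = $_FILES['audio_custom_play_button_file']['name'];
+$ext = substr($name, strrpos($name, '.') + 1);
+
+if (!in_array(strtolower($ext), $acceptable_extensions)) {
+powerpress_page_message_add_error(__('Custom audio play button image has an invalid file type: ' . $ext, 'powerpress') );
+} else {
+if (@getimagesize($temp)) // Just check that it is an image, we may add more to this later
+{
+$upload_result = wp_handle_upload($_FILES['audio_custom_play_button_file'], array('action' => $_POST['action'], 'test_form' => false));
+if (is_array($upload_result) && isset($upload_result['error'])) {
+powerpress_page_message_add_error(__('Error saving Play image', 'powerpress') . ': ' . $upload_result['error']);
+} elseif (is_array($upload_result) && isset($upload_result['url'])) {
+$General['audio_custom_play_button'] = $upload_result['url'];
+} else {
+powerpress_page_message_add_error(__('Error saving Play image', 'powerpress'));
+}
+} else {
+powerpress_page_message_add_error(__('Invalid play icon image', 'powerpress') . ': ' . htmlspecialchars($_FILES['audio_custom_play_button_file']['name']));
+}
+}
 }
 
-// New video play icon image
+// New video play icon image powerpress-select-player
 if( !empty($_POST['video_custom_play_button_checkbox']) )
 {
-$filename = str_replace(" ", "_", basename($_FILES['video_custom_play_button_file']['name']) );
 $temp = $_FILES['video_custom_play_button_file']['tmp_name'];
-
-if( file_exists($upload_path . $filename ) )
-{
-$filenameParts = pathinfo($filename);
-do {
-$filename_no_ext = substr($filenameParts['basename'], 0, (strlen($filenameParts['extension'])+1) * -1 );
-$filename = sprintf('%s-%03d.%s', $filename_no_ext, rand(0, 999), $filenameParts['extension'] );
-} while( file_exists($upload_path . $filename ) );
-}
-
-$imageInfo = @getimagesize($temp);
-if( $imageInfo && $imageInfo[0] == $imageInfo[1] && $imageInfo[0] == 60 ) // Just check that it is an image, we may add more to this later
-{
-if( !move_uploaded_file($temp, $upload_path . $filename) )
-{
-powerpress_page_message_add_error( __('Error saving Video Play icon image', 'powerpress') .': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) .' - '. __('An error occurred saving the Video Play icon image on the server.', 'powerpress'). ' '. sprintf(__('Local folder: %s; File name: %s', 'powerpress'), $upload_path, $filename) );
-}
-else
-{
-$General['video_custom_play_button'] = $upload_url . $filename;
-}
-}
-else if( $imageInfo )
-{
-powerpress_page_message_add_error( __('Invalid play icon image size', 'powerpress') .': ' . htmlspecialchars($_FILES['video_custom_play_button_file']['name']) );
-}
-else
-{
-powerpress_page_message_add_error( __('Invalid play icon image', 'powerpress') .': ' . htmlspecialchars($_FILES['video_custom_play_button_file']['name']) );
-}
+
+//Make sure the file extension is alright
+$name = $_FILES['video_custom_play_button_file']['name'];
+$ext = substr($name, strrpos($name, '.') + 1);
+
+if (!in_array(strtolower($ext), $acceptable_extensions)) {
+powerpress_page_message_add_error(__('Custom video play button image has an invalid file type: ' . $ext, 'powerpress') );
+} else {
+$imageInfo = @getimagesize($temp);
+if ($imageInfo && $imageInfo[0] == $imageInfo[1] && $imageInfo[0] == 60) // Just check that it is an image, we may add more to this later
+{
+$upload_result = wp_handle_upload($_FILES['video_custom_play_button_file'], array('action' => $_POST['action'], 'test_form' => false));
+if (is_array($upload_result) && isset($upload_result['error'])) {
+powerpress_page_message_add_error(__('Error saving Video Play icon image', 'powerpress') . ': ' . $upload_result['error']);
+} elseif (is_array($upload_result) && isset($upload_result['url'])) {
+$General['video_custom_play_button'] = $upload_result['url'];
+} else {
+powerpress_page_message_add_error(__('Error saving Video Play icon image', 'powerpress'));
+}
+} else if ($imageInfo) {
+powerpress_page_message_add_error(__('Invalid play icon image size', 'powerpress') . ': ' . htmlspecialchars($_FILES['video_custom_play_button_file']['name']));
+} else {
+powerpress_page_message_add_error(__('Invalid play icon image', 'powerpress') . ': ' . htmlspecialchars($_FILES['video_custom_play_button_file']['name']));
+}
+}
 }
 
 if( isset($_POST['UpdateDisablePlayer']) )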
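Review bot: The extension check introduced at lines 134-135 (and repeated for the five other uploads) computes `$ext = substr($name, strrpos($name, '.') + 1)`, and when the client-supplied name contains no dot `strrpos()` returns false, `false + 1` is 1, and `$ext` becomes the name minus its first character, so a bare name such as `xpng` satisfies the jpg/jpeg/png allowlist; `$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );` yields the intended value and an empty string when there is none. The rejection message on line 138 concatenates that user-supplied `$ext` into the `__()` source string, which defeats translation lookup and, unlike the neighbouring messages that wrap the filename in `htmlspecialchars()`, hands it to the page unescaped — prefer `powerpress_page_message_add_error( __('Apple Podcasts image has an invalid file type', 'powerpress') . ': ' . htmlspecialchars( $ext ) );`. Routing the write through `wp_handle_upload()` on line 160 is the substantive fix, since it replaces `move_uploaded_file()` to a caller-chosen filename with core's own filename sanitisation and file-type verification; with `'test_form' => false` the `'action' => $_POST['action']` override is never consulted, so it can be dropped rather than raise an undefined-index notice when the form carries no `action` field. `wp_handle_upload()` lives in wp-admin/includes/file.php, so if powerpress_admin_init() can run outside a regular wp-admin page load it needs `require_once ABSPATH . 'wp-admin/includes/file.php';` first — not determinable from the hunk. powerpress_admin_init() begins before and continues past both hunks, so whether a capability check precedes the `check_admin_referer()` on line 117 is outside view.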
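--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: podcasting, podcast, podcaster, powerpress, itunes, apple, apple podcasts,
 Requires at least: 3.6
 Requires PHP: 5.2
 Tested up to: 5.5
-Stable tag: 8.3.7
+Stable tag: 8.3.8
 Donate link: https://create.blubrry.com/resources/podcast-media-hosting/
 License: GPLv2 or later
 
@@ -236,6 +236,11 @@ To install Blubrry PowerPress manually, follow these steps:
 = Fan of PowerPress and want to show your support? =
 If you are a fan of PowerPress, we would greatly appreciate it if you could take a moment and [leave us a review on WordPress.org](https://wordpress.org/support/plugin/powerpress/reviews/?rate=5#new-post). Your support is greatly appreciated!
 
+= 8.3.8 =
+* Released 10/08/2020
+* Fixed a security vulnerability concerning image uploads
+* Small bugfix so that welcome tab of settings page shows the correct feed info
+
 = 8.3.7 =
 * Released 08/31/2020
 * Fixed a bug that was displaying subscribe links that had not been set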
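--- a/views/onboarding/show_basics.php
+++ b/views/onboarding/show_basics.php
@@ -26,40 +26,30 @@ if (isset($_FILES['itunes_image_file'])) {
 break;
 }
 }
-$upload_path = false;
-$upload_url = false;
-$error = false;
-$UploadArray = wp_upload_dir();
-if( false === $UploadArray['error'] )
-{
-$upload_path = $UploadArray['basedir'].'/powerpress/';
-$upload_url = $UploadArray['baseurl'].'/powerpress/';
-}
-$filename = str_replace(" ", "_", basename($_FILES['itunes_image_file']['name']) );
+
 $temp = $_FILES['itunes_image_file']['tmp_name'];
 
-if( file_exists($upload_path . $filename ) )
-{
-$filenameParts = pathinfo($filename);
-if( !empty($filenameParts['extension']) ) {
-do {
-$filename_no_ext = substr($filenameParts['basename'], 0, (strlen($filenameParts['extension'])+1) * -1 );
-$filename = sprintf('%s-%03d.%s', $filename_no_ext, rand(0, 999), $filenameParts['extension'] );
-} while( file_exists($upload_path . $filename ) );
-}
-}
+//Make sure the file extension is alright
+$acceptable_extensions = ['jpg', 'jpeg', 'png'];
+$name = $_FILES['itunes_image_file']['name'];
+$ext = substr($name, strrpos($name, '.') + 1);
 
-// Check the image...
-if( file_exists($temp) )
-{
-if (!file_exists($upload_path)) {
-mkdir($upload_path, 0777, true);
-}
-if (!move_uploaded_file($temp, $upload_path . $filename)) {
-powerpress_page_message_add_error(__('Error saving Apple Podcasts image', 'powerpress') . ': ' . htmlspecialchars($_FILES['itunes_image_file']['name']) . ' - ' . __('An error occurred saving the iTunes image on the server.', 'powerpress') . ' ' . sprintf(__('Local folder: %s; File name: %s', 'powerpress'), $upload_path, $filename));
-$error = true;
-} else {
-$previewImageURL = $upload_url . $filename;
+if (!in_array(strtolower($ext), $acceptable_extensions)) {
+powerpress_page_message_add_error(__('Image has an invalid file type: ' . $ext, 'powerpress') );
+$error = true;
+} else {
+// Check the image...
+if (file_exists($temp)) {
+$upload_result = wp_handle_upload($_FILES['itunes_image_file'], array('test_form' => false));
+if (is_array($upload_result) && isset($upload_result['error'])) {
+powerpress_page_message_add_error(__('Error saving Apple Podcasts image', 'powerpress') . ': ' . $upload_result['error']);
+$error = true;
+} elseif (is_array($upload_result) && isset($upload_result['url'])) {
+$previewImageURL = $upload_result['url'];
+} else {
+powerpress_page_message_add_error(__('Error saving Apple Podcasts image', 'powerpress'));
+$error = true;
+}
+}
 }
 }
 }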
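Review bot: The rejection message on new line 38, `__('Image has an invalid file type: ' . $ext, 'powerpress')`, puts the extension taken from the attacker-chosen upload filename into an admin notice with no escaping, whereas the other error paths in this plugin pass the filename through `htmlspecialchars`; unless `powerpress_page_message_add_error` escapes on output (not visible here), a crafted filename renders as markup on the settings page, and concatenating the input into the msgid also makes the string untranslatable. The extension derivation on new line 35, `substr($name, strrpos($name, '.') + 1)`, degrades to `substr($name, 1)` when the name contains no dot because `strrpos` returns `false`, so a dotless name ending in `png` passes the whitelist and only the later `wp_handle_upload` type check stands between it and disk. I would replace those lines with `$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));`, `if (!in_array($ext, $acceptable_extensions, true)) {` and `powerpress_page_message_add_error(sprintf(__('Image has an invalid file type: %s', 'powerpress'), htmlspecialchars($ext)));`. The whitelist should be documented as a pre-filter rather than the security boundary, e.g. `// Extension whitelist is a cheap pre-check; wp_handle_upload() performs the real MIME/content validation`. Old line 31's `$error = false;` was dropped while the new branches still set `$error = true;`, so whatever reads `$error` after this block (the enclosing `if (isset($_FILES['itunes_image_file']))` starts and ends outside the hunk) should be confirmed to cope with it being undefined on the success path.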