VaultPress - Version 1.8.3

Version Description

  • 26 May 2016
  • Security: Hotfix for certain versions of Jetpack

Release Info

Developer benedictsinger
Version 1.8.3

Code changes from version 1.8.2 to 1.8.3

Files changed (3)
  1. class.vaultpress-hotfixes.php +69 -1
  2. readme.txt +4 -1
  3. vaultpress.php +2 -2
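--- a/class.vaultpress-hotfixes.php
+++ b/class.vaultpress-hotfixes.php
@@ -103,6 +103,9 @@ class VaultPress_Hotfixes {
  // Protect WooCommerce from object injection via PayPal IPN notifications. Affects 2.0.20 -> 2.3.10
  add_action( 'init', array( $this , 'protect_woocommerce_paypal_object_injection' ), 1 );
 
+ // Protect Jetpack from comments-based XSS attack
+ add_action( 'plugins_loaded', array( $this, 'protect_jetpack_402_from_oembed_xss' ), 1 );
+
  if ( version_compare( $wp_version, '3.1', '>=') && version_compare( $wp_version, '4.3', '<=' ) ) {
  if ( is_admin() ) {
  add_filter( 'user_email', array( $this, 'patch_user_email' ), 10 , 3 );
@@ -117,7 +120,72 @@ class VaultPress_Hotfixes {
  // Protect Akismet < 3.1.5 from stored XSS in admin page
  add_filter( 'init', array( $this, 'protect_akismet_comment_xss' ), 50 );
  }
-
+
+ function protect_jetpack_402_from_oembed_xss() {
+ if ( $this->needs_jetpack_402_fix() ) {
+ add_filter( 'jetpack_comments_allow_oembed', array( $this, 'disable_jetpack_oembed' ) );
+ }
+ }
+
+ function needs_jetpack_402_fix() {
+ if ( ! defined( 'JETPACK__VERSION' ) ) {
+ return false;
+ }
+
+ if ( version_compare( JETPACK__VERSION, '2.0.7', '<' ) ) {
+ return true;
+ }
+
+ if ( version_compare( JETPACK__VERSION, '4.0.2', '>' ) ) {
+ return false;
+ }
+
+ $secure_jetpacks = array(
+ '2.1' => '2.1.5',
+ '2.2' => '2.2.8',
+ '2.3' => '2.3.8',
+ '2.4' => '2.4.5',
+ '2.5' => '2.5.3',
+ '2.6' => '2.6.4',
+ '2.7' => '2.7.3',
+ '2.8' => '2.8.3',
+ '2.9' => '2.9.4',
+ '3.0' => '3.0.4',
+ '3.1' => '3.1.3',
+ '3.2' => '3.2.3',
+ '3.3' => '3.3.4',
+ '3.4' => '3.4.4',
+ '3.5' => '3.5.4',
+ '3.6' => '3.6.2',
+ '3.7' => '3.7.3',
+ '3.8' => '3.8.3',
+ '3.9' => '3.9.7',
+ '4.0' => '4.0.3',
+ );
+
+ $parts = explode( '.', JETPACK__VERSION, 3 );
+ if ( count( $parts ) < 2 ) {
+ // no/not enough periods in the version;
+ return false;
+ }
+
+ // pull out the first two components, cast to int to get rid of weird 'beta2' junk
+ $int_parts = array();
+ $int_parts[0] = intval( $parts[0] );
+ $int_parts[1] = intval( $parts[1] );
+
+ // and find the secure version for this branch
+ $branch = sprintf( '%d.%d', $int_parts[0], $int_parts[1] );
+ if ( ! isset( $secure_jetpacks[ $branch ] ) ) {
+ return false;
+ }
+ return version_compare( JETPACK__VERSION, $secure_jetpacks[ $branch ], '<' );
+ }
+
+ function disable_jetpack_oembed( $enabled ) {
+ return false;
+ }
+
  function filter_long_comment_xss( $commentdata ) {
  if ( strlen( $commentdata['comment_content'] ) > 65500 )
  wp_die( 'Comment too long', 'Invalid comment' );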
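Review bot: `needs_jetpack_402_fix()` carries the whole decision rule for this hotfix but has no docblock, and the `'4.0' => '4.0.3'` table entry is partly shadowed by the earlier `> 4.0.2` guard, which already returns false for 4.0.3 and later, so the table entry is only consulted for 4.0.0–4.0.2 and a reader has to reconcile the two checks to see that the rule is consistent. I would add a docblock above `function needs_jetpack_402_fix()` stating that it returns true when the loaded Jetpack is older than 2.0.7 or older than the first patched release of its minor branch, and false when Jetpack is not loaded, is newer than 4.0.2, has a version string without at least two dotted components, or is on a branch missing from the table; a one-line comment on the `4.0.2` guard noting that it caps the table lookup would make the overlap deliberate. `disable_jetpack_oembed( $enabled )` also deserves a short docblock saying the incoming filter value is intentionally ignored so `jetpack_comments_allow_oembed` always yields false while the fix is active. The enclosing `VaultPress_Hotfixes` class and the body of `filter_long_comment_xss` continue outside the hunk.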
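--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: automattic, apokalyptik, briancolinger, josephscott, shaunandrews,
  Tags: security, malware, virus, archive, back up, back ups, backup, backups, scanning, restore, wordpress backup, site backup, website backup
  Requires at least: 3.2
  Tested up to: 4.5
- Stable tag: 1.8.2
+ Stable tag: 1.8.3
  License: GPLv2
 
  VaultPress is a subscription service offering realtime backup, automated security scanning, and support from WordPress experts.
@@ -51,6 +51,9 @@ A VaultPress subscription is for a single WordPress site. You can purchase addit
  Yes, VaultPress supports Multisite installs. Each site will require its own subscription.
 
  == Changelog ==
+ = 1.8.3 - 26 May 2016 =
+ * Security: Hotfix for certain versions of Jetpack
+
  = 1.8.2 - 11 May 2016 =
  * Workaround for some versions of mod_security.
 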
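--- a/vaultpress.php
+++ b/vaultpress.php
@@ -3,7 +3,7 @@
  * Plugin Name: VaultPress
  * Plugin URI: http://vaultpress.com/?utm_source=plugin-uri&amp;utm_medium=plugin-description&amp;utm_campaign=1.0
  * Description: Protect your content, themes, plugins, and settings with <strong>realtime backup</strong> and <strong>automated security scanning</strong> from <a href="http://vaultpress.com/?utm_source=wp-admin&amp;utm_medium=plugin-description&amp;utm_campaign=1.0" rel="nofollow">VaultPress</a>. Activate, enter your registration key, and never worry again. <a href="http://vaultpress.com/help/?utm_source=wp-admin&amp;utm_medium=plugin-description&amp;utm_campaign=1.0" rel="nofollow">Need some help?</a>
- * Version: 1.8.2
+ * Version: 1.8.3
  * Author: Automattic
  * Author URI: http://vaultpress.com/?utm_source=author-uri&amp;utm_medium=plugin-description&amp;utm_campaign=1.0
  * License: GPL2+
@@ -18,7 +18,7 @@ class VaultPress {
  var $option_name = 'vaultpress';
  var $auto_register_option = 'vaultpress_auto_register';
  var $db_version = 4;
- var $plugin_version = '1.8.2';
+ var $plugin_version = '1.8.3';
 
  function __construct() {
  register_activation_hook( __FILE__, array( $this, 'activate' ) );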