WebP Express - Version 0.14.1

Version Description

(released: 15 jun 2019)

  • Strengthened security

Release Info

Developer rosell.dk
Version 0.14.1

Code changes from version 0.14.0 to 0.14.1

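--- a/README.txt
+++ b/README.txt
@@ -605,7 +605,12 @@ Easy enough! - [Go here!](https://ko-fi.com/rosell). Or [here](https://buymeacof
 
 == Changelog ==
 
-= 0.14.0-beta =
+= 0.14.1 =
+*(released: 15 jun 2019)*
+
+* Strengthened security
+
+= 0.14.0 =
 *(released: 15 jun 2019)*
 
 * Added new "encoding" option, which can be set to auto. This can in some cases dramatically reduce the size of the webp. It is supported by all converters except ewww and gd.
@@ -797,6 +802,9 @@ For older releases, check out changelog.txt
 
 == Upgrade Notice ==
 
+= 0.14.1 =
+Strengthening security
+
 = 0.14.0 =
 New awesome conversion options that gets you even smaller webp files without compromising quality.
 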
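--- a/lib/classes/BulkConvert.php
+++ b/lib/classes/BulkConvert.php
@@ -198,6 +198,11 @@ class BulkConvert
 
 public static function processAjaxListUnconvertedFiles()
 {
+if (!check_ajax_referer('webpexpress-ajax-list-unconverted-files-nonce', 'nonce', false)) {
+wp_send_json_error('Invalid security nonce (it has probably expired - try refreshing)');
+wp_die();
+}
+
 $config = Config::loadConfigAndFix();
 $arr = self::getList($config);
 echo json_encode($arr, JSON_UNESCAPED_SLASHES | JSON_NUMERIC_CHECK | JSON_PRETTY_PRINT);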
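Review bot: The nonce check added at the top of processAjaxListUnconvertedFiles() stops CSRF but does not authorize the caller, and no capability check is visible in the hunk; a nonce only proves the request originated from a page that embedded it. Unless the `wp_ajax_` hook registration (not shown here) already gates this, add `if (!current_user_can('manage_options')) { wp_send_json_error('Not allowed'); }` ahead of the nonce check so the file listing is never served to a lower-privileged logged-in user. Separately, the `wp_die();` after `wp_send_json_error(...)` is unreachable, since `wp_send_json_error()` already terminates the request via `wp_die()`, and can be dropped. The function's closing brace lies outside the hunk.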
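--- a/lib/classes/CachePurge.php
+++ b/lib/classes/CachePurge.php
@@ -147,6 +147,11 @@ class CachePurge
 public static function processAjaxPurgeCache()
 {
 
+if (!check_ajax_referer('webpexpress-ajax-purge-cache-nonce', 'nonce', false)) {
+wp_send_json_error('Invalid security nonce (it has probably expired - try refreshing)');
+wp_die();
+}
+
 $onlyPng = ($_POST['only-png'] == 'true');
 
 $config = Config::loadConfigAndFix();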
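Review bot: The line right after the new nonce block, `$onlyPng = ($_POST['only-png'] == 'true');`, still reads the POST key without an `isset` guard and with loose comparison, so a request that omits the field raises an undefined-index notice before the purge runs; `$onlyPng = (isset($_POST['only-png']) && $_POST['only-png'] === 'true');` is the safe form and preserves the existing true/false semantics. As with the other AJAX handlers, the nonce proves origin, not privilege; if the `wp_ajax_` registration (not visible) is not restricted, a `current_user_can('manage_options')` check belongs here too, because this handler deletes files. processAjaxPurgeCache() continues past the end of the hunk.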
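--- a/lib/classes/Convert.php
+++ b/lib/classes/Convert.php
@@ -69,6 +69,11 @@ class Convert
 
 public static function processAjaxConvertFile()
 {
+if (!check_ajax_referer('webpexpress-ajax-convert-nonce', 'nonce', false)) {
+wp_send_json_error('Invalid security nonce (it has probably expired - try refreshing)');
+wp_die();
+}
+
 $filename = $_POST['filename'];
 
 if (isset($_POST['config-overrides'])) {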
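Review bot: `$filename = $_POST['filename'];` directly below the new nonce check is still an unvalidated absolute path supplied by the client, and the nonce only guarantees the request came from the plugin's own page, not that the path is one the plugin should touch. If nothing later in processAjaxConvertFile() (its body continues beyond the hunk) canonicalizes the path, add a check such as `$real = realpath($filename); if ($real === false || strpos($real, Paths::getUploadDirAbs()) !== 0) { wp_send_json_error('Invalid filename'); }` restricted to the directories the plugin is configured to convert from. The same nonce is shared by the bulk-convert and test-convert callers, which is fine, but means it cannot be used to distinguish the two entry points if their allowed roots ever differ.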
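--- a/lib/classes/ConvertLog.php
+++ b/lib/classes/ConvertLog.php
@@ -9,6 +9,10 @@ class ConvertLog
 {
 public static function processAjaxViewLog()
 {
+if (!check_ajax_referer('webpexpress-ajax-view-log-nonce', 'nonce', false)) {
+wp_send_json_error('Invalid security nonce (it has probably expired - try refreshing)');
+wp_die();
+}
 $source = $_POST['source'];
 
 $logFile = ConvertHelperIndependent::getLogFilename($source, Paths::getLogDirAbs());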
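Review bot: `$source = $_POST['source'];` is passed straight into `getLogFilename($source, Paths::getLogDirAbs())`, and the new nonce check does nothing to constrain that value; whether `../` segments in `source` can steer `$logFile` outside the log directory depends on how getLogFilename() builds the name, which is not visible here. Before the file is read (later in processAjaxViewLog(), outside the hunk), verify the resolved path is inside the log root: `$logRoot = realpath(Paths::getLogDirAbs()); $real = realpath($logFile); if ($real === false || strpos($real, $logRoot . DIRECTORY_SEPARATOR) !== 0) { wp_send_json_error('Invalid log path'); }`. Also `wp_die();` after `wp_send_json_error()` is dead code, as that function already terminates the request.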
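--- a/lib/classes/DismissableMessages.php
+++ b/lib/classes/DismissableMessages.php
@@ -74,6 +74,10 @@ class DismissableMessages
 }
 
 public static function processAjaxDismissMessage() {
+/*
+We have no security nonce here. Dismissing a message is not harmful and dismissMessage($id) do anything harmful, no matter what you
+send in the "id"
+*/
 $id = $_POST['id'];
 self::dismissMessage($id);
 }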
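Review bot: The new comment justifying the missing nonce is both garbled and not something the hunk demonstrates: it reads "dismissMessage($id) do anything harmful", presumably meaning "does not do anything harmful", yet `$_POST['id']` is persisted by dismissMessage() with no length or character restriction visible here, so an unauthenticated or cross-site request can write arbitrary strings into whatever store that method uses. Since every sibling handler in this release already follows the same three-line pattern, the cheaper and more consistent fix is to add `if (!check_ajax_referer('webpexpress-ajax-dismiss-message-nonce', 'nonce', false)) { wp_send_json_error('Invalid security nonce'); }` here too and embed that nonce alongside the others, rather than document the exception. If the nonce is deliberately omitted, at least reword the comment to "dismissMessage($id) does nothing harmful regardless of the id sent" and bound the input with `$id = isset($_POST['id']) ? sanitize_text_field($_POST['id']) : '';`.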
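--- a/lib/options/enqueue_scripts.php
+++ b/lib/options/enqueue_scripts.php
@@ -6,7 +6,7 @@ use \WebPExpress\Paths;
 include_once __DIR__ . '/../classes/Config.php';
 use \WebPExpress\Config;
 
-$version = '0.14.0';
+$version = '0.14.1';
 
 
 if (!function_exists('webp_express_add_inline_script')) {
@@ -86,6 +86,14 @@ if (!(isset($config['operation-mode']) && ($config['operation-mode'] == 'no-conv
 //wp_enqueue_script('api_keys');
 
 wp_register_script( 'page', plugins_url('js/page.js', __FILE__), [], $version);
+webp_express_add_inline_script(
+'page',
+'window.webpExpressAjaxConvertNonce = "' . wp_create_nonce('webpexpress-ajax-convert-nonce') . '";' .
+'window.webpExpressAjaxListUnconvertedFilesNonce = "' . wp_create_nonce('webpexpress-ajax-list-unconverted-files-nonce') . '";' .
+'window.webpExpressAjaxPurgeCacheNonce = "' . wp_create_nonce('webpexpress-ajax-purge-cache-nonce') . '";' .
+'window.webpExpressAjaxViewLogNonce = "' . wp_create_nonce('webpexpress-ajax-view-log-nonce') . '";',
+'before'
+);
 wp_enqueue_script('page');
 
 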
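Review bot: The four `window.webpExpress...Nonce = "' . wp_create_nonce(...) . '";'` lines splice server values into JavaScript source by plain string concatenation; `wp_create_nonce()` returns a short hex token today, so nothing breaks out, but the pattern relies on that and not on escaping. The escape-safe form is `'window.webpExpressAjaxConvertNonce = ' . wp_json_encode(wp_create_nonce('webpexpress-ajax-convert-nonce')) . ';'` for each of the four, or a single `wp_localize_script('page', 'webpExpressNonces', [...])` call, which WordPress escapes for you. Whether this inline script is emitted only on the plugin's own settings screen is not visible in the hunk; nonces are per-user and per-action, but they should still only be generated on pages the intended role can reach.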
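--- a/lib/options/js/bulk-convert.js
+++ b/lib/options/js/bulk-convert.js
@@ -5,9 +5,17 @@ function openBulkConvertPopup() {
 
 var data = {
 'action': 'list_unconverted_files',
-//'whatever': ajax_object.we_value // We pass php values differently!
+'nonce' : window.webpExpressAjaxListUnconvertedFilesNonce,
 };
 jQuery.post(ajaxurl, data, function(response) {
+if ((typeof response == 'object') && (response['success'] == false)) {
+html = '<h1>Error</h1>';
+if (response['data'] && ((typeof response['data']) == 'string')) {
+html += response['data'];
+}
+document.getElementById('bulkconvertcontent').innerHTML = html;
+return
+}
 var bulkInfo = {
 'groups': JSON.parse(response),
 'groupPointer': 0,
@@ -138,10 +146,20 @@ function webpexpress_viewLog(groupPointer, filePointer) {
 url: ajaxurl,
 data: {
 'action': 'webpexpress_view_log',
+'nonce' : window.webpExpressAjaxViewLogNonce,
 'source': source
 },
 success: (response) => {
 //alert(response);
+if ((typeof response == 'object') && (response['success'] == false)) {
+html = '<h1>Error</h1>';
+if (response['data'] && ((typeof response['data']) == 'string')) {
+html += response['data'];
+}
+document.getElementById('conversionlog_content').innerHTML = html;
+return
+}
+
 var result = JSON.parse(response);
 var html = '<h1>Conversion log</h1><br>' + result;
 document.getElementById('conversionlog_content').innerHTML = html;
@@ -189,12 +207,22 @@ function convertNextInBulkQueue() {
 
 var data = {
 'action': 'convert_file',
+'nonce' : window.webpExpressAjaxConvertNonce,
 'filename': group.root + '/' + filename
 
 //'whatever': ajax_object.we_value // We pass php values differently!
 };
 
 function responseCallback(response){
+if ((typeof response == 'object') && (response['success'] == false)) {
+html = '<h1>Error</h1>';
+if (response['data'] && ((typeof response['data']) == 'string')) {
+html += response['data'];
+}
+logLn(html);
+return
+}
+
 var result = typeof response.requestError !== 'boolean' ? JSON.parse(response) : {
 success: false,
 msg: '',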
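Review bot: `html = '<h1>Error</h1>';` in the new error branches of openBulkConvertPopup() and responseCallback() assigns to an identifier that is never declared in those functions, which creates an implicit global (and throws a ReferenceError if the file is ever run under strict mode); write `var html = '<h1>Error</h1>';` in both. The webpexpress_viewLog branch is covered by the hoisted `var html` a few lines below it, so only the first and third hunks are affected, unless a declaration exists elsewhere in those functions outside the hunk. The same branches also concatenate the server-supplied `response['data']` into `innerHTML`; the string currently comes from the plugin's own `wp_send_json_error` message, but rendering it with `textContent` or `document.createTextNode` would keep that true even if the server message ever echoes input.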
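--- a/lib/options/js/purge-cache.js
+++ b/lib/options/js/purge-cache.js
@@ -16,11 +16,21 @@ function openDeleteConvertedFilesPopup() {
 function purgeCache(onlyPng) {
 var data = {
 'action': 'webpexpress_purge_cache',
+'nonce' : window.webpExpressAjaxPurgeCacheNonce,
 'only-png': onlyPng
 };
 jQuery.post(ajaxurl, data, function(response) {
+if ((typeof response == 'object') && (response['success'] == false)) {
+if (response['data'] && ((typeof response['data']) == 'string')) {
+alert(response['data']);
+} else {
+alert('Something failed');
+}
+return;
+}
+
 var result = JSON.parse(response);
-console.log(result);
+//console.log(result);
 
 if (result['fail-count'] == 0) {
 if (result['delete-count'] == 0) {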
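Review bot: `var result = JSON.parse(response);` still assumes a string, but the new guard above it only intercepts objects whose `success` is false; jQuery parses any response served with an `application/json` content type (which is what `wp_send_json_*` emits), so a future success-shaped JSON object would reach `JSON.parse` and throw on `"[object Object]"`. A one-line hardening is `var result = (typeof response == 'object') ? response : JSON.parse(response);`, which keeps today's behavior for the plain `echo json_encode(...)` reply. purgeCache() continues past the end of the hunk.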
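--- a/lib/options/js/test-convert.js
+++ b/lib/options/js/test-convert.js
@@ -130,6 +130,7 @@ function runTestConversion() {
 
 var data = {
 'action': 'convert_file',
+'nonce': window.webpExpressAjaxConvertNonce,
 'filename': window.webpExpressPaths['filePaths']['webpExpressRoot'] + '/test/' + elTxt('image'),
 "converter": elTxt("converter"),
 'config-overrides': JSON.stringify(configOverrides)
@@ -189,18 +190,22 @@ function processLogMoveOptions(thelog) {
 
 function convertResponseCallback(response){
 
-
 if (typeof response.requestError == 'boolean') {
 document.getElementById('tc_conversion_result').innerHTML = '<h1 style="color:red">An error occured!</h1>';
 //console.log('response', response);
 return;
 }
+if ((response['success'] === false) && response['data']) {
+document.getElementById('tc_conversion_result').innerHTML = '<h1 style="color:red">An error occured</h1>' + response['data'];
+return;
+}
 
-if (response[0] != '{') {
+if ((typeof response == 'string') && (response[0] != '{')) {
 document.getElementById('tc_conversion_result').innerHTML =
 '<h1 style="color:red">Response was not JSON</h1><p>The following was returned:</p>' + response;
 return;
 }
+
 var result = JSON.parse(response);
 result['log'] = processLogMoveOptions(result['log']);
 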
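Review bot: The new branch in convertResponseCallback() writes `response['data']` into `innerHTML` as markup; today that string is the plugin's own fixed nonce message, but the code should not depend on the server never echoing request data back in an error. Replace the one assignment with `var el = document.getElementById('tc_conversion_result'); el.innerHTML = '<h1 style="color:red">An error occurred</h1>'; el.appendChild(document.createTextNode(response['data']));` (this also fixes the "occured" typo in the new heading). The tightened `typeof response == 'string'` check means an object response that is not an error now falls through to `JSON.parse(response)` and throws; guarding with `var result = (typeof response == 'object') ? response : JSON.parse(response);` closes that gap. convertResponseCallback() continues beyond the hunk.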
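--- a/lib/options/page.php
+++ b/lib/options/page.php
@@ -87,7 +87,7 @@ foreach (Paths::getHTAccessDirs() as $dir) {
 
 //echo 'Working converters:' . print_r($workingConverters, true) . '<br>';
 // Generate a custom nonce value.
-$webpexpress_settings_nonce = wp_create_nonce('webpexpress_settings_nonce');
+$webpexpressSaveSettingsNonce = wp_create_nonce('webpexpress-save-settings-nonce');
 ?>
 
 <?php
@@ -100,7 +100,7 @@ $actionUrl = admin_url('admin-post.php');
 echo '<form id="webpexpress_settings" action="' . esc_url($actionUrl) . '" method="post" >';
 ?>
 <input type="hidden" name="action" value="webpexpress_settings_submit">
-<input type="hidden" name="_wpnonce" value="<?php echo $webpexpressSaveSettingsNonce ?>" />
+<input type="hidden" name="_wpnonce" value="<?php echo $webpexpressSaveSettingsNonce ?>" />
 
 <fieldset class="block buttons">
 <table>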
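Review bot: The rewritten hidden input echoes the nonce into an attribute unescaped (`value="<?php echo $webpexpressSaveSettingsNonce ?>"`); a WordPress nonce is a short hex string so it cannot break the attribute, but the plugin's own `esc_url($actionUrl)` two lines up shows the convention, and `esc_attr()` costs nothing. The idiomatic replacement for both hunks is to drop the `wp_create_nonce` assignment in the first hunk and emit `<?php wp_nonce_field('webpexpress-save-settings-nonce'); ?>` in place of the hidden input, which produces the same `_wpnonce` field (already escaped) plus the `_wp_http_referer` field that `check_admin_referer()` in submit.php also validates.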
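--- a/lib/options/submit.php
+++ b/lib/options/submit.php
@@ -9,6 +9,8 @@ use \WebPExpress\Messenger;
 use \WebPExpress\Paths;
 
 
+check_admin_referer('webpexpress-save-settings-nonce');
+
 DismissableMessages::dismissMessage('0.14.0/say-hello-to-vips');
 
 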
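Review bot: `check_admin_referer('webpexpress-save-settings-nonce');` is the right CSRF guard for a form posted to admin-post.php, but it is not an authorization check, and none is visible in the hunk; `admin_post_{action}` handlers run for any logged-in user, so unless the action registration (outside this file section) is gated, a subscriber who obtains a valid nonce for their own session can still reach the settings writer below. Add `if (!current_user_can('manage_options')) { wp_die('You do not have permission to change WebP Express settings.'); }` immediately after the referer check. The script is a flat file whose remaining statements continue beyond the hunk.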
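--- a/web-service/wpc.php
+++ b/web-service/wpc.php
@@ -34,18 +34,6 @@ $options['access'] = [
 'whitelist' => $webServiceConfig['whitelist']
 ];
 
-/*
-$options['access'] = [
-'whitelist' => [
-[
-'label' => 'testing',
-'ip' => '127.0.0.1',
-'api-key' => 'my dog is white',
-'require-api-key-to-be-hashed-in-transfer' => false,
-]
-]
-]; */
-
 $options['webp-convert'] = Config::generateWodOptionsFromConfigObj($config);
 
 WebPConvertCloudService::handleRequest($options);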
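--- a/webp-express.php
+++ b/webp-express.php
@@ -3,7 +3,7 @@
 * Plugin Name: WebP Express
 * Plugin URI: https://github.com/rosell-dk/webp-express
 * Description: Serve autogenerated WebP images instead of jpeg/png to browsers that supports WebP. Works on anything (media library images, galleries, theme images etc).
-* Version: 0.14.0
+* Version: 0.14.1
 * Author: Bjørn Rosell
 * Author URI: https://www.bitwise-it.dk
 * License: GPL2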