WebP Express - Version 0.14.1

Version Description

(released: 15 jun 2019)

  • Strengthened security

Release Info

Developer rosell.dk
Version 0.14.1

Code changes from version 0.14.0 to 0.14.1

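--- a/README.txt
+++ b/README.txt
@@ -605,7 +605,12 @@
 
 == Changelog ==
 
-= 0.14.0-beta =
+= 0.14.1 =
+*(released: 15 jun 2019)*
+
+* Strengthened security
+
+= 0.14.0 =
 *(released: 15 jun 2019)*
 
 * Added new "encoding" option, which can be set to auto. This can in some cases dramatically reduce the size of the webp. It is supported by all converters except ewww and gd.
@@ -797,6 +802,9 @@
 
 == Upgrade Notice ==
 
+= 0.14.1 =
+Strengthening security
+
 = 0.14.0 =
 New awesome conversion options that gets you even smaller webp files without compromising quality.
 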
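--- a/lib/classes/BulkConvert.php
+++ b/lib/classes/BulkConvert.php
@@ -198,6 +198,11 @@ class BulkConvert
 
 public static function processAjaxListUnconvertedFiles()
 {
+if (!check_ajax_referer('webpexpress-ajax-list-unconverted-files-nonce', 'nonce', false)) {
+wp_send_json_error('Invalid security nonce (it has probably expired - try refreshing)');
+wp_die();
+}
+
 $config = Config::loadConfigAndFix();
 $arr = self::getList($config);
 echo json_encode($arr, JSON_UNESCAPED_SLASHES | JSON_NUMERIC_CHECK | JSON_PRETTY_PRINT);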
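Review bot: The nonce check added at the top of processAjaxListUnconvertedFiles() proves the request originated from the plugin's own settings page, but nothing in the hunk verifies that the caller is allowed to run the handler; whether the wp_ajax hook is registered only for privileged users is not visible here, so a capability check directly after the nonce check, `if (!current_user_can('manage_options')) { wp_send_json_error('Insufficient permissions'); }`, would make the handler self-contained. The same applies to the identical blocks in CachePurge.php, Convert.php and ConvertLog.php, and to the `check_admin_referer()` line added in lib/options/submit.php. Also, `wp_send_json_error()` already terminates the request (it calls wp_die() internally), so the `wp_die();` on the following line is unreachable and can be dropped in all four handlers. The function body continues past the hunk.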
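--- a/lib/classes/CachePurge.php
+++ b/lib/classes/CachePurge.php
@@ -147,6 +147,11 @@ class CachePurge
 public static function processAjaxPurgeCache()
 {
 
+if (!check_ajax_referer('webpexpress-ajax-purge-cache-nonce', 'nonce', false)) {
+wp_send_json_error('Invalid security nonce (it has probably expired - try refreshing)');
+wp_die();
+}
+
 $onlyPng = ($_POST['only-png'] == 'true');
 
 $config = Config::loadConfigAndFix();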
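--- a/lib/classes/Convert.php
+++ b/lib/classes/Convert.php
@@ -69,6 +69,11 @@ class Convert
 
 public static function processAjaxConvertFile()
 {
+if (!check_ajax_referer('webpexpress-ajax-convert-nonce', 'nonce', false)) {
+wp_send_json_error('Invalid security nonce (it has probably expired - try refreshing)');
+wp_die();
+}
+
 $filename = $_POST['filename'];
 
 if (isset($_POST['config-overrides'])) {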
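Review bot: After the new nonce check, `$filename = $_POST['filename'];` is still taken from the request as an arbitrary path, and the nonce only attests that the request came from the plugin's own page — it says nothing about whether that file lies inside the directories the plugin is meant to convert. The function continues outside the hunk, so a containment check may exist further down; if it does not, the resolved path should be rejected when it falls outside the configured image roots before it reaches the converter, and the expectation recorded on this line, e.g. `// nonce proves origin only; $filename must still be validated against the allowed image roots`. The `$source = $_POST['source'];` line in ConvertLog.php has the same shape.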
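--- a/lib/classes/ConvertLog.php
+++ b/lib/classes/ConvertLog.php
@@ -9,6 +9,10 @@ class ConvertLog
 {
 public static function processAjaxViewLog()
 {
+if (!check_ajax_referer('webpexpress-ajax-view-log-nonce', 'nonce', false)) {
+wp_send_json_error('Invalid security nonce (it has probably expired - try refreshing)');
+wp_die();
+}
 $source = $_POST['source'];
 
 $logFile = ConvertHelperIndependent::getLogFilename($source, Paths::getLogDirAbs());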
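--- a/lib/classes/DismissableMessages.php
+++ b/lib/classes/DismissableMessages.php
@@ -74,6 +74,10 @@ class DismissableMessages
 }
 
 public static function processAjaxDismissMessage() {
+/*
+We have no security nonce here. Dismissing a message is not harmful and dismissMessage($id) do anything harmful, no matter what you
+send in the "id"
+*/
 $id = $_POST['id'];
 self::dismissMessage($id);
 }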
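Review bot: The comment added in processAjaxDismissMessage() says the opposite of what it means — `dismissMessage($id) do anything harmful` is missing the negation; I would write it as `We have no security nonce here. Dismissing a message is not harmful, and dismissMessage($id) does not do anything harmful no matter what is sent in "id".` The claim itself depends on what dismissMessage() does with a caller-supplied $id, which is outside the hunk, so the comment should also say why it holds (for example that the id is only ever used as a key in the dismissed-messages list), otherwise a later change to dismissMessage() silently invalidates the justification for skipping the nonce.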
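--- a/lib/options/enqueue_scripts.php
+++ b/lib/options/enqueue_scripts.php
@@ -6,7 +6,7 @@ use \WebPExpress\Paths;
 include_once __DIR__ . '/../classes/Config.php';
 use \WebPExpress\Config;
 
-$version = '0.14.0';
+$version = '0.14.1';
 
 
 if (!function_exists('webp_express_add_inline_script')) {
@@ -86,6 +86,14 @@
 //wp_enqueue_script('api_keys');
 
 wp_register_script( 'page', plugins_url('js/page.js', __FILE__), [], $version);
+webp_express_add_inline_script(
+'page',
+'window.webpExpressAjaxConvertNonce = "' . wp_create_nonce('webpexpress-ajax-convert-nonce') . '";' .
+'window.webpExpressAjaxListUnconvertedFilesNonce = "' . wp_create_nonce('webpexpress-ajax-list-unconverted-files-nonce') . '";' .
+'window.webpExpressAjaxPurgeCacheNonce = "' . wp_create_nonce('webpexpress-ajax-purge-cache-nonce') . '";' .
+'window.webpExpressAjaxViewLogNonce = "' . wp_create_nonce('webpexpress-ajax-view-log-nonce') . '";',
+'before'
+);
 wp_enqueue_script('page');
 
 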
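Review bot: The inline script added at new lines 89–96 builds JavaScript by hand-concatenating `wp_create_nonce()` output between double quotes; nonce values are alphanumeric today so this cannot break, but the pattern is fragile and the four lines are near-identical. Emitting each value with `wp_json_encode()` yields a correctly quoted JS literal whatever the content, e.g. `'window.webpExpressAjaxConvertNonce = ' . wp_json_encode(wp_create_nonce('webpexpress-ajax-convert-nonce')) . ';' .`, and the same change applies to the other three assignments. A one-line comment above the call noting that these globals are consumed by bulk-convert.js, purge-cache.js and test-convert.js would also help the next maintainer find the consumers when a nonce name changes.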
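--- a/lib/options/js/bulk-convert.js
+++ b/lib/options/js/bulk-convert.js
@@ -5,9 +5,17 @@ function openBulkConvertPopup() {
 
 var data = {
 'action': 'list_unconverted_files',
-//'whatever': ajax_object.we_value // We pass php values differently!
+'nonce' : window.webpExpressAjaxListUnconvertedFilesNonce,
 };
 jQuery.post(ajaxurl, data, function(response) {
+if ((typeof response == 'object') && (response['success'] == false)) {
+html = '<h1>Error</h1>';
+if (response['data'] && ((typeof response['data']) == 'string')) {
+html += response['data'];
+}
+document.getElementById('bulkconvertcontent').innerHTML = html;
+return
+}
 var bulkInfo = {
 'groups': JSON.parse(response),
 'groupPointer': 0,
@@ -138,10 +146,20 @@ function webpexpress_viewLog(groupPointer, filePointer) {
 url: ajaxurl,
 data: {
 'action': 'webpexpress_view_log',
+'nonce' : window.webpExpressAjaxViewLogNonce,
 'source': source
 },
 success: (response) => {
 //alert(response);
+if ((typeof response == 'object') && (response['success'] == false)) {
+html = '<h1>Error</h1>';
+if (response['data'] && ((typeof response['data']) == 'string')) {
+html += response['data'];
+}
+document.getElementById('conversionlog_content').innerHTML = html;
+return
+}
+
 var result = JSON.parse(response);
 var html = '<h1>Conversion log</h1><br>' + result;
 document.getElementById('conversionlog_content').innerHTML = html;
@@ -189,12 +207,22 @@ function convertNextInBulkQueue() {
 
 var data = {
 'action': 'convert_file',
+'nonce' : window.webpExpressAjaxConvertNonce,
 'filename': group.root + '/' + filename
 
 //'whatever': ajax_object.we_value // We pass php values differently!
 };
 
 function responseCallback(response){
+if ((typeof response == 'object') && (response['success'] == false)) {
+html = '<h1>Error</h1>';
+if (response['data'] && ((typeof response['data']) == 'string')) {
+html += response['data'];
+}
+logLn(html);
+return
+}
+
 var result = typeof response.requestError !== 'boolean' ? JSON.parse(response) : {
 success: false,
 msg: '',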
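Review bot: In the three new error branches (`html = '<h1>Error</h1>';` at new lines 12, 155 and 218) `html` is assigned without a declaration. In the second branch the later `var html` in the same success callback is hoisted, so it stays local there; in the first and third branches no declaration is visible in the hunk, so unless one exists further down in those callbacks the assignment creates an implicit global (or throws a ReferenceError under strict mode). Declaring it in each branch, `var html = '<h1>Error</h1>';`, fixes all three, and the bare `return` before each closing brace should carry a semicolon like the rest of the file. All three enclosing functions extend beyond the hunks.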
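--- a/lib/options/js/purge-cache.js
+++ b/lib/options/js/purge-cache.js
@@ -16,11 +16,21 @@ function openDeleteConvertedFilesPopup() {
 function purgeCache(onlyPng) {
 var data = {
 'action': 'webpexpress_purge_cache',
+'nonce' : window.webpExpressAjaxPurgeCacheNonce,
 'only-png': onlyPng
 };
 jQuery.post(ajaxurl, data, function(response) {
+if ((typeof response == 'object') && (response['success'] == false)) {
+if (response['data'] && ((typeof response['data']) == 'string')) {
+alert(response['data']);
+} else {
+alert('Something failed');
+}
+return;
+}
+
 var result = JSON.parse(response);
-console.log(result);
+//console.log(result);
 
 if (result['fail-count'] == 0) {
 if (result['delete-count'] == 0) {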
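--- a/lib/options/js/test-convert.js
+++ b/lib/options/js/test-convert.js
@@ -130,6 +130,7 @@ function runTestConversion() {
 
 var data = {
 'action': 'convert_file',
+'nonce': window.webpExpressAjaxConvertNonce,
 'filename': window.webpExpressPaths['filePaths']['webpExpressRoot'] + '/test/' + elTxt('image'),
 "converter": elTxt("converter"),
 'config-overrides': JSON.stringify(configOverrides)
@@ -189,18 +190,22 @@ function processLogMoveOptions(thelog) {
 
 function convertResponseCallback(response){
 
-
 if (typeof response.requestError == 'boolean') {
 document.getElementById('tc_conversion_result').innerHTML = '<h1 style="color:red">An error occured!</h1>';
 //console.log('response', response);
 return;
 }
+if ((response['success'] === false) && response['data']) {
+document.getElementById('tc_conversion_result').innerHTML = '<h1 style="color:red">An error occured</h1>' + response['data'];
+return;
+}
 
-if (response[0] != '{') {
+if ((typeof response == 'string') && (response[0] != '{')) {
 document.getElementById('tc_conversion_result').innerHTML =
 '<h1 style="color:red">Response was not JSON</h1><p>The following was returned:</p>' + response;
 return;
 }
+
 var result = JSON.parse(response);
 result['log'] = processLogMoveOptions(result['log']);
 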
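Review bot: The new guard `if ((typeof response == 'string') && (response[0] != '{'))` only covers string responses, so an object that is neither the `requestError` shape nor `success === false` (the shape wp_send_json_success() would produce) now falls through to `JSON.parse(response)`, which throws a SyntaxError on "[object Object]". Whether the server can currently return such an object is not visible here, so this is a robustness gap rather than a live bug; replacing the unconditional parse with `var result = (typeof response == 'string') ? JSON.parse(response) : response;` closes it. The function continues past the hunk.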
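--- a/lib/options/page.php
+++ b/lib/options/page.php
@@ -87,7 +87,7 @@ foreach (Paths::getHTAccessDirs() as $dir) {
 
 //echo 'Working converters:' . print_r($workingConverters, true) . '<br>';
 // Generate a custom nonce value.
-$webpexpress_settings_nonce = wp_create_nonce('webpexpress_settings_nonce');
+$webpexpressSaveSettingsNonce = wp_create_nonce('webpexpress-save-settings-nonce');
 ?>
 
 <?php
@@ -100,7 +100,7 @@ $actionUrl = admin_url('admin-post.php');
 echo '<form id="webpexpress_settings" action="' . esc_url($actionUrl) . '" method="post" >';
 ?>
 <input type="hidden" name="action" value="webpexpress_settings_submit">
-<input type="hidden" name="webpexpress_settings_nonce" value="<?php echo $webpexpress_settings_nonce ?>" />
+<input type="hidden" name="_wpnonce" value="<?php echo $webpexpressSaveSettingsNonce ?>" />
 
 <fieldset class="block buttons">
 <table>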
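Review bot: The hidden `_wpnonce` input at new line 103 echoes `$webpexpressSaveSettingsNonce` without escaping and hand-builds what WordPress already provides: `wp_nonce_field('webpexpress-save-settings-nonce')` emits the same `_wpnonce` field escaped, adds `_wp_http_referer`, and pairs directly with the `check_admin_referer('webpexpress-save-settings-nonce')` added in submit.php. I would replace line 103 with `<?php wp_nonce_field('webpexpress-save-settings-nonce'); ?>` and drop the `$webpexpressSaveSettingsNonce = wp_create_nonce(...)` assignment from the first hunk together with its `// Generate a custom nonce value.` comment, which would otherwise describe code that no longer exists.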
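--- a/lib/options/submit.php
+++ b/lib/options/submit.php
@@ -9,6 +9,8 @@ use \WebPExpress\Messenger;
 use \WebPExpress\Paths;
 
 
+check_admin_referer('webpexpress-save-settings-nonce');
+
 DismissableMessages::dismissMessage('0.14.0/say-hello-to-vips');
 
 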
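--- a/web-service/wpc.php
+++ b/web-service/wpc.php
@@ -34,18 +34,6 @@ $options['access'] = [
 'whitelist' => $webServiceConfig['whitelist']
 ];
 
-/*
-$options['access'] = [
-'whitelist' => [
-[
-'label' => 'testing',
-'ip' => '127.0.0.1',
-'api-key' => 'my dog is white',
-'require-api-key-to-be-hashed-in-transfer' => false,
-]
-]
-]; */
-
 $options['webp-convert'] = Config::generateWodOptionsFromConfigObj($config);
 
 WebPConvertCloudService::handleRequest($options);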
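--- a/webp-express.php
+++ b/webp-express.php
@@ -3,7 +3,7 @@
 * Plugin Name: WebP Express
 * Plugin URI: https://github.com/rosell-dk/webp-express
 * Description: Serve autogenerated WebP images instead of jpeg/png to browsers that supports WebP. Works on anything (media library images, galleries, theme images etc).
-* Version: 0.14.0
+* Version: 0.14.1
 * Author: Bjørn Rosell
 * Author URI: https://www.bitwise-it.dk
 * License: GPL2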