From fb3af0879641489594a0c8fa0a201169f5974f16 Mon Sep 17 00:00:00 2001
From: Codebard <contact@codebard.com>
Date: Wed, 12 Jun 2024 22:27:22 +0200
Subject: [PATCH] Fix an issue that made it possible to circumvent image locking by
 sending a specific Referer header. Locked images should no longer allow the
 protection to be circumvented via the Referer header

---
 classes/patreon_protect.php |  5 ++---
 patreon.php                 |  4 ++--
 readme.txt                  | 10 +++++++++-
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/classes/patreon_protect.php b/classes/patreon_protect.php
index a63f73e..5e235ae 100644
--- a/classes/patreon_protect.php
+++ b/classes/patreon_protect.php
@@ -645,8 +645,7 @@ public static function addPatreonRewriteRules() {
 		$append = PHP_EOL . "# BEGIN Patreon WordPress Image Protection
 RewriteEngine On
 RewriteBase /		
-RewriteCond %{REQUEST_FILENAME} (\.png|\.jpg|\.gif|\.jpeg|\.bmp)
-RewriteCond %{HTTP_REFERER} !^wp-admin [NC]
+RewriteCond %{REQUEST_FILENAME} (\.png|\.jpg|\.gif|\.jpeg|\.bmp) [NC]
 RewriteRule ^" . $upload_dir . "/(.*)$ index.php?patreon_action=serve_patron_only_image&patron_only_image=$1 [QSA,L]
 # END Patreon WordPress".PHP_EOL;
 		
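Review bot: The replacement RewriteCond on the `+` line matches the extension list anywhere in %{REQUEST_FILENAME} rather than at its end, so the routing decision is made on a substring of the path instead of the actual file extension; a path such as `x.png.txt` (constructed example) would be sent through the serve handler while the condition is meant to select image files. Anchoring the pattern keeps the condition tied to the real extension: `RewriteCond %{REQUEST_FILENAME} \.(png|jpe?g|gif|bmp)$ [NC]`. The list is also fixed to five extensions, so if the site accepts other image types (webp, for instance) those uploads would bypass the rewrite and the handler entirely; whether that is intended depends on which types the locking feature is meant to cover, which the hunk does not show. `$upload_dir` is interpolated unescaped into the RewriteRule regex, so if it can ever contain regex metacharacters it would need quoting, but its value is not visible here. The body of addPatreonRewriteRules starts and ends outside this hunk.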
@@ -1002,4 +1001,4 @@ public static function get_attachment_id_from_url( $url ) {
         return 0;
     }
 	
-}
\ No newline at end of file
+}
diff --git a/patreon.php b/patreon.php
index c0e504f..c23449c 100644
--- a/patreon.php
+++ b/patreon.php
@@ -4,7 +4,7 @@
 Plugin Name: Patreon Wordpress
 Plugin URI: https://www.patreon.com/apps/wordpress
 Description: Patron-only content, directly on your website.
-Version: 1.9.0
+Version: 1.9.1
 Author: Patreon <platform@patreon.com>
 Author URI: https://patreon.com
 */
@@ -68,7 +68,7 @@
 define( "PATREON_CREATOR_BYPASSES_FILTER_MESSAGE", 'This content is for Patrons only, it\'s not locked for you because you are logged in as the Patreon creator' );
 define( "PATREON_NO_LOCKING_LEVEL_SET_FOR_THIS_POST", 'Post is already public. If you would like to lock this post, please set a pledge level for it' );
 define( "PATREON_NO_POST_ID_TO_UNLOCK_POST", 'Sorry - could not get the post id for this locked post' );
-define( "PATREON_WORDPRESS_VERSION", '1.9.0' );
+define( "PATREON_WORDPRESS_VERSION", '1.9.1' );
 define( "PATREON_WORDPRESS_BETA_STRING", '' );
 define( "PATREON_WORDPRESS_PLUGIN_SLUG", plugin_basename( __FILE__ ) );
 define( "PATREON_PRIVACY_POLICY_ADDENDUM", '<h2>Patreon features in this website</h2>In order to enable you to use this website with Patreon services, we save certain functionally important Patreon information about you in this website if you log in with Patreon.
diff --git a/readme.txt b/readme.txt
index c35585c..c63323a 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: patreon, membership, members
 Requires at least: 4.0
 Requires PHP: 7.4
 Tested up to: 6.5.3
-Stable tag: 1.9.0
+Stable tag: 1.9.1
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -79,6 +79,10 @@ It is  difficult to protect videos due the intensive bandwidth requirements of h
 
 == Upgrade Notice ==
 
+= 1.9.1 =
+
+* An issue that made it possible to circumvent image locking by sending a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header
+
 = 1.9.0 =
 
 * Now the reconnection wizard can be used to refresh/repair the connection of the site to Patreon without having to disconnect the site even if the site connection is broken or lost
@@ -507,6 +511,10 @@ You can report security bugs through the Patchstack Vulnerability Disclosure Pro
 
 == Changelog ==
 
+= 1.9.1 =
+
+* An issue that made it possible to circumvent image locking by sending a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header
+
 = 1.9.0 =
 
 * Now the reconnection wizard can be used to refresh/repair the connection of the site to Patreon without having to disconnect the site even if the site connection is broken or lost