From fb3af0879641489594a0c8fa0a201169f5974f16 Mon Sep 17 00:00:00 2001
From: Codebard <contact@codebard.com>
Date: Wed, 12 Jun 2024 22:27:22 +0200
Subject: [PATCH] An issue that made it possible to circumvent image locking by sending a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header

---
 classes/patreon_protect.php | 5 ++---
 patreon.php | 4 ++--
 readme.txt | 10 +++++++++-
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/classes/patreon_protect.php b/classes/patreon_protect.php
index a63f73e..5e235ae 100644
--- a/classes/patreon_protect.php
+++ b/classes/patreon_protect.php
@@ -645,8 +645,7 @@ public static function addPatreonRewriteRules() {
 $append = PHP_EOL . "# BEGIN Patreon WordPress Image Protection
 RewriteEngine On
 RewriteBase /
-RewriteCond %{REQUEST_FILENAME} (\.png|\.jpg|\.gif|\.jpeg|\.bmp)
-RewriteCond %{HTTP_REFERER} !^wp-admin [NC]
+RewriteCond %{REQUEST_FILENAME} (\.png|\.jpg|\.gif|\.jpeg|\.bmp) [NC]
 RewriteRule ^" . $upload_dir . "/(.*)$ index.php?patreon_action=serve_patron_only_image&patron_only_image=$1 [QSA,L]
 
 # END Patreon WordPress".PHP_EOL;
@@ -1002,4 +1001,4 @@ public static function get_attachment_id_from_url( $url ) { return 0; } -} \ No newline at end of file +}
diff --git a/patreon.php b/patreon.php
index c0e504f..c23449c 100644
--- a/patreon.php
+++ b/patreon.php
@@ -4,7 +4,7 @@
 Plugin Name: Patreon Wordpress
 Plugin URI: https://www.patreon.com/apps/wordpress
 Description: Patron-only content, directly on your website.
-Version: 1.9.0
+Version: 1.9.1
 Author: Patreon <platform@patreon.com>
 Author URI: https://patreon.com
 */
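Review bot: Dropping the `HTTP_REFERER` exemption is the right fix, since that header is set by the client, but nothing in the new rules text records why, and a later maintainer could re-add it to spare wp-admin the rewrite; add above the `$append` assignment `// Deliberately no HTTP_REFERER exemption: the header is client-controlled and was used to bypass image locking (see 1.9.1 changelog).` The rewrite still only catches `.png/.jpg/.gif/.jpeg/.bmp`, so any other image type the site accepts for upload (WordPress core allows `.webp`, for instance) is never routed through `serve_patron_only_image` and stays directly readable from the upload directory; either extend the alternation or document that limitation next to it. The `REQUEST_FILENAME` pattern is also unanchored, so `(\.png|\.jpg|\.gif|\.jpeg|\.bmp)$` would make the intent explicit. Since the hunk only changes the rules text that `addPatreonRewriteRules()` builds, installations that upgraded in place presumably keep the old block until those rules are regenerated, which the hunk does not show; the rest of `addPatreonRewriteRules()` lies outside the hunk.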
@@ -68,7 +68,7 @@
 define( "PATREON_CREATOR_BYPASSES_FILTER_MESSAGE", 'This content is for Patrons only, it\'s not locked for you because you are logged in as the Patreon creator' );
 define( "PATREON_NO_LOCKING_LEVEL_SET_FOR_THIS_POST", 'Post is already public. If you would like to lock this post, please set a pledge level for it' );
 define( "PATREON_NO_POST_ID_TO_UNLOCK_POST", 'Sorry - could not get the post id for this locked post' );
-define( "PATREON_WORDPRESS_VERSION", '1.9.0' );
+define( "PATREON_WORDPRESS_VERSION", '1.9.1' );
 define( "PATREON_WORDPRESS_BETA_STRING", '' );
 define( "PATREON_WORDPRESS_PLUGIN_SLUG", plugin_basename( __FILE__ ) );
 define( "PATREON_PRIVACY_POLICY_ADDENDUM", '<h2>Patreon features in this website</h2>In order to enable you to use this website with Patreon services, we save certain functionally important Patreon information about you in this website if you log in with Patreon.
diff --git a/readme.txt b/readme.txt
index c35585c..c63323a 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: patreon, membership, members
 Requires at least: 4.0
 Requires PHP: 7.4
 Tested up to: 6.5.3
-Stable tag: 1.9.0
+Stable tag: 1.9.1
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -79,6 +79,10 @@ It is difficult to protect videos due the intensive bandwidth requirements of h
 
 == Upgrade Notice ==
 
+= 1.9.1 =
+
+* An issue that made it possible to circumvent image locking by sending a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header
+
 = 1.9.0 =
 
 * Now the reconnection wizard can be used to refresh/repair the connection of the site to Patreon without having to disconnect the site even if the site connection is broken or lost
@@ -507,6 +511,10 @@ You can report security bugs through the Patchstack Vulnerability Disclosure Pro
 
 == Changelog ==
 
+= 1.9.1 =
+
+* An issue that made it possible to circumvent image locking by sending a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header
+
 = 1.9.0 =
 
 * Now the reconnection wizard can be used to refresh/repair the connection of the site to Patreon without having to disconnect the site even if the site connection is broken or lost