From fb3af0879641489594a0c8fa0a201169f5974f16 Mon Sep 17 00:00:00 2001
From: Codebard
Date: Wed, 12 Jun 2024 22:27:22 +0200
Subject: [PATCH] An issue that made it possible to circumvent image locking by sending a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header
---
 classes/patreon_protect.php | 5 ++---
 patreon.php | 4 ++--
 readme.txt | 10 +++++++++-
 3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/classes/patreon_protect.php b/classes/patreon_protect.php
index a63f73e..5e235ae 100644
--- a/classes/patreon_protect.php
+++ b/classes/patreon_protect.php
@@ -645,8 +645,7 @@ public static function addPatreonRewriteRules() {
 $append = PHP_EOL . "# BEGIN Patreon WordPress Image Protection
 RewriteEngine On
 RewriteBase /
-RewriteCond %{REQUEST_FILENAME} (\.png|\.jpg|\.gif|\.jpeg|\.bmp)
-RewriteCond %{HTTP_REFERER} !^wp-admin [NC]
+RewriteCond %{REQUEST_FILENAME} (\.png|\.jpg|\.gif|\.jpeg|\.bmp) [NC]
 RewriteRule ^" . $upload_dir . "/(.*)$ index.php?patreon_action=serve_patron_only_image&patron_only_image=$1 [QSA,L]
 # END Patreon WordPress".PHP_EOL;
@@ -1002,4 +1001,4 @@ public static function get_attachment_id_from_url( $url ) {
 return 0;
 }
-}
\ No newline at end of file
+}
diff --git a/patreon.php b/patreon.php
index c0e504f..c23449c 100644
--- a/patreon.php
+++ b/patreon.php
@@ -4,7 +4,7 @@
 Plugin Name: Patreon Wordpress
 Plugin URI: https://www.patreon.com/apps/wordpress
 Description: Patron-only content, directly on your website.
-Version: 1.9.0
+Version: 1.9.1
 Author: Patreon
 Author URI: https://patreon.com
 */
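Review bot: The rewritten condition `RewriteCond %{REQUEST_FILENAME} (\.png|\.jpg|\.gif|\.jpeg|\.bmp) [NC]` in the first patreon_protect.php hunk is still unanchored, so it keys on an extension appearing anywhere in the path rather than on the file's actual type, and any image format not in the list (webp, for instance, if the site accepts such uploads) never reaches the RewriteRule and is served straight from the upload directory without passing through serve_patron_only_image; anchoring it, `RewriteCond %{REQUEST_FILENAME} \.(png|jpe?g|gif|bmp)$ [NC]`, makes the intent explicit and gives one place to extend the list. Dropping the HTTP_REFERER condition is the right fix for the bypass, but it only takes effect once the regenerated `$append` block is written back to .htaccess; installs that already carry the previous block keep the referer-based exception until the rules are regenerated, and whether the 1.9.1 upgrade path triggers that is not visible in this hunk. The body of addPatreonRewriteRules begins before and continues after the hunk.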
@@ -68,7 +68,7 @@
 define( "PATREON_CREATOR_BYPASSES_FILTER_MESSAGE", 'This content is for Patrons only, it\'s not locked for you because you are logged in as the Patreon creator' );
 define( "PATREON_NO_LOCKING_LEVEL_SET_FOR_THIS_POST", 'Post is already public. If you would like to lock this post, please set a pledge level for it' );
 define( "PATREON_NO_POST_ID_TO_UNLOCK_POST", 'Sorry - could not get the post id for this locked post' );
-define( "PATREON_WORDPRESS_VERSION", '1.9.0' );
+define( "PATREON_WORDPRESS_VERSION", '1.9.1' );
 define( "PATREON_WORDPRESS_BETA_STRING", '' );
 define( "PATREON_WORDPRESS_PLUGIN_SLUG", plugin_basename( __FILE__ ) );
 define( "PATREON_PRIVACY_POLICY_ADDENDUM", '

Patreon features in this website

In order to enable you to use this website with Patreon services, we save certain functionally important Patreon information about you in this website if you log in with Patreon.
diff --git a/readme.txt b/readme.txt
index c35585c..c63323a 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: patreon, membership, members
 Requires at least: 4.0
 Requires PHP: 7.4
 Tested up to: 6.5.3
-Stable tag: 1.9.0
+Stable tag: 1.9.1
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -79,6 +79,10 @@ It is difficult to protect videos due the intensive bandwidth requirements of h
 == Upgrade Notice ==
+= 1.9.1 =
+
+* An issue that made it possible to circumvent image locking by sending a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header
+
 = 1.9.0 =
 * Now the reconnection wizard can be used to refresh/repair the connection of the site to Patreon without having to disconnect the site even if the site connection is broken or lost
@@ -507,6 +511,10 @@ You can report security bugs through the Patchstack Vulnerability Disclosure Pro
 == Changelog ==
+= 1.9.1 =
+
+* An issue that made it possible to circumvent image locking by sending a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header
+
 = 1.9.0 =
 * Now the reconnection wizard can be used to refresh/repair the connection of the site to Patreon without having to disconnect the site even if the site connection is broken or lost