WordPress.org
Get WordPress

Plugin Directory

Changeset 3210550


Ignore:
Timestamp:
12/19/2024 02:23:22 PM (16 months ago)
Author:
axeptio
Message:

version 2.5.4 release

Location:
axeptio-sdk-integration
Files:
1504 added
4 edited

Legend:

Unmodified
Added
Removed

  • axeptio-sdk-integration/trunk/axeptio-wordpress-plugin.php

    r3206866 r3210550  
    44    Plugin URI: https://www.axeptio.eu/
    55    Description: Axeptio allows you to make your website compliant with GDPR.
    6     Version: 2.5.3
     6    Version: 2.5.4
    77    Author: axeptio
    88    License: GPLv3
     
    1414use Axeptio\Plugin\Models\Settings;
    1515
    16 define( 'XPWP_VERSION', '2.5.3' );
     16define( 'XPWP_VERSION', '2.5.4' );
    1717define( 'XPWP_URL', plugin_dir_url( __FILE__ ) );
    1818define( 'XPWP_PATH', plugin_dir_path( __FILE__ ) );

  • axeptio-sdk-integration/trunk/includes/classes/frontend/class-sdk-proxy.php

    r3206185 r3210550  
    1010use Axeptio\Plugin\Models\Settings;
    1111use Axeptio\Plugin\Module;
    12 use WP_Filesystem_Direct;
    1312
    1413class Sdk_Proxy extends Module {
    1514
    1615    /**
    17      * Constants for cache time, file name, and directory.
     16     * Constants for cache time and transient name
    1817     */
    1918    const CACHE_TIME = DAY_IN_SECONDS;
    20     const CACHE_FILE = 'axeptio-sdk.js';
    21     const CACHE_DIR  = 'axeptio';
     19    const TRANSIENT_KEY = 'axeptio_sdk_content';
     20    private const ALLOWED_MIME_TYPES = ['application/javascript', 'text/javascript'];
    2221
    2322    /**
     
    5352        }
    5453        update_option( 'axeptio/need_flush', '1' );
     54
     55        // Supprimer le transient pour forcer un rechargement
     56        delete_transient( self::TRANSIENT_KEY );
     57    }
     58
     59    /**
     60     * Fetch the SDK content from remote URL
     61     */
     62    private function fetch_sdk_content() {
     63        $external_url = 'https://static.axept.io/sdk.js';
     64        $response = wp_remote_get( $external_url );
     65
     66        if ( is_wp_error( $response ) ) {
     67            return false;
     68        }
     69
     70        $content = wp_remote_retrieve_body( $response );
     71
     72        if ( empty( $content ) ) {
     73            return false;
     74        }
     75
     76        // Nettoyer et normaliser le contenu JavaScript
     77        $content = str_replace(["\r\n", "\r"], "\n", $content);
     78
     79        // Stocker le contenu dans un transient
     80        set_transient( self::TRANSIENT_KEY, $content, self::CACHE_TIME );
     81
     82        return $content;
     83    }
     84
     85    /**
     86     * Serve the SDK proxy content
     87     */
     88    public function proxy_cmp_js() {
     89        if ( ! get_query_var( 'proxy_axeptio_sdk' ) ) {
     90            return;
     91        }
     92
     93        // Récupérer le contenu du cache
     94        $sdk_content = get_transient( self::TRANSIENT_KEY );
     95
     96
     97        // Si le cache est vide ou expiré, récupérer le contenu distant
     98        if ( false === $sdk_content ) {
     99            $sdk_content = $this->fetch_sdk_content();
     100
     101            if ( false === $sdk_content ) {
     102                wp_die( 'Error fetching SDK content' );
     103            }
     104        }
     105
     106        // Headers de sécurité
     107        nocache_headers();
     108        header( 'Content-Type: application/javascript; charset=utf-8' );
     109        header( 'X-Content-Type-Options: nosniff' );
     110
     111        // Autres headers de sécurité
     112        header( 'X-Frame-Options: DENY' );
     113        header( 'X-XSS-Protection: 1; mode=block' );
     114
     115        // S'assurer que le contenu est bien encodé avant de l'envoyer
     116        $sdk_content = wp_check_invalid_utf8($sdk_content);
     117        header('Content-Length: ' . strlen($sdk_content));
     118
     119        echo $sdk_content;
     120        exit;
    55121    }
    56122
     
    103169        return $vars;
    104170    }
    105 
    106     /**
    107      * Serve the SDK proxy file.
    108      */
    109     public function proxy_cmp_js() {
    110         if ( ! get_query_var( 'proxy_axeptio_sdk' ) ) {
    111             return;
    112         }
    113 
    114         // Initialize the WP_Filesystem API.
    115         global $wp_filesystem;
    116         if ( empty( $wp_filesystem ) ) {
    117             require_once ABSPATH . 'wp-admin/includes/file.php';
    118             WP_Filesystem();
    119         }
    120 
    121         $upload_dir = wp_upload_dir();
    122         $file_path  = $upload_dir['basedir'] . '/' . self::CACHE_DIR . '/' . self::CACHE_FILE;
    123 
    124         // Create directory if it doesn't exist and set correct permissions.
    125         if ( ! $wp_filesystem->is_dir( $upload_dir['basedir'] . '/' . self::CACHE_DIR ) ) {
    126             $wp_filesystem->mkdir( $upload_dir['basedir'] . '/' . self::CACHE_DIR );
    127             $wp_filesystem->chmod( $upload_dir['basedir'] . '/' . self::CACHE_DIR, 0755 );
    128         }
    129 
    130         header( 'Content-Type: application/javascript' );
    131         header( 'Cache-Control: public, max-age=' . self::CACHE_TIME );
    132         header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + self::CACHE_TIME ) . ' GMT' );
    133         // Serve cached file if it exists and is still valid.
    134         if ( $wp_filesystem->exists( $file_path ) && ( time() - $wp_filesystem->mtime( $file_path ) ) < self::CACHE_TIME ) {
    135 
    136             echo esc_js( $wp_filesystem->get_contents( $file_path ) );
    137             exit;
    138         }
    139 
    140         $external_url = 'https://static.axept.io/sdk.js';
    141         $response     = wp_remote_get( $external_url );
    142 
    143         if ( is_wp_error( $response ) ) {
    144             wp_die( 'Error fetching the file.' );
    145         }
    146 
    147         $body = wp_remote_retrieve_body( $response );
    148         $wp_filesystem->put_contents( $file_path, $body, FS_CHMOD_FILE );
    149 
    150         echo esc_js( $body ); // Ensure output is escaped.
    151         exit;
    152     }
    153171}

  • axeptio-sdk-integration/trunk/includes/core.php

    r3206866 r3210550  
    182182    $screen = get_current_screen();
    183183
    184     if (!str_contains($screen->id, 'axeptio-')) {
     184    if (!in_array($screen->id, ['toplevel_page_axeptio-wordpress-plugin', 'axeptio_page_axeptio-plugin-manager'], true)) {
    185185        return;
    186186    }

  • axeptio-sdk-integration/trunk/readme.txt

    r3206866 r3210550  
    44Requires at least: 5.0
    55Tested up to: 6.5.5
    6 Stable tag: 2.5.3
     6Stable tag: 2.5.4
    77Requires PHP: 7.4
    88License: GPLv3
     
    8585== Changelog ==
    8686
     87### 🔒 2.5.4 🔒 ###
     88
     89**Security Enhancement:**
     90- Fixed a Local File Inclusion vulnerability
     91- Improved SDK proxy security with better file handling and encoding
     92
    8793### 🐞 2.5.3 🐞 ###
    8894
Note: See TracChangeset for help on using the changeset viewer.