
Changeset 3442200


Timestamp:
01/19/2026 04:58:36 AM (2 months ago)
Author:
vedathemes
Message:

prevent unlimited images downloads

Location:
podcast-player
Files:
188 added
8 edited

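--- a/podcast-player/trunk/README.txt
+++ b/podcast-player/trunk/README.txt
@@ -5,5 +5,5 @@
 Tested up to: 6.9
 Requires PHP: 5.6
-Stable tag: 7.9.13
+Stable tag: 7.9.14
 License: GPLv3 or later
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -16,5 +16,5 @@
 Watch this introductory video to learn about the podcast player.
 
-[youtube https://www.youtube.com/watch?v=XwA7ZBp1vMM]
+[youtube https://www.youtube.com/watch?v=0FqVN5-Ja0A]
 
 Learn More About the Podcast Player Pro
@@ -107,4 +107,8 @@
 
 == Changelog ==
+= 7.9.14 =
+* Modify: Put hard cap on Image download feature to prevent unwanted image downloads in case of any error.
+* Bug Fix: Prevent direct file access to critical files.
+
 = 7.9.12 =
 * Add: Added a filter to bypass media verification and allow any media.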
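--- a/podcast-player/trunk/backend/admin/class-options.php
+++ b/podcast-player/trunk/backend/admin/class-options.php
@@ -11,4 +11,9 @@
 
 namespace Podcast_Player\Backend\Admin;
+
+// Return if called directly.
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
 
 use Podcast_Player\Helper\Functions\Getters as Get_Fn;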
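Review bot: The comment on the added guard says "Return if called directly", but the code calls `exit`, which ends the request rather than returning; `// Exit if accessed directly.` would describe what actually runs. The same guard and comment are added in backend/class-register.php, frontend/class-register.php and helper/core/class-background-jobs.php. backend/inc/class-background-tasks.php and frontend/inc/class-feed.php are also edited in this changeset, but their file headers are outside the visible hunks, so whether they carry the `ABSPATH` check cannot be confirmed from this page.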
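--- a/podcast-player/trunk/backend/class-register.php
+++ b/podcast-player/trunk/backend/class-register.php
@@ -11,4 +11,9 @@
 
 namespace Podcast_Player\Backend;
+
+// Return if called directly.
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
 
 use Podcast_Player\Backend\Inc\Loader;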
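--- a/podcast-player/trunk/backend/inc/class-background-tasks.php
+++ b/podcast-player/trunk/backend/inc/class-background-tasks.php
@@ -27,4 +27,11 @@
 
     /**
+     * There are cases where download data is not saved properly due to some error, server settings,
+     * custom codes or conflict with other plugin. These edge cases sometimes cause plugin to
+     * download a large number of images. Let's put a hard cap on that to prevent any issues on user's website.
+     */
+    const MAX_TOTAL_IMAGE_DOWNLOADS = 1000;
+
+    /**
      * Download episode featured images.
      *
@@ -40,4 +47,17 @@
             // Skip task and remove it from the queue.
             return array( true, $args['data'] );
+        }
+
+        // GLOBAL SAFETY STOP
+        if ( $this->image_download_limit_reached() ) {
+            $this->disable_image_downloads();
+
+            return array(
+                new \WP_Error(
+                    'image-limit-reached',
+                    esc_html__( 'Global image download limit reached. Image saving disabled.', 'podcast-player' )
+                ),
+                false
+            );
         }
 
@@ -99,4 +119,17 @@
         require_once ABSPATH . 'wp-admin/includes/image.php';
         foreach ( $pending as $key => $item ) {
+
+            // Hard Stop if download limit has reached.
+            if ( $this->image_download_limit_reached() ) {
+                $this->disable_image_downloads();
+                return array(
+                    new \WP_Error(
+                        'image-limit-reached',
+                        esc_html__( 'Global image limit reached. Downloads stopped.', 'podcast-player' )
+                    ),
+                    false
+                );
+            }
+
             $image_url = isset( $item['featured'] ) ? $item['featured'] : '';
             $title     = isset( $item['title'] ) ? $item['title'] : '';
@@ -128,5 +161,23 @@
 
                 if ( ! is_wp_error( $attachment_id ) ) {
+
+                    // Count successful downloads.
+                    $this->increment_image_download_count();
+
                     add_post_meta( $attachment_id, 'pp_featured_key', md5( $image_url ), true );
+
+                    // Let's do post_meta verification to see if data is getting saved correctly.
+                    $stored = get_post_meta( $attachment_id, 'pp_featured_key', true );
+                    if ( $stored !== md5( $image_url ) ) {
+                        $this->disable_image_downloads();
+                        return array(
+                            new \WP_Error(
+                                'meta-write-failed',
+                                esc_html__( 'Failed to persist image meta. Downloads stopped.', 'podcast-player' )
+                            ),
+                            false
+                        );
+                    }
+
                     $completed[ $key ] = array_merge( $item, array( 'post_id' => $attachment_id ) );
                 } else {
@@ -256,3 +307,46 @@
         return array( true, $data );
     }
+
+    /**
+     * Get how many image download operations have been performed successfully.
+     *
+     * @since 7.9.14
+     */
+    private function get_total_image_download_count() {
+        return (int) get_option( 'pp_total_image_downloads', 0 );
+    }
+
+    /**
+     * Increase image download operations by one.
+     *
+     * @since 7.9.14
+     */
+    private function increment_image_download_count() {
+        $count = $this->get_total_image_download_count();
+        update_option( 'pp_total_image_downloads', $count + 1, false );
+    }
+
+    /**
+     * Check if image download limit has been reached.
+     *
+     * @since 7.9.14
+     */
+    private function image_download_limit_reached() {
+        return $this->get_total_image_download_count() >= self::MAX_TOTAL_IMAGE_DOWNLOADS;
+    }
+
+    /**
+     * Disable image download options and reset the counter.
+     *
+     * @since 7.9.14
+     */
+    private function disable_image_downloads() {
+        $options = get_option( 'pp-common-options', array() );
+        if ( ! isset( $options['img_save'] ) || 'yes' !== $options['img_save'] ) {
+            return; // already disabled
+        }
+        $options['img_save'] = 'no';
+        update_option( 'pp-common-options', $options );
+        delete_option( 'pp_total_image_downloads' );
+    }
 }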
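Review bot: `increment_image_download_count()` reads the option and writes back `$count + 1` in two separate calls, so if two background runs overlap, increments can be lost and more than `MAX_TOTAL_IMAGE_DOWNLOADS` images can be stored before the stop triggers. If the cap is meant as a hard limit, either serialize the update or state the limitation in the docblock, for example `Not atomic: overlapping runs may undercount, so the cap is approximate.` In the loop, the return value of `add_post_meta()` is ignored and the write is only checked by reading the value back; testing `false === add_post_meta( ... )` first would catch a failed insert directly. Both early returns inside the `foreach` pass `false` as the data element, so entries already placed in `$completed` during that run are not returned. The rest of the function is outside the hunks, so whether that loses the record of images already downloaded should be confirmed.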
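--- a/podcast-player/trunk/frontend/class-register.php
+++ b/podcast-player/trunk/frontend/class-register.php
@@ -11,4 +11,9 @@
 
 namespace Podcast_Player\Frontend;
+
+// Return if called directly.
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
 
 use Podcast_Player\Helper\Functions\Getters as Get_Fn;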
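--- a/podcast-player/trunk/frontend/inc/class-feed.php
+++ b/podcast-player/trunk/frontend/inc/class-feed.php
@@ -362,4 +362,5 @@
             }
 
+            // TODO: $item['featured'] contains original image URL, its md5 should not match with $img_src1. Then, why is it there?
             if ( isset( $item['featured_id'] ) && $item['featured_id'] ) {
                 $img_src1 = wp_get_attachment_image_src( $item['featured_id'], 'large' );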
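--- a/podcast-player/trunk/helper/core/class-background-jobs.php
+++ b/podcast-player/trunk/helper/core/class-background-jobs.php
@@ -14,4 +14,9 @@
 namespace Podcast_Player\Helper\Core;
 
+// Return if called directly.
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 /**
  * Handle background jobs to import episodes, download images and update feeds.
@@ -125,4 +130,9 @@
             $prev_data = $prev_task['data'];
             $new_data  = array_merge( $prev_data, $task_data['data'] );
+
+            // Limit to 10 images only.
+            if ( 'download_image' === $task_type ) {
+                $new_data = array_slice( $new_data, 0, 10, true );
+            }
             $queue[ $unique_id ] = array_merge( $prev_task, array( 'data' => $new_data ) );
         } else {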
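Review bot: `array_slice( $new_data, 0, 10, true )` keeps the first ten entries of the merged array, and because `$prev_data` is merged first, it is the newly submitted items that are dropped once ten are queued; nothing in the hunk logs or re-queues them. The limit `10` is a bare literal here, while the download cap in class-background-tasks.php is a named constant. A class constant such as `const MAX_QUEUED_IMAGES = 10;`, with a comment explaining that excess items are discarded, would make the behaviour explicit. The `else` branch that stores a first-time task starts on the last visible line and its body is outside the hunk, so it cannot be seen whether a new task carrying more than ten items is limited as well.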
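--- a/podcast-player/trunk/podcast-player.php
+++ b/podcast-player/trunk/podcast-player.php
@@ -15,5 +15,5 @@
  * Plugin URI:        https://easypodcastpro.com
  * Description:       Host your podcast episodes anywhere, display them only using podcast feed url. Use custom widget or shortcode to display podcast player anywhere on your site.
- * Version:           7.9.13
+ * Version:           7.9.14
  * Author:            vedathemes
  * Author URI:        https://easypodcastpro.com
@@ -30,5 +30,5 @@
 
 // Currently plugin version.
-define( 'PODCAST_PLAYER_VERSION', '7.9.13' );
+define( 'PODCAST_PLAYER_VERSION', '7.9.14' );
 
 // Define plugin constants.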