Skip to content

Commit

Permalink
An issue that made it possible to circumvent image locking by sending…
Browse files Browse the repository at this point in the history
… a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header
  • Loading branch information
codebard committed Jun 12, 2024
1 parent 41c0b13 commit fb3af08
Show file tree
Hide file tree
Showing 3 changed files with 13 additions and 6 deletions.
5 changes: 2 additions & 3 deletions classes/patreon_protect.php
Original file line number Diff line number Diff line change
Expand Up @@ -645,8 +645,7 @@ public static function addPatreonRewriteRules() {
$append = PHP_EOL . "# BEGIN Patreon WordPress Image Protection
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} (\.png|\.jpg|\.gif|\.jpeg|\.bmp)
RewriteCond %{HTTP_REFERER} !^wp-admin [NC]
RewriteCond %{REQUEST_FILENAME} (\.png|\.jpg|\.gif|\.jpeg|\.bmp) [NC]
RewriteRule ^" . $upload_dir . "/(.*)$ index.php?patreon_action=serve_patron_only_image&patron_only_image=$1 [QSA,L]
# END Patreon WordPress".PHP_EOL;

Expand Down Expand Up @@ -1002,4 +1001,4 @@ public static function get_attachment_id_from_url( $url ) {
return 0;
}

}
}
4 changes: 2 additions & 2 deletions patreon.php
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
Plugin Name: Patreon Wordpress
Plugin URI: https://www.patreon.com/apps/wordpress
Description: Patron-only content, directly on your website.
Version: 1.9.0
Version: 1.9.1
Author: Patreon <[email protected]>
Author URI: https://patreon.com
*/
Expand Down Expand Up @@ -68,7 +68,7 @@
define( "PATREON_CREATOR_BYPASSES_FILTER_MESSAGE", 'This content is for Patrons only, it\'s not locked for you because you are logged in as the Patreon creator' );
define( "PATREON_NO_LOCKING_LEVEL_SET_FOR_THIS_POST", 'Post is already public. If you would like to lock this post, please set a pledge level for it' );
define( "PATREON_NO_POST_ID_TO_UNLOCK_POST", 'Sorry - could not get the post id for this locked post' );
define( "PATREON_WORDPRESS_VERSION", '1.9.0' );
define( "PATREON_WORDPRESS_VERSION", '1.9.1' );
define( "PATREON_WORDPRESS_BETA_STRING", '' );
define( "PATREON_WORDPRESS_PLUGIN_SLUG", plugin_basename( __FILE__ ) );
define( "PATREON_PRIVACY_POLICY_ADDENDUM", '<h2>Patreon features in this website</h2>In order to enable you to use this website with Patreon services, we save certain functionally important Patreon information about you in this website if you log in with Patreon.
Expand Down
10 changes: 9 additions & 1 deletion readme.txt
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ Tags: patreon, membership, members
Requires at least: 4.0
Requires PHP: 7.4
Tested up to: 6.5.3
Stable tag: 1.9.0
Stable tag: 1.9.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Expand Down Expand Up @@ -79,6 +79,10 @@ It is difficult to protect videos due the intensive bandwidth requirements of h

== Upgrade Notice ==

= 1.9.1 =

* An issue that made it possible to circumvent image locking by sending a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header

= 1.9.0 =

* Now the reconnection wizard can be used to refresh/repair the connection of the site to Patreon without having to disconnect the site even if the site connection is broken or lost
Expand Down Expand Up @@ -507,6 +511,10 @@ You can report security bugs through the Patchstack Vulnerability Disclosure Pro

== Changelog ==

= 1.9.1 =

* An issue that made it possible to circumvent image locking by sending a specific referrer header was fixed. Now locked images should not allow circumvention of the protection via referer header

= 1.9.0 =

* Now the reconnection wizard can be used to refresh/repair the connection of the site to Patreon without having to disconnect the site even if the site connection is broken or lost
Expand Down

0 comments on commit fb3af08

Please sign in to comment.