WordPress.org

Plugin Directory

Changeset 611813


Timestamp:
10/13/12 06:41:06 (18 months ago)
Author:
DrewAPicture
Message:

Security fix for unintentional file exposure, other formatting also bump version and stable

Location:
download-shortcode/trunk
Files:
3 edited

  • download-shortcode/trunk/download-shortcode.php

    r578875 r611813  
    11<?php 
    2 /* 
    3 Plugin Name: Force Download Shortcode 
    4 Plugin URI: http://www.werdswords.com 
    5 Description: Allows you to wrap file links in a shortcode that will force a download when clicked 
    6 Author: Drew Jaynes 
    7 Author URI: http://www.drewapicture.com 
    8 Version: 0.1 
    9 */ 
     2/** 
     3 * Plugin Name: Force Download Shortcode 
     4 * Plugin URI: http://www.werdswords.com 
     5 * Description: Allows you to wrap uploaded file links in a shortcode that will force a download when clicked 
     6 * Author: Drew Jaynes (DrewAPicture) 
     7 * Author URI: http://www.werdswords.com 
     8 * Version: 0.2 
     9 */ 
    1010 
    1111class Download_Shortcode { 
  • download-shortcode/trunk/force-download.php

    r578875 r611813  
    11<?php 
    2 /* 
    3 Author: Louai Munajim 
    4 Source: http://elouai.com/force-download.php 
    5 Contributors: Jorg Weske, Rajkumar Singh 
    6 */ 
     2/** 
     3 * This script forces download on the specified file-types. 
     4 * It was been slightly modified to provide more security from 
     5 * unauthorized files such as those with a .php extension being 
     6 * downloaded, or force-download.php itself being exposed. 
     7 * 
     8 * Original Author: Louai Munajim 
     9 * Source: http://elouai.com/force-download.php 
     10 * Contributors: Jorg Weske, Rajkumar Singh, Drew Jaynes 
     11 */ 
    712 
    813$filename = $_GET['file']; 
    914 
    10 if ( $filename == "" || !file_exists( $filename ) ) 
     15// Check for empty value or shenanigans 
     16if ( $filename == "" ||  
     17    strpos( $filename, '.php' ) ||  
     18    strlen( $filename <= 3 ) ||  
     19    ! file_exists( $filename ) ) 
    1120  exit; 
    1221 
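Review bot: The length check on new line 18 has a misplaced parenthesis: `strlen( $filename <= 3 )` takes the length of the result of comparing `$filename` with 3, not the length of the filename, so it does not test what the comment above it describes; it should read `strlen( $filename ) <= 3`. On new line 17, `strpos( $filename, '.php' )` returns 0, which is falsy, when the match is at the start of the string, and it is case-sensitive, so compare the result with `!== false` and use `stripos()`. More broadly, `$_GET['file']` still reaches `file_exists()` with no restriction on directory, and a deny-list on one extension leaves every other readable path in scope. Resolving the path with `realpath()`, requiring it to sit under the uploads directory, and permitting only a fixed list of extensions would enforce the readme's statement that files must come from the WordPress uploader.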
  • download-shortcode/trunk/readme.txt

    r578875 r611813  
    44Tags: downloads, shortcode, force download 
    55Requires at least: 3.0 
    6 Tested up to: 3.4.1 
    7 Stable tag: 0.1 
     6Tested up to: 3.4.2 
     7Stable tag: 0.2 
    88License: GPLv2 
    99 
     
    1313 
    1414Sometimes you want to force users to download files from a link without having those files opened by the browser. 
    15 This plugin introduces the [download] shortcode that wraps your links and does just that. You'll need to manually 
    16 upload the force-downloads.php file into your wp-content using FTP. 
     15This plugin introduces the [download] shortcode that wraps links in your content and does just that.  
     16 
     17Two things: 
     18*   You **MUST** manually upload force-download.php into your wp-content directory. 
     19*   Files **MUST** be uploaded via the WordPress uploader for the shortcode to work. 
    1720 
    1821The shortcode can be used in multiple ways: 
    1922 
    20 `[download label="My Label"]http://myuploadedfile.mp3[/download]` would show as a link titled `My Label` 
     23`[download label="My Label"]http://example.com/wp-content/uploads/my_song.mp3[/download]` would show as a link titled `My Label` 
    2124 
    22 `[download]http://myuploadedfile.mp3[/download]` would show as a link titled `http://myuploadedfile.mp3` 
     25`[download]http://example.com/wp-content/uploads/my_song.mp3[/download]` would show as a link titled `http://example.com/wp-content/uploads/my_song.mp3` 
    2326 
    2427If you wanted to use this in a php file, you could call something like `<?php do_shortcode( '[download label="My Label"]http://myuploadedfile.mp3[/download]' ); ?>` 
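Review bot: The unchanged PHP example on line 27 was left behind by this edit: it still uses `http://myuploadedfile.mp3` while the two shortcode examples above it were updated to a full `wp-content/uploads` URL, and `do_shortcode()` returns the markup rather than printing it, so the snippet as written outputs nothing. Update the URL to match the new examples and add `echo` before `do_shortcode(`. The new "Two things:" list also gives the uploader requirement without the reason for it; one sentence tying it to the security fix would help users understand why other links stop working.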
     
    3942You probably didn't manually upload the force-downloads.php script to your site's wp-content directory. 
    4043 
     44= How can I style download links differently? 
     45 
     46There is a built-in filter hook you can use to add a class to the link tags the shortcode produces, `ww_download_class`. 
     47 
     48This example filter adds the 'downloads' class: 
     49 
     50` 
     51function filter_download_links() { 
     52    return 'downloads'; 
     53} 
     54add_filter( 'ww_download_class', 'filter_download_links' ); 
     55` 
     56 
    4157== Changelog == 
    4258 
    4359= 0.1 = First version 
     60 
     61= 0.2 = Fix security vulnerability which exposed php core files to direct download, docblocking and other tweaks.  
    4462 
    4563== Upgrade Notice == 
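Review bot: The FAQ heading added on new line 44, `= How can I style download links differently?`, is missing its closing ` =`, unlike the `= 0.1 =` and `= 0.2 =` headings in the same file, so it may not render as a heading. The context line just above it still says `force-downloads.php` where the rest of the readme now says `force-download.php`; correct the name there as well. In the filter example, the callback takes no parameter and discards whatever class value the filter passes in; documenting a callback that accepts the argument and appends to it would be a safer pattern for users to copy.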
     
    4765= 0.1 = Initial submission 
    4866 
     67= 0.2 = Security Fix 
     68 
    4969== Screenshots == 
    5070 
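Review bot: The upgrade notice `= 0.2 = Security Fix` does not tell users what they have to do. The readme states that force-download.php must be manually uploaded into wp-content, so a plugin update presumably leaves the previously uploaded copy in place; the notice should say that the new force-download.php has to be re-uploaded to wp-content for the fix to take effect.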