Changeset 3019209

Timestamp:

01/09/2024 11:26:23 AM (2 years ago)

Author:

soft8soft

Message:

New version 4.5.3

Location:

verge3d/trunk

Files:

• app.php (modified) (1 diff)
• css/admin.css (modified) (1 diff)
• js/admin.js (modified) (2 diffs)
• order.php (modified) (1 diff)
• readme.txt (modified) (2 diffs)
• verge3d.php (modified) (6 diffs)

verge3d/trunk/app.php

@@ -629 +629 @@
 
             // prevent harmful file types to be uploaded to the server
-            $ext = strtolower(pathinfo($fullpath, PATHINFO_EXTENSION));
-            $denied = ['php', 'phps', 'phar', 'exe'];
-            if (in_array($ext, $denied)) {
+            $allowed_mimes = get_allowed_mime_types();
+
+            $v3d_mimes = get_option('v3d_upload_mime_types');
+            if (!empty($v3d_mimes)) {
+                foreach (explode(PHP_EOL, $v3d_mimes) as $line) {
+                    $line = wp_strip_all_tags($line);
+                    $line_split = preg_split('/ +/', $line, null, PREG_SPLIT_NO_EMPTY);
+
+                    if (count($line_split) != 2)
+                        continue;
+
+                    $mime = trim($line_split[0]);
+                    $ext = trim($line_split[1]);
+
+                    if (!empty($mime) && !empty($ext))
+                        $allowed_mimes[$ext] = $mime;
+                }
+            }
+
+            $validate = wp_check_filetype($fullpath, $allowed_mimes);
+            if ($validate['type'] === false) {
+                //error_log('invalid: '.$fullpath);
                 wp_die('error');
             }

verge3d/trunk/css/admin.css

@@ -123 +123 @@
 }
 
+textarea.v3d-tall-textarea {
+    height: 300px;
+}
+
 p.error {
     color: red;

verge3d/trunk/js/admin.js

@@ -4 +4 @@
     'blend1',
     'max',
-    'ma',
-    'mb'
+    'ma',       // maya
+    'mb',       // maya
+    'mat',      // max material file
+    'mel'       // e.g workspace.mel
 ]
 
@@ -41 +43 @@
 
         // prevent upload of some files
-        if (ext in V3D_IGNORE_EXT || path.indexOf('v3d_app_data') > -1) {
+        if (V3D_IGNORE_EXT.includes(ext) || path.indexOf('v3d_app_data') > -1) {
             updateProgress();
             continue;

verge3d/trunk/order.php

@@ -456 +456 @@
                 // NOTE: undocumented wkhtmltopdf feature
                 if (basename($chrome_path) == 'wkhtmltopdf')
-                    v3d_terminal($chrome_path.' -s Letter --print-media-type '.$pdf_html.' '.$pdf);
+                    v3d_terminal($chrome_path.' -s Letter --print-media-type '.$pdf_html.' '.escapeshellarg($pdf));
                 else
-                    v3d_terminal($chrome_path.' --headless --disable-gpu --print-to-pdf='.$pdf.' '.$pdf_html);
+                    v3d_terminal($chrome_path.' --headless --disable-gpu --print-to-pdf='.escapeshellarg($pdf).' '.$pdf_html);
+
                 if (is_file($pdf))
                     $attachments[] = $pdf;

verge3d/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 6.4.1
 Requires PHP: 7.0
-Stable tag: 4.5.1
+Stable tag: 4.5.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -68 +68 @@
 
 == Changelog ==
+
+= 4.5.3 =
+* Implement proper MIME filter for uploaded files.
+* Fix uploaded file types not being ignored.
+* Security fixes.
 
 = 4.5.2 =

verge3d/trunk/verge3d.php

@@ -4 +4 @@
 Plugin URI: https://www.soft8soft.com/verge3d
 Description: Verge3D is the most artist-friendly toolkit for creating interactive web-based experiences. It can be used to create product configurators, 3D presentations, online stores, e-learning apps, 3D portfolios, browser games and more.
-Version: 4.5.2
+Version: 4.5.3
 Author: Soft8Soft LLC
 Author URI: https://www.soft8soft.com
@@ -287 +287 @@
     delete_option('v3d_cross_domain');
     delete_option('v3d_custom_products');
+    delete_option('v3d_upload_mime_types');
 }
 register_deactivation_hook(__FILE__, 'v3d_cleanup_options');
@@ -355 +356 @@
     add_option('v3d_cross_domain', 1);
     add_option('v3d_custom_products', 1);
+    add_option('v3d_upload_mime_types',
+        "application/json json\n".
+        "application/octet-stream bin\n".
+        "application/wasm wasm\n".
+        "application/x-xz xz\n".
+        "font/ttf ttf\n".
+        "font/woff woff\n".
+        "font/woff2 woff2\n".
+        "image/ktx2 ktx2\n".
+        "image/svg+xml svg\n".
+        "image/vnd.radiance hdr\n".
+        "model/gltf-binary glb\n".
+        "model/gltf+json gltf\n".
+        "text/csv csv\n".
+        "text/xml xml");
 
     register_setting('verge3d_general', 'v3d_currency');
@@ -791 +807 @@
     register_setting('verge3d_security', 'v3d_cross_domain');
     register_setting('verge3d_security', 'v3d_custom_products');
+    register_setting('verge3d_security', 'v3d_upload_mime_types');
 
     add_settings_section(
@@ -823 +840 @@
     );
 
+    add_settings_field(
+        'v3d_upload_mime_types',
+        'Allowed MIME types',
+        'v3d_upload_mime_types_cb',
+        'verge3d_security',
+        'v3d_security_settings'
+    );
 }
 add_action('admin_init', 'v3d_settings_init');
@@ -1327 +1351 @@
 }
 
+function v3d_upload_mime_types_cb() {
+    $content = get_option('v3d_upload_mime_types');
+    ?>
+    <textarea name="v3d_upload_mime_types" class="v3d-wide-textarea v3d-tall-textarea"><?php echo isset($content) ? esc_attr($content) : ''; ?></textarea>
+    <p class="description">Additional MIME types allowed for upload.</p>
+    <?php
+}
 
 function v3d_init_custom_styles() {