Changeset 3325924

Timestamp:

07/10/2025 08:58:28 PM (9 months ago)

Author:

marceljm

Message:

Security issue

Location:

featured-image-from-url/trunk

Files:

• admin/api.php (modified) (7 diffs)
• admin/column.php (modified) (1 diff)
• admin/dimensions.php (modified) (1 diff)
• admin/html/js/meta-box.js (modified) (2 diffs)
• admin/html/meta-box.html (modified) (3 diffs)
• admin/html/troubleshooting.html (modified) (3 diffs)
• admin/languages.php (modified) (1 diff)
• admin/menu.php (modified) (2 diffs)
• admin/meta-box.php (modified) (3 diffs)
• admin/widgets.php (modified) (6 diffs)
• featured-image-from-url.php (modified) (2 diffs)
• gravity-forms/includes/class-fifu-image-gf-field.php (modified) (1 diff)
• includes/jetpack.php (modified) (1 diff)
• includes/speedup.php (modified) (1 diff)
• includes/thumbnail.php (modified) (8 diffs)
• includes/util.php (modified) (1 diff)
• readme.txt (modified) (4 diffs)

featured-image-from-url/trunk/admin/api.php

@@ -192 +192 @@
 function fifu_get_ip() {
     foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
-        if (array_key_exists($key, $_SERVER) === true) {
+        if (isset($_SERVER[$key]) === true) {
             foreach (explode(',', $_SERVER[$key]) as $ip) {
                 $ip = trim($ip);
@@ -200 +200 @@
         }
     }
-    return $_SERVER['REMOTE_ADDR'];
+    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1';
 }
 
@@ -207 +207 @@
         return json_decode(FIFU_NO_CREDENTIALS);
 
-    $images = $request['selected'];
+    $images = isset($request['selected']) ? $request['selected'] : [];
 
     return fifu_create_thumbnails_list($images, false);
@@ -231 +231 @@
         if (!$cron) {
             // manual
-            $post_id = $image[0];
-            $url = $image[1];
-            $meta_key = $image[2];
-            $meta_id = $image[3];
-            $is_category = $image[4] == 1;
-            $video_url = $image[5];
+            $post_id = isset($image[0]) ? $image[0] : null;
+            $url = isset($image[1]) ? $image[1] : null;
+            $meta_key = isset($image[2]) ? $image[2] : null;
+            $meta_id = isset($image[3]) ? $image[3] : null;
+            $is_category = isset($image[4]) ? ($image[4] == 1) : false;
+            $video_url = isset($image[5]) ? $image[5] : null;
         } else {
             // upload auto
@@ -445 +445 @@
 
     $rows = array();
-    $images = $request['selected'];
+    $images = isset($request['selected']) ? $request['selected'] : [];
     $total = count($images);
     $url_sign = '';
     foreach ($images as $image) {
-        $storage_id = $image['storage_id'];
+        $storage_id = isset($image['storage_id']) ? $image['storage_id'] : null;
         if (!$storage_id)
             continue;
@@ -843 +843 @@
 
 function fifu_api_list_all_fifu(WP_REST_Request $request) {
-    $page = (int) $request['page'];
-    $type = $request['type'];
-    $keyword = $request['keyword'];
+    $page = (int) (isset($request['page']) ? $request['page'] : 0);
+    $type = isset($request['type']) ? $request['type'] : null;
+    $keyword = isset($request['keyword']) ? $request['keyword'] : null;
     $urls = fifu_db_get_all_urls($page, $type, $keyword);
     return $urls;
@@ -854 +854 @@
         return null;
 
-    $page = (int) $request['page'];
-    $type = $request['type'];
-    $keyword = $request['keyword'];
+    $page = (int) (isset($request['page']) ? $request['page'] : 0);
+    $type = isset($request['type']) ? $request['type'] : null;
+    $keyword = isset($request['keyword']) ? $request['keyword'] : null;
     return fifu_db_get_posts_with_internal_featured_image($page, $type, $keyword);
 }

featured-image-from-url/trunk/admin/column.php

@@ -256 +256 @@
 function fifu_optimized_column_image($url, $att_id) {
     if (fifu_is_from_speedup($url)) {
-        $url = explode('?', $url)[0];
+        $aux = explode('?', $url);
+        $url = isset($aux[0]) ? $aux[0] : $url;
         return fifu_speedup_get_signed_url($url, 128, 128, null, null, false);
     }

featured-image-from-url/trunk/admin/dimensions.php

@@ -25 +25 @@
     "https://img.youtube.com",
     "https://cdn.diariodeavisos.com",
+    "https://i.guim.co.uk",
 ]);
 

featured-image-from-url/trunk/admin/html/js/meta-box.js

@@ -112 +112 @@
     var image = new Image();
     jQuery(image).attr('onload', 'fifu_store_sizes(this);');
+    image.onerror = function () {
+        // Set the background to the fallback error image
+        jQuery("#fifu_image").css('background-image', "url('https://storage.googleapis.com/featuredimagefromurl/image-not-found.jpg')");
+    };
     jQuery(image).attr('src', url);
 }
@@ -123 +127 @@
     jQuery("#fifu_image").on('click', function (evt) {
         evt.stopImmediatePropagation();
+
+        // Do not open lightbox if the error image is set as background
+        const errorImg = "https://storage.googleapis.com/featuredimagefromurl/image-not-found.jpg";
+        const bg = jQuery("#fifu_image").css('background-image');
+        if (bg && bg.includes(errorImg)) {
+            return;
+        }
+
         let url = fifu_convert(jQuery("#fifu_input_url").val());
         let adjustedUrl = fifu_cdn_adjust(url);

featured-image-from-url/trunk/admin/html/meta-box.html

@@ -10 +10 @@
                        name="fifu_input_alt" 
                        placeholder="<?php $fifu['common']['alt']() ?>"
-                       value="<?php echo $alt; ?>" 
+                       value="<?php echo esc_attr($alt); ?>" 
                        style="<?php echo $width ?>;font-size:13px;margin:0px 0px 0px 2px" />
             </td>
@@ -25 +25 @@
     <div id="fifu_image"
          style="<?php echo $height, $show_image ?>
-         background:url('<?php echo $url; ?>') no-repeat center center;
+         background:url('<?php echo esc_url($url); ?>') no-repeat center center;
          background-size:cover;
          cursor:zoom-in;
@@ -39 +39 @@
                        name="fifu_input_url" 
                        placeholder="<?php $fifu['image']['keywords']() ?>"
-                       value="<?php echo $url; ?>"
+                       value="<?php echo esc_url($url); ?>"
                        style="<?php echo $width ?>;font-size:13px;" />
             </td>

featured-image-from-url/trunk/admin/html/troubleshooting.html

@@ -70 +70 @@
                     <div class="greybox" style="position: relative; top: -10px;">
                         WP RSS Aggregator feed items have no featured image:<br>
-                        1) Enable 'FIFU → Settings → Automatic → Auto set featured media from post content → auto set featured media from post content' before fetching the feed source.<br>
+                        1) Enable 'FIFU → Settings → Automatic → Auto set featured media from post content → Auto set → auto set featured media from post content' before fetching the feed source.<br>
                     </div>                    
                 </div>
@@ -879 +879 @@
                         Using a video from post content as featured video:<br>
                         1) enable "FIFU Settings → Video → Featured Video"<br>
-                        2) enable "FIFU Settings → Automatic → Auto set featured media from post content → use the found image/video as featured image/video"<br>
-                        3) enable "FIFU Settings → Automatic → Auto set featured media from post content → hide the image/video from content"<br>
+                        2) enable "FIFU Settings → Automatic → Auto set featured media from post content → Auto set → auto set featured media from post content"<br>
+                        3) select "FIFU Settings → Automatic → Auto set featured media from post content → Media type filter → Video"<br>
                         4) access the campaign and uncheck all options in "Images" box<br>
                         5) click on "Run campaign" button<br>
@@ -1236 +1236 @@
                     <div class="greybox" style="position: relative; top: -10px">
                         Setting featured video automatically:<br>
-                        1) access "FIFU Settings → Automatic → Auto set featured media from post content";<br>
-                        2) enable "use the found image/video as featured image";<br>
-                        3) enable "hide the image/video from content";<br>
-                        4) access "Zapier → Make a Zap", select YouTube as the first app and configure as you want;<br>
+                        1) go to "FIFU Settings → Automatic → Auto set featured media from post content";<br>
+                        2) enable "Auto set → auto set featured media from post content";<br>
+                        3) select "Media type filter → Video";<br>
+                        4) go to "Zapier → Make a Zap", select YouTube as the first app and configure as you want;<br>
                         5) select WordPress as the second app;<br>
                         6) click on "Choose Action Event", select "Create Post" and "Continue";<br>

featured-image-from-url/trunk/admin/languages.php

@@ -267 +267 @@
     // Dynamically handle locales not in the mapping
     $parts = explode('_', $locale);
-    return $parts[0]; // Return the first part of the locale (e.g., "es" from "es_ES")
+    return !empty($parts) ? $parts[0] : $locale; // Return the first part of the locale (e.g., "es" from "es_ES")
 }

featured-image-from-url/trunk/admin/menu.php

@@ -12 +12 @@
     $fifu = fifu_get_strings_settings();
 
-    if (strpos($_SERVER['REQUEST_URI'], 'featured-image-from-url') !== false || strpos($_SERVER['REQUEST_URI'], 'fifu') !== false) {
+    if (isset($_SERVER['REQUEST_URI']) && (strpos($_SERVER['REQUEST_URI'], 'featured-image-from-url') !== false || strpos($_SERVER['REQUEST_URI'], 'fifu') !== false)) {
         wp_enqueue_script('font-awesome', 'https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.1.1/js/all.min.js');
         wp_enqueue_style('jquery-ui-style1', 'https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.css');
@@ -276 +276 @@
     $arrDefaultType = array('fifu_default_cpt');
     $arrOn = array('fifu_wc_zoom', 'fifu_wc_lbox');
-    $arrOnNo = array('fifu_fake', 'fifu_photon');
+    $arrOnNo = array('fifu_fake');
     $arrOffNo = array('fifu_data_clean', 'fifu_run_delete_all', 'fifu_reset');
 

featured-image-from-url/trunk/admin/meta-box.php

@@ -96 +96 @@
     $align = 'text-align:left;';
 
-    $url = get_post_meta($post->ID, 'fifu_image_url', true);
-    $alt = get_post_meta($post->ID, 'fifu_image_alt', true);
+    $url = esc_url(get_post_meta($post->ID, 'fifu_image_url', true));
+    $alt = esc_attr(get_post_meta($post->ID, 'fifu_image_alt', true));
 
     if ($url) {
@@ -387 +387 @@
 function fifu_dokan_product_edit_after_product_tags($post, $post_id) {
     $fifu = fifu_get_strings_dokan();
-    $url = get_post_meta($post_id, 'fifu_image_url', true);
+    $url = esc_url(get_post_meta($post_id, 'fifu_image_url', true));
     ?>
 
@@ -419 +419 @@
 function fifu_mvx_product_manager_right_panel_after($post_id) {
     $fifu = fifu_get_strings_dokan();
-    $url = get_post_meta($post_id, 'fifu_image_url', true);
+    $url = esc_url(get_post_meta($post_id, 'fifu_image_url', true));
     ?>
 

featured-image-from-url/trunk/admin/widgets.php

@@ -13 +13 @@
 
     public function widget($args, $instance) {
-        echo $args['before_widget'];
-        echo $args['after_widget'];
+        if (isset($args['before_widget'])) {
+            echo $args['before_widget'];
+        }
+        if (isset($args['after_widget'])) {
+            echo $args['after_widget'];
+        }
     }
 
@@ -26 +30 @@
         return $instance;
     }
-
 }
 
@@ -42 +45 @@
     public function widget($args, $instance) {
         extract($args);
-        echo $args['before_widget'];
-        echo $args['after_widget'];
+        if (isset($args['before_widget'])) {
+            echo $args['before_widget'];
+        }
+        if (isset($args['after_widget'])) {
+            echo $args['after_widget'];
+        }
     }
 
@@ -57 +64 @@
         return $instance;
     }
-
 }
 
@@ -72 +78 @@
 
     public function widget($args, $instance) {
-        echo $args['before_widget'];
-        echo $args['after_widget'];
+        if (isset($args['before_widget'])) {
+            echo $args['before_widget'];
+        }
+        if (isset($args['after_widget'])) {
+            echo $args['after_widget'];
+        }
     }
 
@@ -86 +96 @@
         return $instance;
     }
-
 }
 

featured-image-from-url/trunk/featured-image-from-url.php

@@ -5 +5 @@
  * Plugin URI: https://fifu.app/
  * Description: Use a remote image or video as featured image of a post or WooCommerce product.
- * Version: 5.1.9
+ * Version: 5.2.0
  * Author: fifu.app
  * Author URI: https://fifu.app/
@@ -132 +132 @@
 
 function fifu_uninstall() {
-    // buddyboss app
-    if (isset($_REQUEST['page']) && strpos($_REQUEST['page'], 'bbapp') !== false)
+    global $pagenow;
+    if ($pagenow !== 'plugins.php')
         return;
 

featured-image-from-url/trunk/gravity-forms/includes/class-fifu-image-gf-field.php

@@ -133 +133 @@
     public function get_value_save_entry($value, $form, $input_name, $lead_id, $lead) {
         if ($this->phoneFormat == 'standard' && preg_match('/^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$/', $value, $matches)) {
-            $value = sprintf('(%s) %s-%s', $matches[1], $matches[2], $matches[3]);
+            $value = sprintf('(%s) %s-%s', isset($matches[1]) ? $matches[1] : '', isset($matches[2]) ? $matches[2] : '', isset($matches[3]) ? $matches[3] : '');
         }
 

featured-image-from-url/trunk/includes/jetpack.php

@@ -93 +93 @@
         return true;
 
-    $blocklist = array('localhost', 'amazon-adsystem.com', 'sapo.io', 'i.guim.co.uk', 'image.influenster.com', 'api.screenshotmachine.com', 'img.brownsfashion.com', 'fbcdn.net', 'nitrocdn.com', 'brightspotcdn.com', 'realtysouth.com', 'tiktokcdn.com', 'fdcdn.akamaized.net', 'blockchainstock.azureedge.net', 'aa.com.tr', 'cdn.discordapp.com', 'download.schneider-electric.com', 'images.twojjs.com', 'preview.redd.it', 'external-preview.redd.it', 'i.redd.it', 'cdn.fbsbx.com', 'canva.com', 'cdn.fifu.app', 'cloud.fifu.app', 'images.placeholders.dev');
+    $blocklist = array('localhost', 'amazon-adsystem.com', 'sapo.io', 'image.influenster.com', 'api.screenshotmachine.com', 'img.brownsfashion.com', 'fbcdn.net', 'nitrocdn.com', 'brightspotcdn.com', 'realtysouth.com', 'tiktokcdn.com', 'fdcdn.akamaized.net', 'blockchainstock.azureedge.net', 'aa.com.tr', 'cdn.discordapp.com', 'download.schneider-electric.com', 'images.twojjs.com', 'preview.redd.it', 'external-preview.redd.it', 'i.redd.it', 'cdn.fbsbx.com', 'canva.com', 'cdn.fifu.app', 'cloud.fifu.app', 'images.placeholders.dev');
     foreach ($blocklist as $domain) {
         if (strpos($url, $domain) !== false)

featured-image-from-url/trunk/includes/speedup.php

@@ -151 +151 @@
 
     $aux = explode('-', $url);
-    $width = (int) $aux[1];
-    $height = (int) $aux[2];
+    $width = isset($aux[1]) ? (int) $aux[1] : 0;
+    $height = isset($aux[2]) ? (int) $aux[2] : 0;
 
     if (isset($parameters['resize'])) {

featured-image-from-url/trunk/includes/thumbnail.php

@@ -9 +9 @@
 
 global $pagenow;
-if (!in_array($pagenow, array('post.php', 'post-new.php', 'admin-ajax.php', 'wp-cron.php'))) {
+if (!isset($pagenow) || !in_array($pagenow, array('post.php', 'post-new.php', 'admin-ajax.php', 'wp-cron.php'))) {
     if (is_plugin_active('wordpress-seo/wp-seo.php')) {
         add_action('wpseo_opengraph_image', 'fifu_add_social_tag_yoast');
@@ -117 +117 @@
         if (!empty($url)) {
             $buffer_contents = ob_get_contents();
-            if (strpos($buffer_contents, '<meta property="og:image"') === false) {
+            if ($buffer_contents !== false && strpos($buffer_contents, '<meta property="og:image"') === false) {
                 $url = esc_url($url);
                 include 'html/social-home.html';
@@ -147 +147 @@
 
     // "all products" page
-    if (function_exists('get_current_screen') && isset(get_current_screen()->parent_file) && get_current_screen()->parent_file == 'edit.php?post_type=product') {
+    if (function_exists('get_current_screen') && get_current_screen() && isset(get_current_screen()->parent_file) && get_current_screen()->parent_file == 'edit.php?post_type=product') {
         $attr['src'] = fifu_optimized_column_image($url, $attachment->ID);
         return $attr;
@@ -185 +185 @@
 
     $src = fifu_get_attribute('src', $html);
-    if (isset($FIFU_SESSION[$src])) {
+    if (isset($FIFU_SESSION) && isset($FIFU_SESSION[$src])) {
         $data = $FIFU_SESSION[$src];
         if (strpos($html, 'fifu-replaced') !== false)
@@ -259 +259 @@
 
     global $post;
+    if (!isset($post) || !isset($post->ID))
+        return $content;
+
     $post_id = $post->ID;
     $att_id = get_post_thumbnail_id($post_id);
@@ -325 +328 @@
 
         $del = substr($src[0], - 1);
-        $url = fifu_normalize(explode($del, $src[0])[1]);
+        $url_parts = explode($del, $src[0]);
+        $url = isset($url_parts[1]) ? fifu_normalize($url_parts[1]) : '';
 
         if (!$url || fifu_jetpack_blocked($url) || strpos($url, 'data:image') === 0)
@@ -443 +447 @@
 function fifu_add_rss() {
     global $post;
+    if (!isset($post) || !isset($post->ID))
+        return;
+
     if (has_post_thumbnail($post->ID)) {
         $thumbnail = fifu_main_image_url($post->ID, true); // external (no CDN)
@@ -465 +472 @@
 // for ajax pagination
 function fifu_posts_results($posts, $query) {
-    if (!is_admin() && $query->is_main_query() && is_paged()) {
+    if (!is_admin() && $query->is_main_query() && is_paged() && !empty($posts)) {
         foreach ($posts as $post) {
-            fifu_add_parameters_single_post($post->ID);
+            if (isset($post->ID)) {
+                fifu_add_parameters_single_post($post->ID);
+            }
         }
     }

featured-image-from-url/trunk/includes/util.php

@@ -7 +7 @@
 
     $aux = explode($attribute, $html);
-    if ($aux)
+    if (isset($aux[1]))
         $aux = $aux[1];
+    else
+        return null;
+
+    if (empty($aux))
+        return null;
 
     $quote = $aux[0];

featured-image-from-url/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 5.6
 Tested up to: 6.8.1
-Stable tag: 5.1.9
+Stable tag: 5.2.0
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
@@ -246 +246 @@
 == Changelog ==
 
+= 5.2.0 =
+* Enhancement: Image Not Found message displayed in the post editor when the image URL is invalid; Fix: vulnerability reported by Wordfence (improved validation of values added in FIFU fields via post editor for better security); Fix: potential undefined index notices.
+
 = 5.1.9 =
 * Notice: the plugin collects the theme name anonymously (the goal is to identify the most common themes and ensure FIFU works correctly with all of them).
@@ -252 +255 @@
 * Fix: Optimized Images (performance issue when serving full image size and possible conflicts with images from Cloudinary); Fix: images in the WooCommerce product gallery (not displayed when Optimized Images was disabled).
 
-= 5.1.7 =
-* Enhancement: REST API (JSON examples with highlighted syntax).
-
 = others =
 * [more](https://fifu.app/changelog)
@@ -261 +261 @@
 == Upgrade Notice ==
 
-= 5.1.9 =
-* Notice: the plugin collects the theme name anonymously (the goal is to identify the most common themes and ensure FIFU works correctly with all of them).
+= 5.2.0 =
+* Enhancement: Image Not Found message displayed in the post editor when the image URL is invalid; Fix: vulnerability reported by Wordfence (improved validation of values added in FIFU fields via post editor for better security); Fix: potential undefined index notices.