Changeset 3383015

Timestamp:

10/23/2025 03:00:16 AM (7 weeks ago)

Author:

Alignak

Message:

v3.5.2

Location:

fast-velocity-minify/trunk

Files:

• assets/fvm.js (modified) (1 diff)
• fvm.php (modified) (2 diffs)
• inc/admin.php (modified) (6 diffs)
• inc/common.php (modified) (4 diffs)
• layout/admin-layout-settings.php (modified) (12 diffs)
• readme.txt (modified) (2 diffs)

fast-velocity-minify/trunk/assets/fvm.js

@@ -1 +1 @@
 // get logs via ajax
 function fvm_get_logs() {
-        
+
     // ajax request
     jQuery( document ).ready(function() {
-        var data = { 'action': 'fvm_get_logs' };
+        var data = { 'action': 'fvm_get_logs', 'nonce': fvm_ajax_object.ajax_nonce };
         jQuery.post(ajaxurl, data, function(resp) {
             if(resp.success == 'OK') { 

fast-velocity-minify/trunk/fvm.php

@@ -4 +4 @@
  * Plugin URI: https://fastvelocity.com
  * Description: Improve your speed score on GTmetrix, Pingdom Tools and Google PageSpeed Insights by merging and minifying CSS and JavaScript files into groups, compressing HTML and other speed optimizations. 
- * Version: 3.5.1
+ * Version: 3.5.2
  * Author: Raul Peixoto
  * Author URI: https://fastvelocity.com
@@ -67 +67 @@
     add_action('admin_menu', 'fvm_add_admin_menu');
     add_action('admin_notices', 'fvm_show_admin_notice_from_transient');
-    add_action('wp_ajax_fvm_get_logs', 'fvm_get_logs_callback');
+    add_action('wp_ajax_fvm_get_logs', 'fvm_get_logs_callback'); # Note: JS must pass nonce as 'fvm_logs_nonce'
         
     # purge everything

fast-velocity-minify/trunk/inc/admin.php

@@ -87 +87 @@
         # check if our tables exist, and do maintenance once a day
         $fvm_table_checker = get_transient('fvm_table_checker');
-        $fvm_table_checker = false;
         if ($fvm_table_checker === false) {
             
@@ -94 +93 @@
             if(!is_null($wpdb)) {
                 $sqla_table_name = $wpdb->prefix . 'fvm_cache';
-                if (!$wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $sqla_table_name)) === $sqla_table_name) {
-                    fvm_plugin_activate();                              
+                if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $sqla_table_name)) !== $sqla_table_name) {
+                    fvm_plugin_activate();
                 }
             }
@@ -168 +167 @@
                             if(is_string($v)) { $_POST['fvm_settings'][$group][$k] = strip_tags($v); }
                             
-                            # clean cdn url
-                            if($group == 'cdn' && $k == 'url') { 
-                                $_POST['fvm_settings'][$group][$k] = trim(trim(str_replace(array('http://', 'https://'), '', $v), '/'));
+                            # clean cdn url with strict validation to prevent XSS
+                            if($group == 'cdn' && $k == 'domain') {
+                                $domain = trim(str_replace(array('http://', 'https://'), '', $v), '/');
+                                // Only allow valid hostnames (alphanumeric, hyphens, dots)
+                                if (!empty($domain) && !preg_match('/^[a-zA-Z0-9\-\.]+$/', $domain)) {
+                                    $_POST['fvm_settings'][$group][$k] = '';
+                                    add_settings_error('fvm_admin_notice', 'fvm_admin_notice', __('Invalid CDN domain format. Only alphanumeric characters, hyphens and dots allowed.', 'fast-velocity-minify'), 'error');
+                                } else {
+                                    $_POST['fvm_settings'][$group][$k] = sanitize_text_field($domain);
+                                }
                             }
         
@@ -232 +238 @@
         # js
         wp_enqueue_script('fvm', $fvm_var_url_path . 'assets/fvm.js', array('jquery'), filemtime($fvm_var_dir_path.'assets'. DIRECTORY_SEPARATOR .'fvm.js'));
+
+        # localize nonce for AJAX security
+        wp_localize_script('fvm', 'fvm_ajax_object', array(
+            'ajax_nonce' => wp_create_nonce('fvm_logs_nonce')
+        ));
         
         # css
@@ -298 +309 @@
 # function to list all cache files on the status page (js ajax code)
 function fvm_get_logs_callback() {
-        
+
+    # Verify nonce for CSRF protection
+    check_ajax_referer('fvm_logs_nonce', 'nonce');
+
     # must be able to cleanup cache
     if (!current_user_can('manage_options')) {
-        wp_die( __('You do not have sufficient permissions to access this page.'), __('Error:'), array('response'=>200)); 
+        wp_die( __('You do not have sufficient permissions to access this page.'), __('Error:'), array('response'=>200));
     }
     
@@ -391 +405 @@
     
     # test if at least one table exists
-    if (!$wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $sqla_table_name)) === $sqla_table_name) {
-        
+    if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $sqla_table_name)) !== $sqla_table_name) {
+
         # log
         $err = 'An error occurred when trying to create the database tables';

fast-velocity-minify/trunk/inc/common.php

@@ -1607 +1607 @@
 # functions, get full url
 function fvm_normalize_url($href, $purl=null) {
-    
+
     # preserve empty source handles
-    $href = trim($href); 
-    if(empty($href)) { return false; }      
+    $href = trim($href);
+    if(empty($href)) { return false; }
+
+    # Detect and block path traversal attempts
+    if (strpos($href, '../') !== false || strpos($href, '..\\') !== false) {
+        error_log('FVM Security: Path traversal attempt blocked in URL: ' . $href);
+        return false;
+    }
 
     # some fixes
@@ -2182 +2188 @@
 # try to open the file from the disk, before downloading
 function fvm_maybe_download($url) {
-    
+
     # must have
     if(is_null($url) || empty($url)) { return false; }
-    
+
+    # Validate URL format and protocol
+    $parsed = parse_url($url);
+    if (!$parsed || !isset($parsed['scheme']) || !isset($parsed['host'])) {
+        return array('error' => 'Invalid URL format');
+    }
+
+    # Only allow http and https protocols (prevent file://, ftp://, etc.)
+    if (!in_array(strtolower($parsed['scheme']), array('http', 'https'))) {
+        return array('error' => 'Only HTTP and HTTPS protocols are allowed');
+    }
+
+    # Block internal/private IP ranges to prevent SSRF
+    $ip = gethostbyname($parsed['host']);
+    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
+        return array('error' => 'Access to private/internal IPs is not allowed');
+    }
+
     # get domain
     global $fvm_urls;
@@ -2194 +2217 @@
         # file path + windows compatibility
         $f =  strtok(str_replace('/', DIRECTORY_SEPARATOR, str_replace(rtrim($fvm_urls['wp_site_url'], '/'), rtrim(ABSPATH, '/'), $url)), '?');
-                    
-        # did it work?
+
+        # did it work? - with path traversal protection
         if (file_exists($f) && is_file($f)) {
+
+            # Validate file path to prevent directory traversal attacks
+            $realfile = realpath($f);
+            $realbase = realpath(ABSPATH);
+
+            # Verify file is within WordPress installation
+            if ($realfile === false || $realbase === false || strpos($realfile, $realbase) !== 0) {
+                return array('error' => 'Invalid file path - outside allowed directory');
+            }
+
+            # Block sensitive files
+            $basename = basename($realfile);
+            $blocked_files = array('wp-config.php', '.htaccess', '.env', 'php.ini', '.user.ini');
+            if (in_array(strtolower($basename), $blocked_files)) {
+                return array('error' => 'Access to this file is not allowed');
+            }
+
             return array('content'=>file_get_contents($f), 'src'=>'Disk');
         }
@@ -2206 +2246 @@
     $uagent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586';
 
-    # fetch via wordpress functions
-    $response = wp_remote_get($url, array('user-agent'=>$uagent, 'timeout' => 7, 'httpversion' => '1.1', 'sslverify'=>false)); 
+    # fetch via wordpress functions (SSL verification enabled by default for security)
+    $response = wp_remote_get($url, array('user-agent'=>$uagent, 'timeout' => 7, 'httpversion' => '1.1')); 
     if ( is_wp_error( $response ) ) {
         $error_message = $response->get_error_message();

fast-velocity-minify/trunk/layout/admin-layout-settings.php

@@ -150 +150 @@
 <td><fieldset>
 <label for="fvm_settings_css_ignore"><span class="fvm-bold-green fvm-rowintro"><?php _e( "Ignore the following CSS URL's", 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[css][ignore]" rows="7" cols="50" id="fvm_settings_css_ignore" class="large-text code" placeholder="ex: /plugins/something/assets/problem.css"><?php echo fvm_get_settings_value($fvm_settings, 'css', 'ignore'); ?></textarea></p>
+<p><textarea name="fvm_settings[css][ignore]" rows="7" cols="50" id="fvm_settings_css_ignore" class="large-text code" placeholder="ex: /plugins/something/assets/problem.css"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'css', 'ignore')); ?></textarea></p>
 <p class="description">[ <?php _e( 'CSS files are merged and grouped automatically by mediatype, hence you have an option to exclude files.', 'fast-velocity-minify' ); ?> ]</p>
 <p class="description">[ <?php _e( 'Will match using <code>PHP stripos</code> against the <code>href attribute</code> on the <code>link tag</code>', 'fast-velocity-minify' ); ?> ]</p>
@@ -160 +160 @@
 <td><fieldset>
 <label for="fvm_settings_css_remove"><span class="fvm-bold-green fvm-rowintro"><?php _e( 'Remove the following CSS files', 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[css][remove]" rows="7" cols="50" id="fvm_settings_css_remove" class="large-text code" placeholder="ex: fonts.googleapis.com"><?php echo fvm_get_settings_value($fvm_settings, 'css', 'remove'); ?></textarea></p>
+<p><textarea name="fvm_settings[css][remove]" rows="7" cols="50" id="fvm_settings_css_remove" class="large-text code" placeholder="ex: fonts.googleapis.com"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'css', 'remove')); ?></textarea></p>
 <p class="description">[ <?php _e( 'This will allow you to remove unwanted CSS files by URI path from the frontend', 'fast-velocity-minify' ); ?> ]</p>
 <p class="description">[ <?php _e( 'Will match using <code>PHP stripos</code> against the <code>href attribute</code> on the <code>link tag</code>', 'fast-velocity-minify' ); ?> ]</p>
@@ -170 +170 @@
 <td><fieldset>
 <label for="fvm_settings_css_async"><span class="fvm-bold-green fvm-rowintro"><?php _e( 'Async the following CSS files', 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[css][async]" rows="7" cols="50" id="fvm_settings_css_async" class="large-text code" placeholder="ex: /plugins/something/assets/low-priority.css"><?php echo fvm_get_settings_value($fvm_settings, 'css', 'async'); ?></textarea></p>
+<p><textarea name="fvm_settings[css][async]" rows="7" cols="50" id="fvm_settings_css_async" class="large-text code" placeholder="ex: /plugins/something/assets/low-priority.css"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'css', 'async')); ?></textarea></p>
 <p class="description">[ <?php _e( 'This will allow you to Async CSS files by URI path from the frontend', 'fast-velocity-minify' ); ?> ]</p>
 <p class="description">[ <?php _e( 'Will match using <code>PHP stripos</code> against the <code>href attribute</code> on the <code>link tag</code>', 'fast-velocity-minify' ); ?> ]</p>
@@ -239 +239 @@
 <td><fieldset>
 <label for="fvm_settings_js_ignore"><span class="fvm-bold-green fvm-rowintro"><?php _e( 'Will prevent merging or minification for all JS files matching the paths below', 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[js][ignore]" rows="7" cols="50" id="fvm_settings_js_ignore" class="large-text code" placeholder="<?php _e( '--- ex: /plugins/something/assets/problem.js ---', 'fast-velocity-minify' ); ?>"><?php echo fvm_get_settings_value($fvm_settings, 'js', 'ignore'); ?></textarea></p>
+<p><textarea name="fvm_settings[js][ignore]" rows="7" cols="50" id="fvm_settings_js_ignore" class="large-text code" placeholder="<?php _e( '--- ex: /plugins/something/assets/problem.js ---', 'fast-velocity-minify' ); ?>"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'js', 'ignore')); ?></textarea></p>
 <p class="description">[ <?php _e( 'Will match using <code>PHP stripos</code> against the script <code>src</code> attribute', 'fast-velocity-minify' ); ?> ]</p>
 <p class="description">[ <?php _e( 'It is highly recommended to try to leave this empty and later be more specific on what to merge', 'fast-velocity-minify' ); ?> ]</p>
@@ -249 +249 @@
 <td><fieldset>
 <label for="fvm_settings_merge_header"><span class="fvm-bold-green fvm-rowintro"><?php _e( 'This will render block all JS files matching the paths below', 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[js][merge_header]" rows="7" cols="50" id="fvm_settings_js_merge_header" class="large-text code" placeholder="<?php _e( '--- example ---', 'fast-velocity-minify' ); ?> 
-/jquery-migrate.js 
-/jquery.js 
-/jquery.min.js"><?php echo fvm_get_settings_value($fvm_settings, 'js', 'merge_header'); ?></textarea></p>
+<p><textarea name="fvm_settings[js][merge_header]" rows="7" cols="50" id="fvm_settings_js_merge_header" class="large-text code" placeholder="<?php _e( '--- example ---', 'fast-velocity-minify' ); ?>
+/jquery-migrate.js
+/jquery.js
+/jquery.min.js"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'js', 'merge_header')); ?></textarea></p>
 <p class="description">[ <?php _e( 'Will match using <code>PHP stripos</code> against the script <code>src attribute</code>', 'fast-velocity-minify' ); ?> ]</p>
 </fieldset></td>
@@ -261 +261 @@
 <td><fieldset>
 <label for="fvm_settings_merge_defer"><span class="fvm-bold-green fvm-rowintro"><?php _e( 'This will defer all JS files matching the paths below', 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[js][merge_defer]" rows="7" cols="50" id="fvm_settings_js_merge_defer" class="large-text code" placeholder="<?php _e( '--- example ---', 'fast-velocity-minify' ); ?> 
-/wp-admin/ 
-/wp-includes/ 
-/wp-content/"><?php echo fvm_get_settings_value($fvm_settings, 'js', 'merge_defer'); ?></textarea></p>
+<p><textarea name="fvm_settings[js][merge_defer]" rows="7" cols="50" id="fvm_settings_js_merge_defer" class="large-text code" placeholder="<?php _e( '--- example ---', 'fast-velocity-minify' ); ?>
+/wp-admin/
+/wp-includes/
+/wp-content/"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'js', 'merge_defer')); ?></textarea></p>
 <p class="description">[ <?php _e( 'Will match using <code>PHP stripos</code> against the script <code>src attribute', 'fast-velocity-minify' ); ?></code> ]</p>
 </fieldset></td>
@@ -273 +273 @@
 <td><fieldset>
 <label for="fvm_settings_defer_dependencies"><span class="fvm-bold-green fvm-rowintro"><?php _e( 'Preserve the order of scripts execution when deferring JS files dependencies', 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[js][defer_dependencies]" rows="7" cols="50" id="fvm_settings_js_defer_dependencies" class="large-text code" placeholder="<?php _e( '--- example ---', 'fast-velocity-minify' ); ?> 
+<p><textarea name="fvm_settings[js][defer_dependencies]" rows="7" cols="50" id="fvm_settings_js_defer_dependencies" class="large-text code" placeholder="<?php _e( '--- example ---', 'fast-velocity-minify' ); ?>
 wp.i18n
 wp.apiFetch.use
 window.lodash
 wp.hooks
-wp.url"><?php echo fvm_get_settings_value($fvm_settings, 'js', 'defer_dependencies'); ?></textarea></p>
+wp.url"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'js', 'defer_dependencies')); ?></textarea></p>
 <p class="description">[ <?php _e( 'Inline JavaScript matching these rules, will be deferred with script type module', 'fast-velocity-minify' ); ?> ]</p>
 <p class="description">[ <?php _e( 'Will match using <code>PHP stripos</code> against the script <code>innerHTML</code>', 'fast-velocity-minify' ); ?> ]</p>
@@ -288 +288 @@
 <td><fieldset>
 <label for="fvm_settings_js_thirdparty"><span class="fvm-bold-green fvm-rowintro"><?php _e( 'Delay JS files or inline scripts until user interaction', 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[js][thirdparty]" rows="7" cols="50" id="fvm_settings_js_thirdparty" class="large-text code" placeholder="<?php _e( '--- example ---', 'fast-velocity-minify' ); ?> 
-function(w,d,s,l,i) 
+<p><textarea name="fvm_settings[js][thirdparty]" rows="7" cols="50" id="fvm_settings_js_thirdparty" class="large-text code" placeholder="<?php _e( '--- example ---', 'fast-velocity-minify' ); ?>
+function(w,d,s,l,i)
 function(f,b,e,v,n,t,s)
 function(h,o,t,j,a,r)
-www.googletagmanager.com/gtm.js"><?php echo fvm_get_settings_value($fvm_settings, 'js', 'thirdparty'); ?></textarea></p>
+www.googletagmanager.com/gtm.js"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'js', 'thirdparty')); ?></textarea></p>
 <p class="description">[ <?php _e( 'Used interaction events: mouseover, keydown, touchstart, touchmove and wheel', 'fast-velocity-minify' ); ?> ]</p>
 <p class="description">[ <?php _e( 'Will match using <code>PHP stripos</code> against the inline script <code>innerHTML</code> or <code>src</code> attribute for JS files', 'fast-velocity-minify' ); ?> ]</p>
@@ -302 +302 @@
 <td><fieldset>
 <label for="fvm_settings_js_remove"><span class="fvm-bold-green fvm-rowintro"><?php _e( 'Remove the following JS files or Inline Scripts', 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[js][remove]" rows="7" cols="50" id="fvm_settings_js_remove" class="large-text code" placeholder="<?php _e( '--- example ---', 'fast-velocity-minify' ); ?> 
-/some/duplicate/file.js"><?php echo fvm_get_settings_value($fvm_settings, 'js', 'remove'); ?></textarea></p>
+<p><textarea name="fvm_settings[js][remove]" rows="7" cols="50" id="fvm_settings_js_remove" class="large-text code" placeholder="<?php _e( '--- example ---', 'fast-velocity-minify' ); ?>
+/some/duplicate/file.js"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'js', 'remove')); ?></textarea></p>
 <p class="description">[ <?php _e( 'This will allow you to remove unwanted script tags from the frontend', 'fast-velocity-minify' ); ?> ]</p>
 <p class="description">[ <?php _e( 'Will match using <code>PHP stripos</code> against the script <code>outerHTML</code>', 'fast-velocity-minify' ); ?> ]</p>
@@ -347 +347 @@
 <td><fieldset>
 <label for="fvm_settings_cdn_domain">
-<p><input type="text" name="fvm_settings[cdn][domain]" id="fvm_settings_cdn_domain" value="<?php echo fvm_get_settings_value($fvm_settings, 'cdn', 'domain'); ?>" size="80" /></p>
+<p><input type="text" name="fvm_settings[cdn][domain]" id="fvm_settings_cdn_domain" value="<?php echo esc_attr(fvm_get_settings_value($fvm_settings, 'cdn', 'domain')); ?>" size="80" /></p>
 <p class="description">[ <?php _e( 'You can ignore this if your CDN url matches your domain name (ie: Cloudflare)', 'fast-velocity-minify' ); ?> ]</p>
 </label>
@@ -357 +357 @@
 <td><fieldset>
 <label for="fvm_settings_cdn_integration"><span class="fvm-bold-green fvm-rowintro"><?php _e( 'Missing HTML elements to replace', 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[cdn][integration]" rows="7" cols="50" id="fvm_settings_cdn_integration" class="large-text code" placeholder="--- check the help section for suggestions ---"><?php echo fvm_get_settings_value($fvm_settings, 'cdn', 'integration'); ?></textarea></p>
+<p><textarea name="fvm_settings[cdn][integration]" rows="7" cols="50" id="fvm_settings_cdn_integration" class="large-text code" placeholder="--- check the help section for suggestions ---"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'cdn', 'integration')); ?></textarea></p>
 <p class="description">[ <?php _e( 'Additional replacement rules with syntax from <code>https://simplehtmldom.sourceforge.io/manual.htm</code>', 'fast-velocity-minify' ); ?> ]</p>
 </fieldset></td>
@@ -373 +373 @@
 <td><fieldset>
 <label for="fvm_settings_settings_qs"><span class="fvm-bold-green fvm-rowintro"><?php _e( 'One query string key per line', 'fast-velocity-minify' ); ?></span></label>
-<p><textarea name="fvm_settings[settings][qs]" rows="7" cols="50" id="fvm_settings_settings_qs" class="large-text code" placeholder="--- check the help section for suggestions ---"><?php echo fvm_get_settings_value($fvm_settings, 'settings', 'qs'); ?></textarea></p>
+<p><textarea name="fvm_settings[settings][qs]" rows="7" cols="50" id="fvm_settings_settings_qs" class="large-text code" placeholder="--- check the help section for suggestions ---"><?php echo esc_textarea(fvm_get_settings_value($fvm_settings, 'settings', 'qs')); ?></textarea></p>
 <p class="description">[ <?php _e( 'Additional query strings, keys only', 'fast-velocity-minify' ); ?> ]</p>
 </fieldset></td>

fast-velocity-minify/trunk/readme.txt

@@ -4 +4 @@
 Requires at least: 5.6
 Requires PHP: 7.2
-Stable tag: 3.5.1
+Stable tag: 3.5.2
 Tested up to: 6.8.3
 Text Domain: fast-velocity-minify
@@ -49 +49 @@
 
 == Changelog ==
+
+= 3.5.2 [2025.10.22] =
+* **SECURITY**: Fixed Stored XSS vulnerability in CDN domain input validation (CVE-2025-12034)
+* **SECURITY**: Fixed Path Traversal vulnerability allowing arbitrary local file disclosure
+* **SECURITY**: Enabled TLS certificate verification for external resource downloads
+* **SECURITY**: Added AJAX nonce validation for log retrieval endpoint (CSRF protection)
+* **SECURITY**: Added URL protocol whitelist and SSRF prevention for external requests
+* **SECURITY**: Added sensitive file protection blocking access to wp-config.php, .htaccess, .env files
+* **SECURITY**: Added output escaping for all admin textarea fields
+* Fixed transient checker operator precedence bug causing unnecessary database checks
+* Fixed AJAX nonce implementation to properly pass security token from JavaScript
 
 = 3.5.1 [2025.10.22] =