Changeset 3421231

Timestamp:

12/16/2025 04:07:13 PM (2 months ago)

Author:

rosell.dk

Message:

0.25.10. Protects the config files from being accessed directly on NGINX by renaming them to randomized names. It also creates an index.php to prevent directory listing

Location:

webp-express

Files:

• tags/0.25.10 (copied) (copied from webp-express/trunk)
• tags/0.25.10/README.txt (modified) (5 diffs)
• tags/0.25.10/lib/classes/AdminInit.php (modified) (2 diffs)
• tags/0.25.10/lib/classes/Config.php (modified) (1 diff)
• tags/0.25.10/lib/classes/ConfigMigrationInit.php (added)
• tags/0.25.10/lib/classes/ConvertHelperIndependent.php (modified) (1 diff)
• tags/0.25.10/lib/classes/HTAccessRules.php (modified) (9 diffs)
• tags/0.25.10/lib/classes/Paths.php (modified) (3 diffs)
• tags/0.25.10/lib/classes/WodConfigLoader.php (modified) (2 diffs)
• tags/0.25.10/lib/dismissable-global-messages/0.25.10 (added)
• tags/0.25.10/lib/dismissable-global-messages/0.25.10/failed-renaming-config-file.php (added)
• tags/0.25.10/lib/dismissable-global-messages/0.25.10/renamed-config-file.php (added)
• tags/0.25.10/lib/migrate/migrate15.php (added)
• tags/0.25.10/webp-express.php (modified) (2 diffs)
• trunk/README.txt (modified) (5 diffs)
• trunk/docs/publishing.md (modified) (1 diff)
• trunk/lib/classes/AdminInit.php (modified) (2 diffs)
• trunk/lib/classes/Config.php (modified) (1 diff)
• trunk/lib/classes/ConfigMigrationInit.php (added)
• trunk/lib/classes/ConvertHelperIndependent.php (modified) (1 diff)
• trunk/lib/classes/HTAccessRules.php (modified) (9 diffs)
• trunk/lib/classes/Paths.php (modified) (3 diffs)
• trunk/lib/classes/WodConfigLoader.php (modified) (2 diffs)
• trunk/lib/dismissable-global-messages/0.25.10 (added)
• trunk/lib/dismissable-global-messages/0.25.10/failed-renaming-config-file.php (added)
• trunk/lib/dismissable-global-messages/0.25.10/renamed-config-file.php (added)
• trunk/lib/migrate/migrate15.php (added)
• trunk/webp-express.php (modified) (2 diffs)

webp-express/tags/0.25.10/README.txt

@@ -4 +4 @@
 Tags: webp, images, performance
 Requires at least: 4.0
-Tested up to: 6.5
-Stable tag: 0.25.9
+Tested up to: 6.9
+Stable tag: 0.25.10
 Requires PHP: 5.6
 License: GPLv3
@@ -174 +174 @@
 **Persons who recently contributed with [ko-fi](https://ko-fi.com/rosell) - Thanks!**
 
-* 3 Nov: Tobi
-* 5 Nov: Anon
-* 18 Nov: Oleksii
-* 20 Feb: Assen Kovatchev
-* 22 Feb: Peter
-* 29 Feb: Luis Méndez Alejo
-* 5 Mar: tomottoe
-* 9 Mar: La Braud
+* 9 Aug: Tanzi
+* 3 Jul: Jen
+* 26 Jun: Per
+* 16 May: Erick Danzer
+* 8 May: Mike
+* 31 May: parallactic
+* 14 May: Gitte Rebsdorf
+* 9 May: La Braud
 
 **Persons who contributed with extra generously amounts of coffee / lifetime backing (>30$) - thanks!:**
@@ -196 +196 @@
 * Brian Laursen ($50)
 * Dimitris Vayenas ($50)
-
-**Persons currently backing the project via GitHub Sponsors or patreon - Thanks!**
-
-* [Mathieu Gollain-Dupont](https://www.linkedin.com/in/mathieu-gollain-dupont-9938a4a/)
 
 == Frequently Asked Questions ==
@@ -819 +815 @@
 == Changelog ==
 
+= 0.25.10 =
+(released 15 December 2025)
+* Security fix: Config file was exposed on systems running on NGINX. Herr Patrick Müller from Switzerland for creating a patch as well as Rune Philosof from Denmark for improving it. Some credit also goes to myself for perfecting the patch. Sorry for slacking on the maintenance. There are good reasons for this, but I can and will do better in the future
+
 = 0.25.9 =
 (released 7 April 2024)
@@ -868 +868 @@
 == Upgrade Notice ==
 
+= 0.25.10 =
+* Security fix. The config file could be exposed on NGINX
+
 = 0.25.9 =
 * Fixed ewww conversion method after ewww API change

webp-express/tags/0.25.10/lib/classes/AdminInit.php

@@ -26 +26 @@
     {
         // When an update requires a migration, the number should be increased
-        define('WEBPEXPRESS_MIGRATION_VERSION', '14');
+        define('WEBPEXPRESS_MIGRATION_VERSION', '15');
 
         if (WEBPEXPRESS_MIGRATION_VERSION != Option::getOption('webp-express-migration-version', 0)) {
@@ -34 +34 @@
 
         // uncomment next line to test-run a migration
-        //include WEBPEXPRESS_PLUGIN_DIR . '/lib/migrate/migrate14.php';
+        //include WEBPEXPRESS_PLUGIN_DIR . '/lib/migrate/migrate15.php';
     }
 

webp-express/tags/0.25.10/lib/classes/Config.php

@@ -9 +9 @@
 
     /**
+     * Migrate old predictable config files to randomized names (CVE-2025-11379 fix)
+     * This should be called during plugin upgrade or early on admin load
+     */
+    public static function migrateConfigFiles()
+    {
+        $oldConfigFile = Paths::getOldConfigFileName();
+        $newConfigFile = Paths::getConfigFileName();
+        $oldWodFile = Paths::getOldWodOptionsFileName();
+        $newWodFile = Paths::getWodOptionsFileName();
+
+        $migrated = false;
+
+        // Migrate config.json if it exists and new one doesn't
+        if (file_exists($oldConfigFile) && !file_exists($newConfigFile)) {
+            if (@rename($oldConfigFile, $newConfigFile)) {
+                $migrated = true;
+            } elseif (@copy($oldConfigFile, $newConfigFile)) {
+                @unlink($oldConfigFile);
+                $migrated = true;
+            }
+        }
+
+        // Migrate wod-options.json if it exists and new one doesn't
+        if (file_exists($oldWodFile) && !file_exists($newWodFile)) {
+            if (@rename($oldWodFile, $newWodFile)) {
+                $migrated = true;
+            } elseif (@copy($oldWodFile, $newWodFile)) {
+                @unlink($oldWodFile);
+                $migrated = true;
+            }
+        }
+
+        // Clean up any remaining old files (in case new files already existed)
+        if (file_exists($oldConfigFile) && file_exists($newConfigFile)) {
+            @unlink($oldConfigFile);
+        }
+        if (file_exists($oldWodFile) && file_exists($newWodFile)) {
+            @unlink($oldWodFile);
+        }
+
+        return $migrated;
+    }
+
+    /**
+     * Check and perform config file migration if needed (CVE-2025-11379 fix)
+     * This is called early on admin load to ensure migration happens even if options page is never visited
+     *
+     * @return boolean true if its either already migrated or it was migratede successfully or there is no need for migration (in case one starts from newer WebP Express version). false if migration fails
+     */
+    public static function checkAndMigrateConfigIfNeeded()
+    {
+        // Only run once per request to avoid performance impact
+        static $checked = false;
+        if ($checked) {
+            return true;
+        }
+        $checked = true;
+
+        // Check if migration flag is set to avoid checking filesystem on every request
+        if (Option::getOption('webp-express-config-migrated-cve-2025-11379', false)) {
+            return true;
+        }
+
+        // Check if old files exist
+        $oldConfigFile = Paths::getOldConfigFileName();
+        $oldWodFile = Paths::getOldWodOptionsFileName();
+
+        if (file_exists($oldConfigFile) || file_exists($oldWodFile)) {
+            if (self::migrateConfigFiles()) {
+                Option::updateOption('webp-express-config-migrated-cve-2025-11379', true, true);
+                return true;
+            }
+            return false;
+        } else {
+            // No old files found, mark as migrated to avoid future checks
+            Option::updateOption('webp-express-config-migrated-cve-2025-11379', true, true);
+            return true;
+        }
+    }
+
+    /**
      *  @return  object|false   Returns config object if config file exists and can be read. Otherwise it returns false
      */
     public static function loadConfig()
     {
+        // Attempt migration before loading config
+        self::checkAndMigrateConfigIfNeeded();
+
         return FileHelper::loadJSONOptions(Paths::getConfigFileName());
     }

webp-express/tags/0.25.10/lib/classes/ConvertHelperIndependent.php

@@ -572 +572 @@
 
         // TODO: Put version number somewhere else. Ie \WebPExpress\VersionNumber::version
-        $text = 'WebP Express 0.25.9. ' . $msgTop . ', ' . date("Y-m-d H:i:s") . "\n\r\n\r" . $text;
+        $text = 'WebP Express 0.25.10. ' . $msgTop . ', ' . date("Y-m-d H:i:s") . "\n\r\n\r" . $text;
 
         $logFile = self::getLogFilename($source, $logDir);

webp-express/tags/0.25.10/lib/classes/HTAccessRules.php

@@ -435 +435 @@
 
 
+        $configHash = Paths::getConfigHash();
+
         if (self::$useDocRootForStructuringCacheDir) {
             /*
@@ -447 +449 @@
             if (!self::$passThroughEnvVarDefinitelyUnavailable) {
                 $flags[] = 'E=DESTINATIONREL:' . self::$htaccessDirRelToDocRoot . '/$0';
-            }
-            if (!self::$passThroughEnvVarDefinitelyUnavailable) {
-                $flags[] = 'E=WPCONTENT:' . Paths::getContentDirRel();
+                $flags[] = 'E=WPCONTENT:' . Paths::getContentDirRel() . '/$0';
+                $flags[] = 'E=HASH:' . $configHash;
             }
             $flags[] = 'NC';
@@ -460 +461 @@
             if (!self::$passThroughEnvVarDefinitelyAvailable) {
                 $params[] = "wp-content=" . Paths::getContentDirRel();
+                $params[] = "hash=" . $configHash;
             }
 
@@ -486 +488 @@
                 $flags[] = 'E=WE_DESTINATION_REL_HTACCESS:$0';
                 $flags[] = 'E=WE_HTACCESS_ID:' . self::$htaccessDir;    // this will btw either be "uploads" or "cache"
+                $flags[] = 'E=HASH:' . $configHash;
             }
             $flags[] = 'NC';  // case-insensitive match (so file extension can be jpg, JPG or even jPg)
@@ -495 +498 @@
                 $params[] = 'xdestination-rel-htaccess=x$0';
                 $params[] = 'htaccess-id=' . self::$htaccessDir;
+                $params[] = "hash=" . $configHash;
             }
 
@@ -633 +637 @@
         }
 
+        $configHash = Paths::getConfigHash();
         if (self::$useDocRootForStructuringCacheDir) {
             /*
@@ -653 +658 @@
             if (!self::$passThroughEnvVarDefinitelyAvailable) {
                 $params[] = "wp-content=" . Paths::getContentDirRel();
+                $params[] = "hash=" . $configHash;
             }
             if (!self::$passThroughEnvVarDefinitelyUnavailable) {
                 $flags[] = 'E=WPCONTENT:' . Paths::getContentDirRel();
+                $flags[] = 'E=HASH:' . $configHash;
             }
 
@@ -684 +691 @@
                 $flags[] = 'E=WE_WP_CONTENT_REL_TO_WE_PLUGIN_DIR:' . Paths::getContentDirRelToWebPExpressPluginDir();
                 $flags[] = 'E=WE_SOURCE_REL_HTACCESS:$0';
-                $flags[] = 'E=WE_HTACCESS_ID:' . self::$htaccessDir;    // this will btw be one of the image roots. It will not be "cache"
+                $flags[] = 'E=WE_HTACCESS_ID:' . self::$htaccessDir;
+                $flags[] = 'E=HASH:' . $configHash;  // this will btw be one of the image roots. It will not be "cache"
             }
             $flags[] = 'NC';  // case-insensitive match (so file extension can be jpg, JPG or even jPg)
@@ -694 +702 @@
                 $params[] = 'xsource-rel-htaccess=x$0';
                 $params[] = 'htaccess-id=' . self::$htaccessDir;
+                $params[] = "hash=" . $configHash;
             }
 

webp-express/tags/0.25.10/lib/classes/Paths.php

@@ -428 +428 @@
     {
         return PathHelper::getRelPathFromDocRootToDirNoDirectoryTraversalAllowed(self::getConfigDirAbs());
+    }
+
+    /**
+     * Get or create a random hash for config filename obfuscation (CVE-2025-11379 fix)
+     * This prevents predictable config file access on Nginx servers
+     */
+    public static function getConfigHash()
+    {
+        $hash = \WebPExpress\Option::getOption('webp-express-config-hash', false);
+        if (!$hash) {
+            // Generate a cryptographically secure random hash
+            if (function_exists('random_bytes')) {
+                $hash = bin2hex(random_bytes(16));
+            } else {
+                // Fallback for older PHP versions
+                $hash = md5(uniqid(mt_rand(), true) . microtime(true));
+            }
+            \WebPExpress\Option::updateOption('webp-express-config-hash', $hash, true);
+        }
+        return $hash;
     }
 
@@ -450 +470 @@
             );
             @chmod($configDir . '/.htaccess', 0664);
+
+            // Additional protection for Nginx: PHP-based access control (CVE-2025-11379 fix)
+            @file_put_contents(rtrim($configDir . '/') . '/index.php', <<<'PHP'
+<?php
+// Prevent direct access to config files on Nginx (CVE-2025-11379 fix)
+if (!defined('ABSPATH')) {
+    http_response_code(403);
+    die('Direct access forbidden');
+}
+PHP
+            );
+            @chmod($configDir . '/index.php', 0644);
         }
         return is_dir($configDir);
@@ -456 +488 @@
     public static function getConfigFileName()
     {
+        // Use randomized filename to prevent predictable access on Nginx (CVE-2025-11379 fix)
+        $hash = self::getConfigHash();
+        return self::getConfigDirAbs() . '/config.' . $hash . '.json';
+    }
+
+    public static function getWodOptionsFileName()
+    {
+        // Use randomized filename to prevent predictable access on Nginx (CVE-2025-11379 fix)
+        $hash = self::getConfigHash();
+        return self::getConfigDirAbs() . '/wod-options.' . $hash . '.json';
+    }
+
+    /**
+     * Get old predictable config filename for migration purposes
+     */
+    public static function getOldConfigFileName()
+    {
         return self::getConfigDirAbs() . '/config.json';
     }
 
-    public static function getWodOptionsFileName()
+    /**
+     * Get old predictable wod-options filename for migration purposes
+     */
+    public static function getOldWodOptionsFileName()
     {
         return self::getConfigDirAbs() . '/wod-options.json';

webp-express/tags/0.25.10/lib/classes/WodConfigLoader.php

@@ -183 +183 @@
     protected static function loadConfig() {
 
+        $hash = self::getEnvPassedInRewriteRule('HASH');
+        if ($hash === false) {
+            // Passed in QS?
+            if (isset($_GET['hash'])) {
+                $hash = $_GET['hash'];
+            } else {
+                // In case above fails, fall back to standard location
+                $hash = '';
+            }
+        }
+        $filename = '';
+
+        if ($hash == '') {
+            $filename = 'wod-options.json';
+        } else {
+            $filename = 'wod-options.' . $hash . '.json';
+        }
+
         $usingDocRoot = !(
             isset($_GET['xwp-content-rel-to-we-plugin-dir']) ||
@@ -218 +236 @@
         self::$checking = 'config file';
 
-        $configFilename = self::$webExpressContentDirAbs . '/config/wod-options.json';
+        $configFilename = self::$webExpressContentDirAbs . '/config/' . $filename;
         if (!file_exists($configFilename)) {
-            throw new \Exception('Configuration file was not found (wod-options.json)');
+            throw new \Exception('Configuration file was not found (wod-options.some-hash.json)');
         }
 

webp-express/tags/0.25.10/webp-express.php

@@ -4 +4 @@
  * Plugin URI: https://github.com/rosell-dk/webp-express
  * Description: Serve autogenerated WebP images instead of jpeg/png to browsers that supports WebP. Works on anything (media library images, galleries, theme images etc).
- * Version: 0.25.9
+ * Version: 0.25.10
  * Author: Bjørn Rosell
  * Author URI: https://www.bitwise-it.dk
@@ -31 +31 @@
 
 if (is_admin()) {
+    // Initialize admin hooks
     \WebPExpress\AdminInit::init();
 }

webp-express/trunk/README.txt

@@ -4 +4 @@
 Tags: webp, images, performance
 Requires at least: 4.0
-Tested up to: 6.5
-Stable tag: 0.25.9
+Tested up to: 6.9
+Stable tag: 0.25.10
 Requires PHP: 5.6
 License: GPLv3
@@ -174 +174 @@
 **Persons who recently contributed with [ko-fi](https://ko-fi.com/rosell) - Thanks!**
 
-* 3 Nov: Tobi
-* 5 Nov: Anon
-* 18 Nov: Oleksii
-* 20 Feb: Assen Kovatchev
-* 22 Feb: Peter
-* 29 Feb: Luis Méndez Alejo
-* 5 Mar: tomottoe
-* 9 Mar: La Braud
+* 9 Aug: Tanzi
+* 3 Jul: Jen
+* 26 Jun: Per
+* 16 May: Erick Danzer
+* 8 May: Mike
+* 31 May: parallactic
+* 14 May: Gitte Rebsdorf
+* 9 May: La Braud
 
 **Persons who contributed with extra generously amounts of coffee / lifetime backing (>30$) - thanks!:**
@@ -196 +196 @@
 * Brian Laursen ($50)
 * Dimitris Vayenas ($50)
-
-**Persons currently backing the project via GitHub Sponsors or patreon - Thanks!**
-
-* [Mathieu Gollain-Dupont](https://www.linkedin.com/in/mathieu-gollain-dupont-9938a4a/)
 
 == Frequently Asked Questions ==
@@ -819 +815 @@
 == Changelog ==
 
+= 0.25.10 =
+(released 15 December 2025)
+* Security fix: Config file was exposed on systems running on NGINX. Herr Patrick Müller from Switzerland for creating a patch as well as Rune Philosof from Denmark for improving it. Some credit also goes to myself for perfecting the patch. Sorry for slacking on the maintenance. There are good reasons for this, but I can and will do better in the future
+
 = 0.25.9 =
 (released 7 April 2024)
@@ -868 +868 @@
 == Upgrade Notice ==
 
+= 0.25.10 =
+* Security fix. The config file could be exposed on NGINX
+
 = 0.25.9 =
 * Fixed ewww conversion method after ewww API change

webp-express/trunk/docs/publishing.md

@@ -112 +112 @@
 ```
 cd svn
-svn cp trunk tags/0.25.9       (this will copy trunk into a new tag)
+svn cp trunk tags/0.25.10       (this will copy trunk into a new tag)
 ```
 
 And commit!
 ```
-svn ci -m '0.25.9'
+svn ci -m '0.25.10. Fixed '
 ```
 

webp-express/trunk/lib/classes/AdminInit.php

@@ -26 +26 @@
     {
         // When an update requires a migration, the number should be increased
-        define('WEBPEXPRESS_MIGRATION_VERSION', '14');
+        define('WEBPEXPRESS_MIGRATION_VERSION', '15');
 
         if (WEBPEXPRESS_MIGRATION_VERSION != Option::getOption('webp-express-migration-version', 0)) {
@@ -34 +34 @@
 
         // uncomment next line to test-run a migration
-        //include WEBPEXPRESS_PLUGIN_DIR . '/lib/migrate/migrate14.php';
+        // include WEBPEXPRESS_PLUGIN_DIR . '/lib/migrate/migrate15.php';
     }
 

webp-express/trunk/lib/classes/Config.php

@@ -9 +9 @@
 
     /**
+     * Migrate old predictable config files to randomized names (CVE-2025-11379 fix)
+     * This should be called during plugin upgrade or early on admin load
+     */
+    public static function migrateConfigFiles()
+    {
+        $oldConfigFile = Paths::getOldConfigFileName();
+        $newConfigFile = Paths::getConfigFileName();
+        $oldWodFile = Paths::getOldWodOptionsFileName();
+        $newWodFile = Paths::getWodOptionsFileName();
+
+        $migrated = false;
+
+        // Migrate config.json if it exists and new one doesn't
+        if (file_exists($oldConfigFile) && !file_exists($newConfigFile)) {
+            if (@rename($oldConfigFile, $newConfigFile)) {
+                $migrated = true;
+            } elseif (@copy($oldConfigFile, $newConfigFile)) {
+                @unlink($oldConfigFile);
+                $migrated = true;
+            }
+        }
+
+        // Migrate wod-options.json if it exists and new one doesn't
+        if (file_exists($oldWodFile) && !file_exists($newWodFile)) {
+            if (@rename($oldWodFile, $newWodFile)) {
+                $migrated = true;
+            } elseif (@copy($oldWodFile, $newWodFile)) {
+                @unlink($oldWodFile);
+                $migrated = true;
+            }
+        }
+
+        // Clean up any remaining old files (in case new files already existed)
+        if (file_exists($oldConfigFile) && file_exists($newConfigFile)) {
+            @unlink($oldConfigFile);
+        }
+        if (file_exists($oldWodFile) && file_exists($newWodFile)) {
+            @unlink($oldWodFile);
+        }
+
+        return $migrated;
+    }
+
+    /**
+     * Check and perform config file migration if needed (CVE-2025-11379 fix)
+     * This is called early on admin load to ensure migration happens even if options page is never visited
+     *
+     * @return boolean true if its either already migrated or it was migratede successfully or there is no need for migration (in case one starts from newer WebP Express version). false if migration fails
+     */
+    public static function checkAndMigrateConfigIfNeeded()
+    {
+        // Only run once per request to avoid performance impact
+        static $checked = false;
+        if ($checked) {
+            return true;
+        }
+        $checked = true;
+
+        // Check if migration flag is set to avoid checking filesystem on every request
+        if (Option::getOption('webp-express-config-migrated-cve-2025-11379', false)) {
+            return true;
+        }
+
+        // Check if old files exist
+        $oldConfigFile = Paths::getOldConfigFileName();
+        $oldWodFile = Paths::getOldWodOptionsFileName();
+
+        if (file_exists($oldConfigFile) || file_exists($oldWodFile)) {
+            if (self::migrateConfigFiles()) {
+                Option::updateOption('webp-express-config-migrated-cve-2025-11379', true, true);
+                return true;
+            }
+            return false;
+        } else {
+            // No old files found, mark as migrated to avoid future checks
+            Option::updateOption('webp-express-config-migrated-cve-2025-11379', true, true);
+            return true;
+        }
+    }
+
+    /**
      *  @return  object|false   Returns config object if config file exists and can be read. Otherwise it returns false
      */
     public static function loadConfig()
     {
+        // Attempt migration before loading config
+        self::checkAndMigrateConfigIfNeeded();
+
         return FileHelper::loadJSONOptions(Paths::getConfigFileName());
     }

webp-express/trunk/lib/classes/ConvertHelperIndependent.php

@@ -572 +572 @@
 
         // TODO: Put version number somewhere else. Ie \WebPExpress\VersionNumber::version
-        $text = 'WebP Express 0.25.9. ' . $msgTop . ', ' . date("Y-m-d H:i:s") . "\n\r\n\r" . $text;
+        $text = 'WebP Express 0.25.10. ' . $msgTop . ', ' . date("Y-m-d H:i:s") . "\n\r\n\r" . $text;
 
         $logFile = self::getLogFilename($source, $logDir);

webp-express/trunk/lib/classes/HTAccessRules.php

@@ -435 +435 @@
 
 
+        $configHash = Paths::getConfigHash();
+
         if (self::$useDocRootForStructuringCacheDir) {
             /*
@@ -447 +449 @@
             if (!self::$passThroughEnvVarDefinitelyUnavailable) {
                 $flags[] = 'E=DESTINATIONREL:' . self::$htaccessDirRelToDocRoot . '/$0';
-            }
-            if (!self::$passThroughEnvVarDefinitelyUnavailable) {
-                $flags[] = 'E=WPCONTENT:' . Paths::getContentDirRel();
+                $flags[] = 'E=WPCONTENT:' . Paths::getContentDirRel() . '/$0';
+                $flags[] = 'E=HASH:' . $configHash;
             }
             $flags[] = 'NC';
@@ -460 +461 @@
             if (!self::$passThroughEnvVarDefinitelyAvailable) {
                 $params[] = "wp-content=" . Paths::getContentDirRel();
+                $params[] = "hash=" . $configHash;
             }
 
@@ -486 +488 @@
                 $flags[] = 'E=WE_DESTINATION_REL_HTACCESS:$0';
                 $flags[] = 'E=WE_HTACCESS_ID:' . self::$htaccessDir;    // this will btw either be "uploads" or "cache"
+                $flags[] = 'E=HASH:' . $configHash;
             }
             $flags[] = 'NC';  // case-insensitive match (so file extension can be jpg, JPG or even jPg)
@@ -495 +498 @@
                 $params[] = 'xdestination-rel-htaccess=x$0';
                 $params[] = 'htaccess-id=' . self::$htaccessDir;
+                $params[] = "hash=" . $configHash;
             }
 
@@ -633 +637 @@
         }
 
+        $configHash = Paths::getConfigHash();
         if (self::$useDocRootForStructuringCacheDir) {
             /*
@@ -653 +658 @@
             if (!self::$passThroughEnvVarDefinitelyAvailable) {
                 $params[] = "wp-content=" . Paths::getContentDirRel();
+                $params[] = "hash=" . $configHash;
             }
             if (!self::$passThroughEnvVarDefinitelyUnavailable) {
                 $flags[] = 'E=WPCONTENT:' . Paths::getContentDirRel();
+                $flags[] = 'E=HASH:' . $configHash;
             }
 
@@ -684 +691 @@
                 $flags[] = 'E=WE_WP_CONTENT_REL_TO_WE_PLUGIN_DIR:' . Paths::getContentDirRelToWebPExpressPluginDir();
                 $flags[] = 'E=WE_SOURCE_REL_HTACCESS:$0';
-                $flags[] = 'E=WE_HTACCESS_ID:' . self::$htaccessDir;    // this will btw be one of the image roots. It will not be "cache"
+                $flags[] = 'E=WE_HTACCESS_ID:' . self::$htaccessDir;
+                $flags[] = 'E=HASH:' . $configHash;  // this will btw be one of the image roots. It will not be "cache"
             }
             $flags[] = 'NC';  // case-insensitive match (so file extension can be jpg, JPG or even jPg)
@@ -694 +702 @@
                 $params[] = 'xsource-rel-htaccess=x$0';
                 $params[] = 'htaccess-id=' . self::$htaccessDir;
+                $params[] = "hash=" . $configHash;
             }
 

webp-express/trunk/lib/classes/Paths.php

@@ -430 +430 @@
     }
 
-    public static function createConfigDirIfMissing()
+    /**
+     * Get or create a random hash for config filename obfuscation (CVE-2025-11379 fix)
+     * This prevents predictable config file access on Nginx servers
+     */
+    public static function getConfigHash()
+    {
+        $hash = \WebPExpress\Option::getOption('webp-express-config-hash', false);
+        if (!$hash) {
+            // Generate a cryptographically secure random hash
+            if (function_exists('random_bytes')) {
+                $hash = bin2hex(random_bytes(16));
+            } else {
+                // Fallback for older PHP versions
+                $hash = md5(uniqid(mt_rand(), true) . microtime(true));
+            }
+            \WebPExpress\Option::updateOption('webp-express-config-hash', $hash, true);
+        }
+        return $hash;
+    }
+
+    // Only call if certain that config dir exists
+    private static function doCreateIndexPHPInConfigDirIfMissing()
     {
         $configDir = self::getConfigDirAbs();
-        // Using code from Wordfence bootstrap.php...
-        // Why not simply use wp_mkdir_p ? - it sets the permissions to same as parent. Isn't that better?
-        // or perhaps not... - Because we need write permissions in the config dir.
-        if (!is_dir($configDir)) {
-            @mkdir($configDir, 0775);
-            @chmod($configDir, 0775);
-            @file_put_contents(rtrim($configDir . '/') . '/.htaccess', <<<APACHE
+        $indexPHPfilename = rtrim($configDir, '/') . '/index.php';
+
+        if (!@file_exists($indexPHPfilename)) {
+          // Additional protection for Nginx: PHP-based access control (CVE-2025-11379 fix)
+          @file_put_contents($indexPHPfilename, <<<'PHP'
+<?php
+// Prevent direct access to config files on Nginx (CVE-2025-11379 fix)
+if (!defined('ABSPATH')) {
+  http_response_code(403);
+  die('Direct access forbidden');
+}
+PHP
+          );
+          @chmod($indexPHPfilename, 0644);
+        }
+    }
+
+    // Only call if certain that config dir exists
+    private static function doCreateHTAccessInConfigDirIfMissing()
+    {
+        $configDir = self::getConfigDirAbs();
+        $filename = rtrim($configDir, '/') . '/.htaccess';
+
+        if (!@file_exists($filename)) {
+          // Additional protection for Nginx: PHP-based access control (CVE-2025-11379 fix)
+          @file_put_contents(rtrim($configDir . '/') . '/.htaccess', <<<APACHE
 <IfModule mod_authz_core.c>
 Require all denied
@@ -448 +488 @@
 </IfModule>
 APACHE
-            );
-            @chmod($configDir . '/.htaccess', 0664);
+          );
+          @chmod($filename, 0664);
+        }
+    }
+
+    public static function createIndexPHPInConfigDirIfMissing()
+    {
+        $configDir = self::getConfigDirAbs();
+
+        if (is_dir($configDir)) {
+          self::doCreateIndexPHPInConfigDirIfMissing();
+        }
+    }
+
+    public static function createConfigDirIfMissing()
+    {
+        $configDir = self::getConfigDirAbs();
+        // Using code from Wordfence bootstrap.php...
+        // Why not simply use wp_mkdir_p ? - it sets the permissions to same as parent. Isn't that better?
+        // or perhaps not... - Because we need write permissions in the config dir.
+        if (!is_dir($configDir)) {
+            @mkdir($configDir, 0775);
+            @chmod($configDir, 0775);
+
+            self::doCreateIndexPHPInConfigDirIfMissing();
+            self::doCreateHTAccessInConfigDirIfMissing();
+
         }
         return is_dir($configDir);
@@ -456 +521 @@
     public static function getConfigFileName()
     {
+        // Use randomized filename to prevent predictable access on Nginx (CVE-2025-11379 fix)
+        $hash = self::getConfigHash();
+        return self::getConfigDirAbs() . '/config.' . $hash . '.json';
+    }
+
+    public static function getWodOptionsFileName()
+    {
+        // Use randomized filename to prevent predictable access on Nginx (CVE-2025-11379 fix)
+        $hash = self::getConfigHash();
+        return self::getConfigDirAbs() . '/wod-options.' . $hash . '.json';
+    }
+
+    /**
+     * Get old predictable config filename for migration purposes
+     */
+    public static function getOldConfigFileName()
+    {
         return self::getConfigDirAbs() . '/config.json';
     }
 
-    public static function getWodOptionsFileName()
+    /**
+     * Get old predictable wod-options filename for migration purposes
+     */
+    public static function getOldWodOptionsFileName()
     {
         return self::getConfigDirAbs() . '/wod-options.json';

webp-express/trunk/lib/classes/WodConfigLoader.php

@@ -183 +183 @@
     protected static function loadConfig() {
 
+        $hash = self::getEnvPassedInRewriteRule('HASH');
+        if ($hash === false) {
+            // Passed in QS?
+            if (isset($_GET['hash'])) {
+                $hash = $_GET['hash'];
+            } else {
+                // In case above fails, fall back to standard location
+                $hash = '';
+            }
+        }
+        $filename = '';
+
+        if ($hash == '') {
+            $filename = 'wod-options.json';
+        } else {
+            $filename = 'wod-options.' . $hash . '.json';
+        }
+
         $usingDocRoot = !(
             isset($_GET['xwp-content-rel-to-we-plugin-dir']) ||
@@ -218 +236 @@
         self::$checking = 'config file';
 
-        $configFilename = self::$webExpressContentDirAbs . '/config/wod-options.json';
+        $configFilename = self::$webExpressContentDirAbs . '/config/' . $filename;
         if (!file_exists($configFilename)) {
-            throw new \Exception('Configuration file was not found (wod-options.json)');
+            throw new \Exception('Configuration file was not found (wod-options.some-hash.json)');
         }
 

webp-express/trunk/webp-express.php

@@ -4 +4 @@
  * Plugin URI: https://github.com/rosell-dk/webp-express
  * Description: Serve autogenerated WebP images instead of jpeg/png to browsers that supports WebP. Works on anything (media library images, galleries, theme images etc).
- * Version: 0.25.9
+ * Version: 0.25.10
  * Author: Bjørn Rosell
  * Author URI: https://www.bitwise-it.dk
@@ -31 +31 @@
 
 if (is_admin()) {
+    // Initialize admin hooks
     \WebPExpress\AdminInit::init();
 }