Three and a half stars, or am I being too strict?
Monthly Archives: September 2020
Septemberishness on Our Tube
September is still the most beautiful month in the world, so allow me (after having forgotten to do so for a few years) to celebrate that with this Septemberish song by the German band Thief:
Want to test AVIF images with Autoptimize’s Image Optimization?
So AVIF is a new(ish) image format that promises even better optimization than WebP. It is supported in desktop Chrome and, behind a preference, in Firefox: go to about:config and set image.avif.enabled to true.
If you are using Autoptimize to optimize your images and you want to test AVIF images, you can use the code snippet below to do so:
add_filter('autoptimize_filter_imgopt_webp_js', function(){return '';});
Use the Code Snippets plugin to add this (easy and safe) or, if you’re adventurous, add it to your theme’s functions.php.
Avif coming to Autoptimize
Likely coming with the next Autoptimize update, stay tuned :)
Read: Ik, Jan Cremer.
Is it still relevant? Well, as a document of its time, perhaps?
Autoptimize < 2.7.7 security vulnerabilities debrief
2.7.7 fixed two vulnerabilities: an authenticated cross-site scripting (XSS) and an arbitrary file upload.
- XSS:
- Problem: administrator users were able to leave JavaScript in the exclusion fields for CSS and JS optimization, which led to that JS being executed when the settings page was (re-)loaded.
- Risk: This could be abused by one administrator to execute JS against another administrator.
- Solution: This was fixed by applying esc_html (to become esc_attr in the next version, as suggested by George Stephanis) to escape the JS code and avoid it getting executed.
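To make the fix concrete, here is an added example (not Autoptimize's own code) of the vulnerable and the escaped way of writing a stored exclusion setting into an input's value attribute. The option and field names are made up; it assumes WordPress is loaded, and the stand-ins at the top approximate esc_attr()/esc_html() with htmlspecialchars() so the file can also be run from the PHP CLI:

```php
<?php
// Added example, not Autoptimize's code. Option/field names are hypothetical.
// Stand-ins so the file runs outside WordPress; inside WordPress the real
// esc_attr()/esc_html() are used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}

// Vulnerable: the stored setting is written into the attribute verbatim, so a
// value containing a double quote closes the attribute and whatever follows it
// is parsed as markup (stored XSS from one administrator against another).
function render_exclude_field_vulnerable( $stored_value ) {
    return '<input type="text" name="autoptimize_js_exclude" value="' . $stored_value . '">';
}

// Fixed: esc_attr() turns ", ', <, > and & into entities, so the whole value
// stays inside the attribute and is never interpreted as a tag. esc_html(),
// which 2.7.7 used, also escapes quotes and angle brackets; esc_attr() is
// simply the function meant for attribute context.
function render_exclude_field_fixed( $stored_value ) {
    return '<input type="text" name="autoptimize_js_exclude" value="' . esc_attr( $stored_value ) . '">';
}

// Quick self-check: the escaped output must not contain a raw "<script".
function exclude_field_is_safe( $stored_value ) {
    return strpos( render_exclude_field_fixed( $stored_value ), '<script' ) === false;
}

// Constructed sample of what could have been saved in the exclusion field.
$sample = 'jquery.js, "><script>console.log("xss")</script>';
echo render_exclude_field_vulnerable( $sample ), PHP_EOL;
echo render_exclude_field_fixed( $sample ), PHP_EOL;
echo exclude_field_is_safe( $sample ) ? 'escaped output is safe' : 'NOT safe', PHP_EOL;
```

The same rule applies to every place a setting is echoed back: escape for the context it lands in (esc_attr() for attributes, esc_html() for element text, esc_url() for href/src), at output time, regardless of who saved the value.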
- Arbitrary File Upload:
- Problem: the code that processes Critical CSS settings imports did insufficient checks to ensure no malicious files were uploaded: it lacked a user capability check, did not check that the uploaded file's extension was zip and did not check the contents of the zip file. It did, however, check for a correct nonce for that specific action.
- Risk: this could lead to authenticated attackers uploading PHP-files that could be executed, but that risk was very much limited by the nonce-check (which all exploits I have seen happily ignore).
- Solution: the code has been updated to do a capability check, to make sure the uploaded file is a zip file and, most importantly, to delete any unknown file found immediately after unzipping (based on a list of known-good files).
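As an added illustration (not Autoptimize's own code) of the three checks listed above, here is a hardened import handler. The nonce action, the allowlist of file names and the function name are invented; it assumes WordPress, with stand-ins for current_user_can() and wp_verify_nonce() so the self-test at the bottom runs from the PHP CLI. Instead of extracting everything and then deleting unknown files, as the post describes, it checks each archive entry against the allowlist before writing it, which has the same effect:

```php
<?php
// Added example, not Autoptimize's code. Names are hypothetical.
if ( ! function_exists( 'current_user_can' ) ) {
    function current_user_can( $cap ) { return true; }          // stand-in: behave as an admin
}
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_verify_nonce( $nonce, $action ) { return $nonce === 'valid-nonce'; } // stand-in
}

// Allowlist of the file names a legitimate settings export contains (constructed).
const CCSS_KNOWN_GOOD = array( 'settings.json', 'rules.json' );

// $original_name is the client-supplied file name ($_FILES[...]['name']) and
// $tmp_path the server-side temp file ($_FILES[...]['tmp_name']); the temp path
// has no extension, so the extension check must use the original name.
function ccss_import_settings( $nonce, $original_name, $tmp_path, $target_dir ) {
    // 1. Capability check: the check that was missing before 2.7.7.
    if ( ! current_user_can( 'manage_options' ) ) {
        return array( 'ok' => false, 'error' => 'insufficient capability' );
    }
    // 2. Nonce check for this specific action (was already present).
    if ( ! wp_verify_nonce( $nonce, 'ao_ccss_import' ) ) {
        return array( 'ok' => false, 'error' => 'bad nonce' );
    }
    // 3. Extension check, plus the archive must actually open as a zip.
    if ( strtolower( pathinfo( $original_name, PATHINFO_EXTENSION ) ) !== 'zip' ) {
        return array( 'ok' => false, 'error' => 'not a zip file' );
    }
    $zip = new ZipArchive();
    if ( $zip->open( $tmp_path ) !== true ) {
        return array( 'ok' => false, 'error' => 'cannot open archive' );
    }
    // 4. Content check: only exactly-matching known-good names are written to disk.
    //    Because the match is on the full entry name, entries with directory
    //    components never reach $target_dir either.
    $kept = array();
    $skipped = array();
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        if ( in_array( $name, CCSS_KNOWN_GOOD, true ) ) {
            file_put_contents( $target_dir . '/' . $name, $zip->getFromIndex( $i ) );
            $kept[] = $name;
        } else {
            $skipped[] = $name;   // a .php file or anything unexpected ends up here
        }
    }
    $zip->close();
    return array( 'ok' => true, 'kept' => $kept, 'skipped' => $skipped );
}

// Self-test with a constructed archive: one legitimate file, one stray .php file.
$tmp = sys_get_temp_dir() . '/ao_import_' . uniqid();
mkdir( $tmp );
$archive = $tmp . '/upload.tmp';   // like tmp_name: no extension on disk
$zip = new ZipArchive();
$zip->open( $archive, ZipArchive::CREATE );
$zip->addFromString( 'settings.json', '{"constructed": true}' );
$zip->addFromString( 'unexpected.php', '<?php /* constructed; must never be written */' );
$zip->close();
var_dump( ccss_import_settings( 'valid-nonce', 'export.zip', $archive, $tmp ) );
var_dump( file_exists( $tmp . '/unexpected.php' ) );
```

Running the self-test should show settings.json under "kept", unexpected.php under "skipped", and the final file_exists() check returning false. Note that the nonce check alone, as the post says, already blocks the cut-and-paste exploits that ignore it, but a nonce only proves the request came from a form the user loaded; it is the capability check that proves the user was allowed to import in the first place, and the allowlist that bounds what an import can put on disk.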
A big thank you to the two security researchers (Erin Germ for the XSS and an anonymous whitehatter for the file upload problem) who reported these vulnerabilities in a responsible manner and to the WordPress plugin team for their invaluable help in keeping our users safe.