Experimenting with JS-based feature detection for the AVIF image format (if AVIF is available the code does not even test for WebP, hence the undefined).
Likely coming with the next Autoptimize update, stay tuned 🙂
lang:en: Blogposts on blog.futtta.be in English (mostly because these posts are republished in a non-Dutch-speaking context).
Autoptimize < 2.7.7 security vulnerabilities debrief
With Autoptimize 2.7.7 released on August 23rd and pushed by the WordPress plugins team on August 30th and 31st to all sites that were still on 2.7.0-2.7.6, resulting in just under one million downloads in 8 days' time, it is now the moment for a small debrief of the security issues that were fixed in this version.
2.7.7 fixed two vulnerabilities: one authenticated cross-site scripting (XSS) issue and one arbitrary file upload.
- XSS:
- Problem: administrator users were able to leave JavaScript in the exclusion fields for CSS and JS optimization, and that JS was then executed when the settings page was (re-)loaded.
- Risk: this could be abused by one administrator to execute JS in the browser of another administrator.
- Solution: this was fixed by applying `esc_html` (to become `esc_attr`, the escaping function for attribute context, in the next version as suggested by George Stephanis) so the stored value is rendered as inert text instead of being executed.
- Arbitrary File Upload:
- Problem: the code that processes Critical CSS settings imports did insufficient checks to ensure no malicious files were uploaded: it lacked a user capability check, did not check that the uploaded file had a zip extension and did not check the contents of the zip file. It did, however, check for a correct nonce for that specific action.
- Risk: this could lead to authenticated attackers uploading PHP files that could then be executed, but that risk was very much limited by the nonce check (which all exploits I have seen happily ignore): a WordPress nonce is tied to the logged-in user and to the action, so an attacker who cannot load the page that emits it has no valid nonce to submit.
- Solution: the code has been updated to do a capability check, to make sure the uploaded file is a zip file and, most importantly, to delete any unknown file immediately after unzipping (based on a list of known-good files).
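Both fixes in working form, as an added example that is not Autoptimize's own code: the exclusion field is printed with `esc_attr` because the stored value lands inside an HTML attribute, and the import handler does the capability check, the action-specific nonce check, the zip checks and the post-unzip allowlist sweep the debrief describes, plus a pre-extraction inspection so a `shell.php` or `../evil.php` entry never touches disk. Everything prefixed `example_` (function names, the `example_import_settings` nonce action, the `example_import_nonce` and `example_import_file` form fields, and the allowed-file list) is an assumption for illustration; the WordPress functions (`current_user_can`, `check_admin_referer`, `esc_attr`, `sanitize_file_name`, `wp_upload_dir`, `wp_mkdir_p`, `wp_die`) and PHP's `ZipArchive` are real.

```php
<?php
// Added example, not Autoptimize's code. Hypothetical names: the example_*
// functions, the 'example_import_settings' nonce action, the form fields
// 'example_import_nonce' / 'example_import_file' and the allowed-file list.

// --- XSS fix: the stored exclusion string is echoed inside an attribute,
// so escape for attribute context; never echo the raw option value.
function example_render_exclusion_field( $option_name, $stored_value ) {
    return '<input type="text" name="' . esc_attr( $option_name )
        . '" value="' . esc_attr( $stored_value ) . '">';
}

// --- Upload fix: files a legitimate export archive may contain (assumed list).
function example_import_allowed_files() {
    return array( 'settings.json', 'critical.css' );
}

// Accept only bare file names from the allowlist: no directories, no
// traversal, no NUL bytes, exact match only.
function example_import_entry_is_allowed( $entry, $allowed ) {
    if ( '' === $entry || false !== strpos( $entry, "\0" ) ) {
        return false;
    }
    if ( false !== strpos( $entry, '/' ) || false !== strpos( $entry, '\\' ) ) {
        return false;
    }
    return in_array( $entry, $allowed, true );
}

function example_handle_settings_import() {
    // 1. Capability check: the check that was missing before the fix.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce bound to this specific action (this check was already present).
    check_admin_referer( 'example_import_settings', 'example_import_nonce' );

    // 3. Validate the upload: present, no PHP upload error, .zip extension.
    if ( empty( $_FILES['example_import_file']['tmp_name'] )
        || UPLOAD_ERR_OK !== $_FILES['example_import_file']['error'] ) {
        wp_die( 'No file uploaded.' );
    }
    $tmp_name = $_FILES['example_import_file']['tmp_name'];
    $name     = sanitize_file_name( $_FILES['example_import_file']['name'] );
    if ( 'zip' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
        wp_die( 'Only .zip imports are accepted.' );
    }
    // The extension is attacker-controlled, so also require a consistent zip.
    $zip = new ZipArchive();
    if ( true !== $zip->open( $tmp_name, ZipArchive::CHECKCONS ) ) {
        wp_die( 'Upload is not a valid zip archive.' );
    }

    // 4. Inspect every entry before anything is written to disk.
    $allowed = example_import_allowed_files();
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $entry = $zip->getNameIndex( $i );
        if ( ! example_import_entry_is_allowed( $entry, $allowed ) ) {
            $zip->close();
            wp_die( 'Archive contains an unexpected file: ' . esc_html( $entry ) );
        }
    }

    // 5. Extract into a fresh, unguessable directory under uploads, then
    //    delete anything not on the allowlist (the post-unzip sweep).
    $upload_dir = wp_upload_dir();
    $target     = trailingslashit( $upload_dir['basedir'] ) . 'example-import-'
        . wp_generate_password( 12, false );
    wp_mkdir_p( $target );
    $zip->extractTo( $target );
    $zip->close();
    foreach ( scandir( $target ) as $file ) {
        if ( '.' === $file || '..' === $file ) {
            continue;
        }
        if ( ! in_array( $file, $allowed, true ) || ! is_file( $target . '/' . $file ) ) {
            @unlink( $target . '/' . $file );
        }
    }
    return $target; // the caller parses only the allowed files from here
}
```

Hooked up with `add_action( 'admin_post_example_import_settings', 'example_handle_settings_import' );`, the handler refuses a request from a user without `manage_options` before it looks at the upload, refuses a valid-looking zip whose entries are not on the allowlist, and still sweeps the extraction directory afterwards, so even if the inspection loop were ever bypassed no unknown file survives on disk. Checking the archive before extraction is the added belt; the sweep after extraction is the fix the debrief names.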
A big thank you to the two security researchers (Erin Germ for the XSS and an anonymous whitehatter for the file upload problem) who reported these vulnerabilities in a responsible manner and to the WordPress plugin team for their invaluable help in keeping our users safe.
Autoptimize 2.7.7 fixes 2 security issues, please upgrade.
Autoptimize 2.7.7, which was released earlier today, has misc. improvements but, more importantly, comes with 2 security fixes (one XSS, one malicious file upload, both requiring an authenticated user), so please upgrade sooner rather than later.
Music from our Tube: Bon Iver’s PDLIF
Generally I don’t really like sound effects on vocals, but I cannot but make an exception for Bon Iver. His latest “Please Don’t Live In Fear” is no exception!
Don’t take free & open source for granted; donate to Mozilla!
Do you ❤️ the free and open web and do you want to ensure a non-profit can continue to play an important role? Do you use Firefox or use MDN (Mozilla Developer Network) to check up on JS or CSS or HTML syntax?
We do too, and as of today Optimizing Matters will donate $20 monthly. If you use Autoptimize or Async JavaScript or WP YouTube Lyte then please, pretty please, consider donating at https://donate.mozilla.org too.
Music from Our Tube: Rone – Nouveau Monde
Just heard this in PBB (Laurent Garnier's 24/7 non-stop radio station). The music reminds me of Jon Hopkins' work, but it was the video, shot during Mardi Gras in Haïti, which left me flabbergasted. Enjoy!
Interview at WP Founders
I got interviewed at WP Founders: https://wpfounders.com/wordpress-plugin/frank-goossens-autoptimize/
Autoptimize 2.7.5; known issues
There currently are 2 known issues in Autoptimize 2.7.5 that will be fixed in the next release:
- when "inline & defer CSS" and "also aggregate inline CSS" are both active, the top "admin bar" might become invisible for logged-in users. Unticking "also aggregate inline CSS" is a confirmed workaround.
- when “inline & defer CSS” is active, CSS-files that are not aggregated (excluded or 3rd party) and that do not have a media-attribute will not be deferred.
If you want you can download the beta of what will become 2.7.6 here and install that instead of 2.7.5 to get rid of these known issues.
Autoptimize code; blacklist/whitelist becoming blocklist/ allowlist
As of the soon-to-be-released Autoptimize 2.7.4, all occurrences of “blacklist” and “whitelist” in the code will be changed into “blocklist” and “allowlist”. There is no impact for users of Autoptimize, everything will work as before.
If however you are using Autoptimize’s API, there are two (to my knowledge rarely used) filters that are now deprecated and will be removed at a later stage. `autoptimize_filter_js_whitelist` and `autoptimize_filter_css_whitelist` still work in 2.7.4 but if you’re using them switch to `autoptimize_filter_js_allowlist` and `autoptimize_filter_css_allowlist` to avoid problems when they are removed in the release after 2.7.4.
Small post-publishing clarification dd. 22/07/2020: this post is just an announcement, I feel no urge to discuss the change and am not really interested in arguments pro or contra. Don’t fret over this change, fretting is useless, instead enjoy the summer, kiss your lover, read a good book, … 🙂
Music from our Tube; Lianne gets Weird Fishes
I get eaten by the worms and … For 2 seconds the drums seem to announce this is just a cover, but then the beat changes drastically and you're left wondering what happened while the different vibe grows on you. You (almost) have goosebumps when the bridge happens and you stop breathing to hear it all, and then, after that bridge, everything comes together and you're floating on those familiar minor 9th chord arpeggios and those fabulous voices until all fades out and you hit repeat.