Merge pull request #362 from mercadopago/release/7.5.1

Release v7.5.1

CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [7.5.1] - 2024-06-05
+### Fixed:
+- Addressed a problem where one could not change the layout to use woocommerce blocks feature, causing even some pages that use blocks beeing unable to load properly.
+- Addressed a vulnerability from prior releases that permitted authenticated attackers to access server configuration details from the seller host, ensuring enhanced security measures in the logs download endpoint.
+
 ## [7.5.0] - 2024-05-14
 ### Added:
 - Enhanced visual experience: Based on user feedback, we've refined the Credits checkout experience to make it more visually appealing and user-friendly. The modal now provides clearer information, payment methods are displayed more informatively, and tooltips are less intrusive within the store layout.
@@ -14,7 +19,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed:
 - Payment method selection bug: We've addressed a bug in the checkout pro process that prevented the selected payment methods from being respected. This ensures that buyers can consistently use their preferred payment options.
 
-
 ## [7.4.0] - 2024-04-25
 ### Added:
 - A system has been implemented to collect metrics for new sellers, with the aim of facilitating the onboarding of these first-time users. These metrics will allow us to generate ideas for improving the relationship between the plugin and the seller during the onboarding process.

changelog.log

@@ -1,6 +1,11 @@
 CHANGELOG:
 == Changelog ==
 
+= v7.5.1 (05/06/2024) =
+*Fixed:
+- Addressed a problem where one could not change the layout to use woocommerce blocks feature, causing even some pages that use blocks beeing unable to load properly.
+- Addressed a vulnerability from prior releases that permitted authenticated attackers to access server configuration details from the seller host, ensuring enhanced security measures in the logs download endpoint.
+
 = v7.5.0 (14/05/2024) =
 *Added:
 - Enhanced visual experience: Based on user feedback, we've refined the Credits checkout experience to make it more visually appealing and user-friendly. The modal now provides clearer information, payment methods are displayed more informatively, and tooltips are less intrusive within the store layout.

package.json

@@ -1,7 +1,7 @@
 {
   "name": "woocommerce-mercadopago",
   "description": "Woocommerce MercadoPago Payment Gateway",
-  "version": "7.5.0",
+  "version": "7.5.1",
   "main": "main.js",
   "repository": {
     "type": "git",

readme.txt

@@ -4,7 +4,7 @@ Tags: ecommerce, mercadopago, woocommerce
 Requires at least: 6.3
 Tested up to: 6.5
 Requires PHP: 7.4
-Stable tag: 7.5.0
+Stable tag: 7.5.1
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -136,12 +136,8 @@ Check out our <a href="https://www.mercadopago.com.br/developers/pt/plugins_sdks
 
 == Changelog ==
 
-*Added:
-- Enhanced visual experience: Based on user feedback, we've refined the Credits checkout experience to make it more visually appealing and user-friendly. The modal now provides clearer information, payment methods are displayed more informatively, and tooltips are less intrusive within the store layout.
-*Changed:
-- Configurable tooltip text: We've introduced a new setting in the Credits checkout that allows sellers to customize the text displayed in the Credits tooltip. This empowers sellers to tailor the checkout experience to their specific brand and messaging.
-- Support Component: we've added a parameter to the support access link via the plugin's admin so that we can have metrics on the source of support access
 *Fixed:
-- Payment method selection bug: We've addressed a bug in the checkout pro process that prevented the selected payment methods from being respected. This ensures that buyers can consistently use their preferred payment options.
+- Addressed a problem where one could not change the layout to use woocommerce blocks feature, causing even some pages that use blocks beeing unable to load properly.
+- Addressed a vulnerability from prior releases that permitted authenticated attackers to access server configuration details from the seller host, ensuring enhanced security measures in the logs download endpoint.
 
 [See changelog for all versions](https://github.com/mercadopago/cart-woocommerce/blob/main/CHANGELOG.md).

src/Admin/Settings.php

@@ -678,7 +678,7 @@ public function mercadopagoDownloadLog()
         } catch (\Exception $e) {
             $this->logs->file->error('Mercado pago gave error to download log files: ' . $e->getMessage(), __CLASS__);
             http_response_code(500);
-            header("Location: " . admin_url("admin.php?page=wc-status&tab=logs"));
+            wp_safe_redirect(admin_url("admin.php?page=wc-status&tab=logs"));
             exit;
         }
     }

src/Hooks/Scripts.php

@@ -287,13 +287,9 @@ private function registerMelidataScript(string $type, string $location, string $
      */
     public function registerPaymentBlockScript(string $name, string $file, string $version, array $deps = [], array $variables = []): void
     {
-        if (method_exists('WC_Blocks_Utils', 'has_block_in_page')) {
-            if (WC_Blocks_Utils::has_block_in_page(wc_get_page_id('checkout'), 'woocommerce/checkout')) {
-                wp_register_script($name, $file, $deps, $version, true);
-                if ($variables) {
-                    wp_localize_script($name, $name . self::SUFFIX, $variables);
-                }
-            }
+        wp_register_script($name, $file, $deps, $version, true);
+        if ($variables) {
+            wp_localize_script($name, $name . self::SUFFIX, $variables);
         }
     }
 

src/IO/Downloader.php

@@ -97,13 +97,21 @@ public function downloadLog(): void
     private function singleFileDownload(array $selectedFile): void
     {
         $filename = reset($selectedFile);
+
+        if (!$this->validateFilename($filename)) {
+            throw new \Exception('attempt to download the file ' . $filename . 'on ' .  __METHOD__);
+        }
+
         $file_path = WP_CONTENT_DIR . '/uploads/wc-logs/' . $filename;
+
         if (file_exists($file_path) && is_readable($file_path)) {
-            header('Content-Type: application/octet-stream');
             header('Content-Disposition: attachment; filename="' . $filename . '"');
+            header('Content-Type: application/octet-stream');
             header('Content-Length: ' . filesize($file_path));
             readfile($file_path);
             exit;
+        } else {
+            throw new \Exception('error to download log file ' . __METHOD__);
         }
     }
 
@@ -116,21 +124,61 @@ private function multipleFileDownload(array $selectedFiles): void
     {
         $zip = new \ZipArchive();
         $temp_file = tempnam(sys_get_temp_dir(), 'logs_');
+
         if ($zip->open($temp_file, \ZipArchive::CREATE) === true) {
             foreach ($selectedFiles as $filename) {
+                if (!$this->validateFilename($filename)) {
+                    continue;
+                }
+
                 $file_path = WP_CONTENT_DIR . '/uploads/wc-logs/' . $filename;
+
                 if (file_exists($file_path) && is_readable($file_path)) {
                     $zip->addFile($file_path, $filename);
                 }
             }
             $zip->close();
 
-            header('Content-Type: application/zip');
             header('Content-Disposition: attachment; filename="mercado-pago-logs.zip"');
+            header('Content-Type: application/zip');
             header('Content-Length: ' . filesize($temp_file));
             readfile($temp_file);
             unlink($temp_file);
             exit;
+        } else {
+            throw new \Exception('error to download log files ' . __METHOD__);
         }
     }
+
+    /**
+     * Validates a filename to prevent path traversal attempts and ensure expected format.
+     *
+     * @param string $filename The filename to be validated
+     *
+     * @return bool True if the filename is valid, false otherwise
+     */
+    private function validateFilename(string $filename): bool
+    {
+        return $this->hasAllowedExtension($filename) &&
+            $this->hasNoDisallowedCharacters($filename) &&
+            $this->containsExpectedTerms($filename);
+    }
+
+    private function hasAllowedExtension(string $filename): bool
+    {
+        $allowed_pattern = '/\.log$/';
+        return (bool)preg_match($allowed_pattern, $filename);
+    }
+
+    private function hasNoDisallowedCharacters(string $filename): bool
+    {
+        $disallowed = array('..', '/', '\\', '.php', '.ini', '.exe', '.bat', '.sh', '.js', '.py', '.pl', '.sql', '.mdb', '.sqlite', '.zip', '.tar', '.gz', '.htaccess');
+        return empty(array_intersect($disallowed, array($filename)));
+    }
+
+    private function containsExpectedTerms(string $filename): bool
+    {
+        $allowed_pattern = '/mercadopago|MercadoPago|fatal-errors/';
+        return (bool)preg_match($allowed_pattern, $filename);
+    }
 }

src/WoocommerceMercadoPago.php

@@ -32,7 +32,7 @@ class WoocommerceMercadoPago
     /**
      * @const
      */
-    private const PLUGIN_VERSION = '7.5.0';
+    private const PLUGIN_VERSION = '7.5.1';
 
     /**
      * @const

woocommerce-mercadopago.php

@@ -4,7 +4,7 @@
  * Plugin Name: Mercado Pago
  * Plugin URI: https://github.com/mercadopago/cart-woocommerce
  * Description: Configure the payment options and accept payments with cards, ticket and money of Mercado Pago account.
- * Version: 7.5.0
+ * Version: 7.5.1
  * Author: Mercado Pago
  * Author URI: https://developers.mercadopago.com/
  * Text Domain: woocommerce-mercadopago