From c9306a22543751799232f69b3c4ba5dd227283b4 Mon Sep 17 00:00:00 2001 From: Mercado Pago Date: Wed, 5 Jun 2024 20:17:43 +0000 Subject: [PATCH] Release v7.5.1 --- CHANGELOG.md | 6 +++- changelog.log | 5 ++++ package.json | 2 +- readme.txt | 10 ++----- src/Admin/Settings.php | 2 +- src/Hooks/Scripts.php | 10 ++----- src/IO/Downloader.php | 52 ++++++++++++++++++++++++++++++++-- src/WoocommerceMercadoPago.php | 2 +- woocommerce-mercadopago.php | 2 +- 9 files changed, 70 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5b9f1949..5196be535 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [7.5.1] - 2024-06-05 +### Fixed: +- Addressed a problem where one could not change the layout to use woocommerce blocks feature, causing even some pages that use blocks beeing unable to load properly. +- Addressed a vulnerability from prior releases that permitted authenticated attackers to access server configuration details from the seller host, ensuring enhanced security measures in the logs download endpoint. + ## [7.5.0] - 2024-05-14 ### Added: - Enhanced visual experience: Based on user feedback, we've refined the Credits checkout experience to make it more visually appealing and user-friendly. The modal now provides clearer information, payment methods are displayed more informatively, and tooltips are less intrusive within the store layout. 
@@ -14,7 +19,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed: - Payment method selection bug: We've addressed a bug in the checkout pro process that prevented the selected payment methods from being respected. This ensures that buyers can consistently use their preferred payment options. - ## [7.4.0] - 2024-04-25 ### Added: - A system has been implemented to collect metrics for new sellers, with the aim of facilitating the onboarding of these first-time users. These metrics will allow us to generate ideas for improving the relationship between the plugin and the seller during the onboarding process. diff --git a/changelog.log b/changelog.log index bc88304dc..82b97a26c 100644 --- a/changelog.log +++ b/changelog.log @@ -1,6 +1,11 @@ CHANGELOG: == Changelog == += v7.5.1 (05/06/2024) = +*Fixed: +- Addressed a problem where one could not change the layout to use woocommerce blocks feature, causing even some pages that use blocks beeing unable to load properly. +- Addressed a vulnerability from prior releases that permitted authenticated attackers to access server configuration details from the seller host, ensuring enhanced security measures in the logs download endpoint. + = v7.5.0 (14/05/2024) = *Added: - Enhanced visual experience: Based on user feedback, we've refined the Credits checkout experience to make it more visually appealing and user-friendly. The modal now provides clearer information, payment methods are displayed more informatively, and tooltips are less intrusive within the store layout. diff --git a/package.json b/package.json index 98ad9b756..9a6bab757 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "woocommerce-mercadopago", "description": "Woocommerce MercadoPago Payment Gateway", - "version": "7.5.0", + "version": "7.5.1", "main": "main.js", "repository": { "type": "git", diff --git a/readme.txt b/readme.txt index 024766338..5367f83c7 100644 --- a/readme.txt +++ b/readme.txt 
@@ -4,7 +4,7 @@ Tags: ecommerce, mercadopago, woocommerce Requires at least: 6.3 Tested up to: 6.5 Requires PHP: 7.4 -Stable tag: 7.5.0 +Stable tag: 7.5.1 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html @@ -136,12 +136,8 @@ Check out our validateFilename($filename)) { + throw new \Exception('attempt to download the file ' . $filename . 'on ' . __METHOD__); + } + $file_path = WP_CONTENT_DIR . '/uploads/wc-logs/' . $filename; + if (file_exists($file_path) && is_readable($file_path)) { - header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="' . $filename . '"'); + header('Content-Type: application/octet-stream'); header('Content-Length: ' . filesize($file_path)); readfile($file_path); exit; + } else { + throw new \Exception('error to download log file ' . __METHOD__); } } 
@@ -116,21 +124,61 @@ private function multipleFileDownload(array $selectedFiles): void { $zip = new \ZipArchive(); $temp_file = tempnam(sys_get_temp_dir(), 'logs_'); + if ($zip->open($temp_file, \ZipArchive::CREATE) === true) { foreach ($selectedFiles as $filename) { + if (!$this->validateFilename($filename)) { + continue; + } + $file_path = WP_CONTENT_DIR . '/uploads/wc-logs/' . $filename; + if (file_exists($file_path) && is_readable($file_path)) { $zip->addFile($file_path, $filename); } } $zip->close(); - header('Content-Type: application/zip'); header('Content-Disposition: attachment; filename="mercado-pago-logs.zip"'); + header('Content-Type: application/zip'); header('Content-Length: ' . filesize($temp_file)); readfile($temp_file); unlink($temp_file); exit; + } else { + throw new \Exception('error to download log files ' . __METHOD__); } } + + /** + * Validates a filename to prevent path traversal attempts and ensure expected format. + * + * @param string $filename The filename to be validated + * + * @return bool True if the filename is valid, false otherwise + */ + private function validateFilename(string $filename): bool + { + return $this->hasAllowedExtension($filename) && + $this->hasNoDisallowedCharacters($filename) && + $this->containsExpectedTerms($filename); + } + + private function hasAllowedExtension(string $filename): bool + { + $allowed_pattern = '/\.log$/'; + return (bool)preg_match($allowed_pattern, $filename); + } + + private function hasNoDisallowedCharacters(string $filename): bool + { + $disallowed = array('..', '/', '\\', '.php', '.ini', '.exe', '.bat', '.sh', '.js', '.py', '.pl', '.sql', '.mdb', '.sqlite', '.zip', '.tar', '.gz', '.htaccess'); + return empty(array_intersect($disallowed, array($filename))); + } + + private function containsExpectedTerms(string $filename): bool + { + $allowed_pattern = '/mercadopago|MercadoPago|fatal-errors/'; + return (bool)preg_match($allowed_pattern, $filename); + } } 
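Review bot: `hasNoDisallowedCharacters` does not actually reject the fragments it lists, because `array_intersect($disallowed, array($filename))` is only non-empty when the whole filename is byte-equal to one entry, so a value such as `../../../x/mercadopago.log` satisfies all three checks (ends in `.log`, contains `mercadopago`, is not literally `..` or `/`) and reaches `$file_path = WP_CONTENT_DIR . '/uploads/wc-logs/' . $filename` unchanged; the same helper is what `singleFileDownload` relies on, so the traversal described in the changelog is only partly closed. The test needs to be a per-fragment substring check — `strpos(...) !== false` rather than `str_contains`, since readme.txt pins "Requires PHP: 7.4" — and it is cheap to additionally require `basename($filename) === $filename` so any directory component is refused independently of the list (this is conservative: a legitimate name containing e.g. `.js` would also be refused, which seems acceptable for a log download). As a second layer that does not depend on a blacklist, consider comparing `realpath($file_path)` against `realpath(WP_CONTENT_DIR . '/uploads/wc-logs') . '/'` before `$zip->addFile`, treating a `false` or non-prefixed result as not found. Minor: `tempnam()` can return `false`, which is then passed straight to `$zip->open()`; a guard before the `open` call would give a clearer failure than the generic exception.
```php
    private function hasNoDisallowedCharacters(string $filename): bool
    {
        $disallowed = array('..', '/', '\\', '.php', '.ini', '.exe', '.bat', '.sh', '.js', '.py', '.pl', '.sql', '.mdb', '.sqlite', '.zip', '.tar', '.gz', '.htaccess');
        // Refuse the name if ANY listed fragment occurs anywhere in it; the
        // previous array_intersect() only matched an exact whole-string equality.
        foreach ($disallowed as $fragment) {
            if (strpos($filename, $fragment) !== false) {
                return false;
            }
        }
        // A plain log file name must carry no directory component at all.
        return basename($filename) === $filename;
    }
```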
diff --git a/src/WoocommerceMercadoPago.php b/src/WoocommerceMercadoPago.php index ea603f9e1..118693402 100644 --- a/src/WoocommerceMercadoPago.php +++ b/src/WoocommerceMercadoPago.php @@ -32,7 +32,7 @@ class WoocommerceMercadoPago /** * @const */ - private const PLUGIN_VERSION = '7.5.0'; + private const PLUGIN_VERSION = '7.5.1'; /** * @const diff --git a/woocommerce-mercadopago.php b/woocommerce-mercadopago.php index a2e26db90..9eeb9b7cd 100644 --- a/woocommerce-mercadopago.php +++ b/woocommerce-mercadopago.php @@ -4,7 +4,7 @@ * Plugin Name: Mercado Pago * Plugin URI: https://github.com/mercadopago/cart-woocommerce * Description: Configure the payment options and accept payments with cards, ticket and money of Mercado Pago account. - * Version: 7.5.0 + * Version: 7.5.1 * Author: Mercado Pago * Author URI: https://developers.mercadopago.com/ * Text Domain: woocommerce-mercadopago