[Plugin: WP Download Codes] Patch for security and direct downloads

  • Hi.

    I have just spent a couple of hours making some modifications to this plugin I thought I’d share with you. There are a few things in this patch linked to below:

    1. Changed database queries to protect against SQL injection attacks – There were some unquoted strings coming from the outside world
    2. Added a download count display for a specific code – if you leave this translation blank, it won’t come up, but you can specify the format in the config
    3. Added configurable secret salt to the MD5 hash for the leases you were using
    4. Removed the MD5 calculation for every code in the database (could get slow when it gets big)
    5. Provided a more secure, encrypted leases (where available) based on the user’s IP and the secret salt
    6. Allowed the code to be pre-filled in a post, eg. [download-code code="MYCODE123"] just shows the download section
    7. Moved the download record insertion to until the file has finished streaming, to prevent incomplete downloads from using up the available downloads

    https://wvr.me.uk/wp-download-codes-security.patch

    Hope this helps.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter wivlaro

    (@wivlaro)

    Actually – that encryption stuff doesn’t work as well as I thought it did at 1am last night ??

    Plugin Author misanthrop

    (@misanthrop)

    Thank you very much, this will really help.

    As the initiating developer for this plugin it am not able to spend as much time as I want on this (not even 10 minutes in the last 10 months), so valuable help like yours is always appreciated.

    As you have announced problems with the encryption, I did not want to include your changes at once, and also I had to update the plugin with a minor patch for version 2.1.1.

    But it would be great if you could sent me another update or I could enable you for direct communit if you would be interested to support development on the plugin.

    Thread Starter wivlaro

    (@wivlaro)

    Hiya. I’ve just updated the patch to fix that previous encryption problem. It was just that I was encrypting the release ID and assuming I was decrypting the code. Now it’s just the code that gets en/decrypted and it seems to work and fail correctly.

    https://wvr.me.uk/wp-download-codes-security2.patch

    Hi,

    I’m not sure how to apply this patch. And also, will it allow larger zip files to download? It will download 10MB zip files, but not 70MB. I just sold a bunch after doing a test with smaller files, now my fans are reporting that they can’t download and I can’t figure out how to change it so that they can. (My sites are hosted on DreamHost if that makes a difference.)

    Thanks for any help!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘[Plugin: WP Download Codes] Patch for security and direct downloads’ is closed to new replies.