Merge pull request #69 from xxsimoxx/secured

Secured
xxsimoxx · Sep 15, 2021 · 8d922c7 · 8d922c7
2 parents e59cb0e + a1529be
commit 8d922c7
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -36,9 +36,10 @@ To setup a plugin to work with the Update Manager, the following general steps a
 ### Adding the Update Client file to a Plugin
 
 1. Copy the `UpdateClient.class.php` file (from the Update Manager plugin) into your plugin's file structure.
-1. Set `namespace` to a unique value; line 25.
-1. Set `UPDATE_SERVER` to the URL where your _Update Manager_ plugin is installed; line 28.
-1. Set `UPDATE_TYPE` to 'plugin'; line 31.
+1. Set `namespace` to a unique value; line 22.
+1. Set `UPDATE_SERVER` to the URL where your _Update Manager_ plugin is installed; line 25.
+1. Set `SECURE_SOURCE` to the starting part of the URL of the updated zip file if you want to add an extra layer of security; line 30. See line 236 to understand how check is done.
+1. Set `UPDATE_TYPE` to 'plugin'; line 33.
 1. Use `require_once('/path/to/UpdateClient.class.php')` in your plugin's primary PHP file to run the update client.
 
 ### Creating an Update Endpoint for a Plugin

diff --git a/classes/UpdateClient.class.php b/classes/UpdateClient.class.php
@@ -6,7 +6,7 @@
  * Author: John Alarcon
  * Author URI: https://codepotent.com
  * API Version: 2.0.0
- * Last modified on Update Manager release: 2.3.0
+ * Last modified on Update Manager release: 2.4.0
  * -----------------------------------------------------------------------------
  * This is free software released under the terms of the General Public License,
  * version 2, or later. It is distributed WITHOUT ANY WARRANTY; without even the
@@ -24,6 +24,11 @@
 // EDIT: URL where Update Manager is installed; with trailing slash!
 const UPDATE_SERVER = 'https://software.gieffeedizioni.it/';
 
+// EDIT: Comment this out and fill with the first part of the url
+//       of your Download link to make sure that updates
+//       are served from your trusted source.
+// const SECURE_SOURCE = 'https://github.com/xxsimoxx/codepotent-update-manager/';
+
 // EDIT: plugin or theme?
 const UPDATE_TYPE = 'plugin';
 
@@ -227,6 +232,12 @@ public function filter_component_update_transient($value) {
 			// Iterate over installed components.
 			foreach($components as $component=>$data) {
 
+				// If necessary check if the new package come from the right source.
+				if (defined(__NAMESPACE__.'\SECURE_SOURCE') && isset($data['package']) && strpos($data['package'], SECURE_SOURCE) !== 0) {
+					unset($value->response[$component]);
+					continue;
+				}
+
 				// Is there a new version?
 				if (isset($data['id'], $data['new_version'], $data['package'])) {
 

diff --git a/codepotent-update-manager.php b/codepotent-update-manager.php
@@ -4,7 +4,7 @@
  * -----------------------------------------------------------------------------
  * Plugin Name: Update Manager
  * Description: Painlessly push updates to your ClassicPress plugin users! Serve updates from GitHub, your own site, or somewhere in the cloud. 100% integrated with the ClassicPress update process; slim and performant.
- * Version: 2.3.0
+ * Version: 2.4.0
  * Author: Simone Fioravanti
  * Author URI: https://software.gieffeedizioni.it
  * Plugin URI: https://software.gieffeedizioni.it