diff --git a/README.md b/README.md index 825f8e8..ebdf625 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,16 @@ # Advanced Custom Fields: Image Crop Add-on # -Contributors: andersthorborg +Contributors: andersthorborg, nickkeenan Tags: afc, advanced custom fields, image crop, image, crop Requires at least: 3.5 -Tested up to: 4.6 -Stable tag: 1.4.12 +Tested up to: 6.9.1 +Stable tag: 1.4.13 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html An image field making it possible/required for the user to crop the selected image to the specified image size or dimensions +This is a maintained fork of the abandoned [original plugin](https://github.com/andersthorborg/ACF-Image-Crop) by Anders Thorborg. + ## Description ## ACF image crop is an extended version of the native Image-field in ACF. @@ -58,9 +60,19 @@ function my_register_fields() 5. The image is cropped to the desired format, using the restrictions set under field options 6. The new format is shown using the specified preview size. The original image is kept with the field, so the image can be re-cropped at any time. +## Credits ## + +Originally developed by [Anders Thorborg](http://thorb.org). +This fork maintained by [Nick Keenan / Gameflow Interactive](https://gameflowinteractive.com) +with security patches applied. All credit for the original plugin goes to Anders. ## Changelog ## +### 1.4.13 ### +**Security fix applied:** CVE-2023-22676 / PSID ae467650d1f0 +Adds `upload_files` capability check to `perform_crop()` to prevent +subscriber-level users from modifying media library images. + ### 1.4.12 ### * Fix compatibility with ACF Pro 5.6.0 diff --git a/acf-image-crop-v5.php b/acf-image-crop-v5.php index fd3fcae..8f70aa8 100644 --- a/acf-image-crop-v5.php +++ b/acf-image-crop-v5.php @@ -2,7 +2,7 @@ class acf_field_image_crop extends acf_field_image { - + var $options; /* * initialize * 
@@ -495,6 +495,10 @@ function input_admin_enqueue_scripts() { } function perform_crop(){ + if ( ! current_user_can( 'upload_files' ) ) { + wp_send_json_error( 'Unauthorized', 403 ); + wp_die(); + } $targetWidth = $_POST['target_width']; $targetHeight = $_POST['target_height']; @@ -1240,4 +1244,4 @@ function delete_field( $field ) { // create field new acf_field_image_crop(); -?> \ No newline at end of file +?> diff --git a/acf-image-crop.php b/acf-image-crop.php index 578a0f8..a1f8751 100644 --- a/acf-image-crop.php +++ b/acf-image-crop.php @@ -1,10 +1,10 @@
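Review bot: The added `wp_die();` is unreachable, because `wp_send_json_error( 'Unauthorized', 403 );` already terminates the request (wp_send_json() ends with wp_die()), so that line can be dropped. The check is also coarser than the operation it guards: `upload_files` lets any user who may upload modify any attachment, so if perform_crop() reads an attachment ID from the request further down, `current_user_can( 'edit_post', $attachment_id )` on that ID would limit the crop to media the caller is allowed to edit. Nothing in the hunk verifies a nonce, so unless the AJAX entry point does this before reaching perform_crop(), a `check_ajax_referer( '<nonce-action>', 'nonce' );` at the top of the function (placeholder action name — use the one the plugin's JS sends) is still needed for CSRF coverage. The unchanged context lines still take `$_POST['target_width']` and `$_POST['target_height']` raw; wrapping them in `absint()` would make the dimensions safe integers before they are passed on. perform_crop()'s body continues outside the hunk.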