Easy Digital Downloads version 1.1.5 was released a few minutes ago and one of the focuses for this release was improvements to file security.
A few days ago a user reported that he had found a massive security flaw in the plugin that allowed site visitors to find and browse (and download) any product download files without purchasing them. This flaw was caused primarily by a bug in the plugin, but also by an oversight on my part when I originally set up the file storage structure.
With a few simple changes, this issue has been resolved and your files are much more secure. Directory browsing is now prevented with a redundant system of .htaccess files (for Apache servers) and blank index.php files for all other server types. The necessary files to protect your download files will be created when you install the 1.1.5 update.
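To make the mechanism concrete, here is an added example (not Easy Digital Downloads' own code) of how a plugin can create that redundant pair of protection files on install and then audit an upload tree for directories that still lack them. The `Options -Indexes` directive, the function names and the temporary paths are assumptions for illustration; the post does not quote the plugin's actual file contents.

```php
<?php
// Added example, not the plugin's own code. Creates the two directory-browsing
// protections described in the post: a .htaccess for Apache and a blank
// index.php for every other server, then audits that both are present.
// "Options -Indexes" is an assumed directive; it only takes effect when the
// server's AllowOverride permits Options, which is why the index.php fallback
// matters on hosts where .htaccess is ignored.

/**
 * Write the protection files into $dir if they are missing.
 * Returns the list of files created by this call (empty if already protected).
 */
function example_protect_upload_dir(string $dir): array {
    $created = [];

    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException("Cannot create directory: $dir");
    }

    // Apache: disable automatic directory listings for this tree.
    $htaccess = $dir . DIRECTORY_SEPARATOR . '.htaccess';
    if (!file_exists($htaccess)) {
        file_put_contents($htaccess, "Options -Indexes\n");
        $created[] = $htaccess;
    }

    // Any server: a blank index file means a request for the directory
    // itself returns an empty page instead of a file listing.
    $index = $dir . DIRECTORY_SEPARATOR . 'index.php';
    if (!file_exists($index)) {
        file_put_contents($index, "<?php\n// Silence is golden.\n");
        $created[] = $index;
    }

    return $created;
}

/**
 * Audit: walk $root and return every directory (root included) that is
 * missing either protection file. Run this after an upgrade to confirm
 * the redundant protection is actually in place on the live server.
 */
function example_find_unprotected_dirs(string $root): array {
    $dirs = [$root];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if ($info->isDir()) {
            $dirs[] = $path;
        }
    }

    $missing = [];
    foreach ($dirs as $d) {
        if (!file_exists("$d/.htaccess") || !file_exists("$d/index.php")) {
            $missing[] = $d;
        }
    }
    return $missing;
}

// Usage with a constructed temporary tree (hypothetical paths).
$root = sys_get_temp_dir() . '/edd-example-uploads';
@mkdir("$root/2012/06", 0755, true);        // a typical year/month upload layout
example_protect_upload_dir($root);           // protect the top level only
print_r(example_find_unprotected_dirs($root)); // the dated subdirectories still show up
foreach (example_find_unprotected_dirs($root) as $d) {
    example_protect_upload_dir($d);          // protect each remaining subdirectory
}
print_r(example_find_unprotected_dirs($root)); // now empty
```

The audit function is the part worth keeping around: a protection scheme that depends on files being written at install time can silently regress when a new year/month subdirectory is created by the upload handler, so checking the whole tree rather than just the root is what tells you the directory-browsing fix still holds.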
Along with the security improvements, there were also significant enhancements made to the discount code system so that buyers can only use a discount code once, as opposed to being able to use the same code over and over again for every purchase.
Another major upgrade was added that allows you to display a list of download links on the “success” page after a user completes the purchase. This option is primarily designed for sites that process all orders as guests (where the users don’t log in). This update will allow guest buyers to download their files immediately after purchase, without having to check their email. You will find this option in Downloads > Settings > General, as shown below:
The complete change log is below:
- Updated default language files
- Changed “Purchase Page” label to “Checkout Page” in settings
- Fixed a problem with serving download files
- Fixed a bug that caused images to break when uploaded to download products
- Made significant security improvements for protecting files against unauthorized downloads
- Updated discounts so that users can only use a discount code once
- Download titles are now decoded for HTML entities in payment history
- Updated payment history to fix an error notice when a user isn’t found
- Added a new option for showing download links on the success page after completing a payment
- Fixed a couple of undefined index errors
- Added item prices to the cart widget
- Added support for the Iranian Rial currency. Make sure your gateway supports it before using it
- Updated edd_remove_item_url() to use the current page URL instead of the home URL
- Added new edd_get_current_page_url() function
- Made the edd_payment post type not public
- Updated French language files