Support » Plugin: WP YouTube Lyte » Security issue ? (404 cached thumb)

  • Resolved Phil

    (@magicfilou)



    Hi! Thanks for your great plugin (y)

    When I add this code in my htaccess:

    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

    The cached video thumbnail has a 404 …

    if I add # on this line :

    #RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]

    All works fine ^^

    I love the privacy protection in caching the thumb 😉 (and speed optimization!)

    It’s not dangerous to let public access to your plugin dir ?
    the thumbnail url comes from your php file :-/
    Why not copy the thumb to a dir into /uploads ?

    TIA Cheers

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Optimizing Matters

    (@optimizingmatters)

    there’s more to lyteThumbs.php than just storing/serving the actual thumbnail; it checks if it is cached and if not automagically retrieves it and while sending it adds HTTP response headers to allow the thumbnail to be cached. so yeah, you need to have wp-content/plugins/wp-youtube-lyte/lyteThumbs.php executable 🙂

    Phil

    (@magicfilou)

    It’s not dangerous to let public access to your plugin dir ?

    Why not copy the thumb to a dir into /uploads and call the thumb from there ?

    So for now I need to deactivate this protection just for “your” cached thumb ?

    Plugin Author Optimizing Matters

    (@optimizingmatters)

    Why not copy the thumb to a dir into /uploads and call the thumb from there ?

    well, the thumbs are actually stored in wp-content/cache/lyteThumbs, it’s just the “caching proxy logic” that lives in wp-content/plugins/wp-youtube-lyte/lyteThumbs.php (see my explanation in the previous reply of what that file does).

    So for now I need to deactivate this protection just for “your” cached thumb ?

    that is entirely your choice, you can:

    1. not cache the thumbs locally, and that way lyteThumbs.php can remain blocked
    2. remove the offending line from your .htaccess
    3. amend your .htaccess to specifically allow access to wp-content/plugins/wp-youtube-lyte/lyteThumbs.php (which I consider no security risk at all)

    hope this clarifies,
    frank
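
    Option 3 from the reply above, written out as an added example (not part of the original thread and not the plugin's own documentation). It reuses the plugin rule from the question and adds one exception for lyteThumbs.php, assuming WordPress sits at the site root as the paths in the question do.

```apache
# Added example: block direct requests to plugin PHP files, except the
# wp-youtube-lyte thumbnail proxy and the exclusions already in the question.
# Harmless if mod_rewrite is already switched on elsewhere in the file.
RewriteEngine On

# New exception: exactly this one script, nothing else in the plugin directory.
# %{REQUEST_URI} holds the path only (no query string), so the trailing "$"
# still matches when the script is requested with parameters.
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/wp-youtube-lyte/lyteThumbs\.php$

# Placeholder exclusions, unchanged from the question.
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/

# All conditions above are ANDed: any other plugin .php request gets a 404.
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
```

    The conditions must stay directly above the RewriteRule they guard, because a RewriteCond applies only to the next RewriteRule. The themes rule from the question needs no change.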

    Phil

    (@magicfilou)

    ok tks

  • The topic ‘Security issue ? (404 cached thumb)’ is closed to new replies.