• Resolved hsmeets

    (@hsmeets)


    Since updating to WP 6.8 and/or to the latest Waymark version, maps shown via a shortcode using [waymark file_url=<to gpx file elsewhere on my server>] are no longer shown.

    The .gpx data was normally loaded into the HTML of the webpage but is at the moment not present. The map viewer starts but has gray content.

    Your own website suffers from the same: last map at the bottom of the page.
    https://www.waymark.dev/docs/shortcode/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter hsmeets

    (@hsmeets)

    I’ve reverted back to the .2 release seeing the .3 release note (assuming this explains my issue)… Why did you remove this functionality?

    Update: Okay I see, security issue 🙁

    I hope you can solve this and bring back the function.

    • This reply was modified 7 months ago by hsmeets.
    Plugin Author Joe

    (@morehawes)

    Hi @hsmeets,

    Thanks for reaching out. Yes, a Server-Side Request Forgery (SSRF) vulnerability was reported for this feature. The issue is that this triggers a server-side request to the file URL.

    File checks and sanitization were in place, so I’m not exactly sure where the vulnerability lies, but this will take a fair bit of time to delve into, so at the moment the simplest thing to do was to remove it. It’s hard to know how many people use it, but if there is enough support for the feature then I may revisit it in the future.

    Please consider supporting the continued development of the plugin through sponsorship.

    I do apologise for removing this feature without warning like this; I understand that it breaks Maps for some users, which is definitely not something I want to do.

    Thanks,

    Joe
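
The reply above describes the risk as the server itself requesting whatever URL the shortcode supplies. As an added example (not the Waymark plugin's code, and not a statement of where the reported flaw was), this is one way to vet such a URL before fetching it; the function name, the injected resolver and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the Waymark plugin.
// Decides whether a shortcode-supplied file URL may be fetched by the server.
// $resolve (hostname -> list of IPs) is injected so the check runs offline.
function file_url_decision(string $url, callable $resolve): array
{
    $p = parse_url($url);
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
        return [false, 'unparseable URL'];
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme is not http(s)'];
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return [false, 'credentials embedded in URL'];
    }
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return [false, 'non-standard port'];
    }
    $host = trim($p['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if (empty($ips)) {
        return [false, 'host does not resolve'];
    }
    // Every address must be public: one private or reserved answer means refuse.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return [false, "resolves to non-public address $ip"];
        }
    }
    // Fetch by connecting to this checked address and re-check any redirect.
    return [true, 'ok, connect to ' . $ips[0]];
}
// Constructed sample data: a fake DNS table and shortcode URLs.
$dns = [
    'tracks.example.org'   => ['203.0.113.10'], // documentation range standing in for a public host
    'intranet.example.org' => ['10.0.0.5'],
];
$resolve = fn(string $h): array => $dns[$h] ?? [];
foreach ([
    'https://tracks.example.org/club/route.gpx',
    'http://intranet.example.org/route.gpx',
    'http://127.0.0.1/route.gpx',
    'ftp://tracks.example.org/route.gpx',
] as $url) {
    [$ok, $why] = file_url_decision($url, $resolve);
    printf("%-45s %s (%s)\n", $url, $ok ? 'ALLOW' : 'DENY', $why);
}
```

On a WordPress site, `wp_safe_remote_get()` applies comparable URL checks through `wp_http_validate_url()`.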

    Thread Starter hsmeets

    (@hsmeets)

    No harm done, Joe. For the foreseeable time I’ll stick with the .2 release; it does all we need for our club site.

    Regards,
    Huib


The topic ‘Showing maps via FILE_URL no longer works’ is closed to new replies.