Easy Digital Downloads version 1.1.5 was released a few minutes ago and one of the focuses for this release was improvements to file security.
A few days ago a user reported that he had found a massive security flaw in the plugin that allowed site visitors to find and browse (and download) any product download files without purchasing them. This flaw was caused primarily by a bug in the plugin, but also by an oversight on my part when I originally set up the file storage structure.
With a few simple changes, this issue has been resolved and your files are much more secure. Directory browsing is now prevented with a redundant system of .htaccess files (for Apache servers) and blank index.php files for all other server types. The necessary files to protect your download files will be created when you install the 1.1.5 update.
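As an added illustration of the two-layer guard described above (this is example code written for this post, not the plugin's own upgrade routine), the script below drops an .htaccess that disables directory indexes and a blank index.php into every directory of an uploads tree, and then verifies that no directory is left without both. The upload path and the exact .htaccess directive are assumptions; the plugin's real files may differ.

```shell
#!/bin/sh
# Example (not Easy Digital Downloads' code): create the redundant
# directory-listing guards in every directory under an uploads tree and
# check that none is missing. Paths and directives are assumptions.
#
# Usage (after sourcing this file):
#   protect_tree /path/to/wp-content/uploads/edd
#   check_tree   /path/to/wp-content/uploads/edd

# Write an .htaccess that turns off directory indexes for Apache and a
# blank index.php that answers directory requests on other servers.
# Existing guard files are left untouched so custom rules survive.
protect_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -f "$dir/.htaccess" ] || printf 'Options -Indexes\n' > "$dir/.htaccess"
    [ -f "$dir/index.php" ] || printf '<?php\n// Silence is golden.\n' > "$dir/index.php"
}

# Apply protect_dir to the root directory and every subdirectory.
protect_tree() {
    root="$1"
    find "$root" -type d | while IFS= read -r d; do
        protect_dir "$d"
    done
}

# Return 0 when every directory under the tree carries both guard files,
# otherwise list the exposed directories on stderr and return 1.
check_tree() {
    root="$1"
    missing=$(find "$root" -type d | while IFS= read -r d; do
        if [ ! -f "$d/.htaccess" ] || [ ! -f "$d/index.php" ]; then
            printf '%s\n' "$d"
        fi
    done)
    if [ -n "$missing" ]; then
        printf 'unprotected directories:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}
```

Note that `Options -Indexes` only takes effect when the Apache virtual host allows `Options` overrides (`AllowOverride Options` or `All`); on a host where .htaccess is ignored, the blank index.php is the layer that actually stops the listing, which is the reason for keeping both.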
Along with the security improvements, there were also significant enhancements made to the discount code system so that buyers can only use a discount code once, as opposed to being able to use the same code over and over again for every purchase.
Another major upgrade was added that allows you to display a list of download links on the “success” page after a user completes the purchase. This option is primarily designed for sites that process all orders as guests (where the users don’t log in). This update will allow guest buyers to download their files immediately after purchase, without having to check their email. You will find this option in Downloads > Settings > General, as shown below:
The complete change log is below:
Updated default language files
Changed “Purchase Page” label to “Checkout Page” in settings
Fixed a problem with serving download files
Fixed a bug that caused images to break when uploaded to download products
Made significant security improvements for protecting files against unauthorized downloads
Updated discounts so that users can only use a discount code once
Download titles are now decoded for HTML entities in payment history
Updated payment history to fix an error notice when a user isn’t found
Added a new option for showing download links on the success page after completing a payment
Fixed a couple of undefined index errors
Added item prices to the cart widget
Added support for the Iranian Rial currency. Make sure your gateway supports it before using it
Updated the edd_remove_item_url() to use the current page URL instead of the home URL
Added new edd_get_current_page_url() function
Made the edd_payment post type not public
Updated French language files