Merge branch 'develop'

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [4.23.6] - 2024-01-31
+### Changed
+* Error information is suppressed for feeds with local address URLs. This improves the previous fix for CVE-2024-0628.
+
 ## [4.23.5] - 2024-01-24
 ### Fixed
 * Error messages no longer reveal information about potentially inaccessible resources. (CVE-2024-0628) 

includes/admin-metaboxes.php

@@ -503,11 +503,8 @@ function wprss_preview_meta_box_callback()
 
         // Check if failed to fetch the feed
         if (is_wp_error($feed)) {
-            // Log the error
-            printf(
-                '<span class="invalid-feed-url">%s</span>',
-                __('The URL is invalid or is not a URL to an RSS feed.', 'wprss')
-            );
+            $message = wprss_rewrite_feed_error($feed_url, $feed->get_error_message());
+            printf( '<span class="invalid-feed-url">%s</span>', $message);
 
             echo wpautop(
                 sprintf(

includes/feed-importing.php

@@ -270,10 +270,12 @@ function wprss_get_feed_items( $feed_url, $source, $force_feed = FALSE ) {
     $feed = wprss_fetch_feed( $feed_url, $source, $force_feed );
 
     if (is_wp_error($feed)) {
-        wpra_get_logger($source)->error('Failed to fetch the RSS feed. {1}', [
-            $feed_url,
-            wprss_rewrite_feed_error($feed->get_error_message())
-        ]);
+        if ($source !== null) {
+            wpra_get_logger($source)->error('Failed to fetch the RSS feed. {1}', [
+                $feed_url,
+                wprss_rewrite_feed_error($feed_url, $feed->get_error_message())
+            ]);
+        }
 
         return NULL;
     }
@@ -420,13 +422,6 @@ function wprss_fetch_feed($url, $source = null, $param_force_feed = false)
 
     // Convert the feed error into a WP_Error, if applicable
     if ($feed->error()) {
-        if ($source !== null) {
-            $msg = sprintf(
-                __('Failed to fetch the RSS feed. Error: %s', 'wprss'),
-                wprss_rewrite_feed_error($feed->error())
-            );
-            update_post_meta($source, 'wprss_error_last_import', $msg);
-        }
         return new WP_Error('simplepie-error', $feed->error(), array('feed' => $feed));
     }
     // If no error, return the feed and remove any error meta
@@ -1192,8 +1187,17 @@ function wpra_parse_url($url)
     return $parsed;
 }
 
-function wprss_rewrite_feed_error(string $error)
+function wprss_rewrite_feed_error(string $feed_url, string $error)
 {
+    // Check if it's a local address
+    $host = parse_url($feed_url, PHP_URL_HOST);
+    $host = strtolower(trim($host));
+
+    if ($host === 'localhost' || $host === '127.0.0.1' ||
+        $host === '0.0.0.0' || $host === '::1') {
+        return __('Kindly double-check the feed URL.', 'wprss');
+    }
+
     if (str_contains($error, 'invalid XML')) {
         return __('The feed is not a valid XML document', 'wprss');
     }

wp-rss-aggregator.php

@@ -4,7 +4,7 @@
  * Plugin Name: WP RSS Aggregator
  * Plugin URI: https://www.wprssaggregator.com/#utm_source=wpadmin&utm_medium=plugin&utm_campaign=wpraplugin
  * Description: Imports and aggregates multiple RSS Feeds.
- * Version: 4.23.5
+ * Version: 4.23.6
  * Author: RebelCode
  * Author URI: https://www.wprssaggregator.com
  * Text Domain: wprss
@@ -78,7 +78,7 @@
 
 // Set the version number of the plugin.
 if( !defined( 'WPRSS_VERSION' ) )
-    define( 'WPRSS_VERSION', '4.23.5' );
+    define( 'WPRSS_VERSION', '4.23.6' );
 
 if( !defined( 'WPRSS_WP_MIN_VERSION' ) )
     define( 'WPRSS_WP_MIN_VERSION', '4.8' );