Skip to content

Improved: hardened Proxy Speed Module, to make sure it doesn't disable plugins on non-proxy requests. #297

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Dan0sz merged 5 commits into from
May 5, 2026
Merged

Improved: hardened Proxy Speed Module, to make sure it doesn't disable plugins on non-proxy requests. #297

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b397652
Improved: hardened Proxy Speed Module, to make sure it doesn't disabl…
Dan0sz May 5, 2026
0c26b94
Improved: Handle WordPress subdirectory installs in the REST-path match.
Dan0sz May 5, 2026
c6dc08a
Updated mu-plugin.
Dan0sz May 5, 2026
b2ece6a
Merge remote-tracking branch 'origin/fix_speed_module' into fix_speed…
Dan0sz May 5, 2026
4c416a3
Ignore this code.
Dan0sz May 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 31 additions & 15 deletions mu-plugin/plausible-proxy-speed-module.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,26 +4,26 @@
* Description: Speeds up Plausible Analytics' proxy for avoiding ad blockers.
* Plugin URI: https://plausible.io
* Author: Plausible HQ
* Version: 1.0.0
* Version: 1.0.1
* Author URI: https://plausible.io
*
* Text Domain: plausible-analytics
*/

class PlausibleProxySpeed {
/**
* Is current request a request to our proxy?
* Is the current request a request to our proxy?
*
* @var bool
*/
private $is_proxy_request = false;
private $is_proxy_request;

/**
* Current request URI.
*
* @var string
*/
private $request_uri = '';
private $request_uri;

/**
* Build properties.
Expand All @@ -38,27 +38,42 @@ public function __construct() {
}

/**
* Helper method to retrieve Request URI. Checks several globals.
* Helper method to retrieve Request URI.
*
* @return mixed
* @return string
*/
private function get_request_uri() {
return $_SERVER[ 'REQUEST_URI' ];
return $_SERVER['REQUEST_URI'] ?? '';
}

/**
* Check if current request is a proxy request.
* Check if the current request is a proxy request.
*
* The namespace must appear as a path segment under the REST prefix
* (e.g. /wp-json/<namespace>[/...]). Substring matches in query
* strings, fragments, or unrelated path segments are rejected.
*
* @return bool
*/
private function is_proxy_request() {
$namespace = get_option( 'plausible_analytics_proxy_resources' )[ 'namespace' ] ?? '';
$namespace = get_option( 'plausible_analytics_proxy_resources' )['namespace'] ?? '';

if ( ! $namespace ) {
return false;
}

return strpos( $this->request_uri, $namespace ) !== false;
$path = parse_url( $this->request_uri, PHP_URL_PATH );

if ( ! is_string( $path ) || $path === '' ) {
return false;
}

$expected = function_exists( 'rest_url' )
? untrailingslashit( (string) wp_parse_url( rest_url( trim( $namespace, '/' ) ), PHP_URL_PATH ) )
: '/wp-json/' . trim( $namespace, '/' );

return $path === $expected
|| str_starts_with( $path, $expected . '/' );
}

/**
Expand All @@ -73,6 +88,10 @@ private function init() {
/**
* Filter the list of active plugins for custom endpoint requests.
*
* Uses basename() exact-match comparison instead of strpos(), so a
* plugin file path can only match if its filename is exactly in the
* allowlist.
*
* @param array $active_plugins The list of active plugins.
*
* @return array The filtered list of active plugins.
Expand All @@ -86,11 +105,8 @@ public function filter_active_plugins( $active_plugins ) {
$filtered_plugins = [];

foreach ( $active_plugins as $plugin ) {
foreach ( $allowed_plugin_files as $allowed_plugin_file ) {
if ( strpos( $plugin, $allowed_plugin_file ) !== false ) {
$filtered_plugins[] = $plugin;
break;
}
if ( in_array( basename( $plugin ), $allowed_plugin_files, true ) ) {
$filtered_plugins[] = $plugin;
}
}

Expand Down
42 changes: 32 additions & 10 deletions src/Admin/Upgrades.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,9 @@ class Upgrades {
/**
* Constructor for Upgrades.
*
* @return void
* @since 1.3.0
* @access public
* @return void
*/
public function __construct() {
add_action( 'init', [ $this, 'run' ] );
Expand All @@ -38,13 +38,13 @@ public function __construct() {
* Register routines for upgrades.
* This is intended for automatic upgrade routines having less resource intensive tasks.
*
* @since 1.3.0
* @access public
* @return void
*
* @throws Exception
*
* @codeCoverageIgnore
* @since 1.3.0
* @access public
*/
public function run() {
$plausible_analytics_version = get_option( 'plausible_analytics_version' );
Expand Down Expand Up @@ -98,17 +98,21 @@ public function run() {
$this->upgrade_to_254();
}

if ( version_compare( $plausible_analytics_version, '2.5.8', '<' ) ) {
$this->upgrade_to_258();
}

// Add required upgrade routines for future versions here.
}

/**
* Upgrade routine for 1.2.5
* Cleans Custom Domain related options from database, as it was removed in this version.
*
* @return void
* @codeCoverageIgnore
* @since 1.2.5
* @access public
* @return void
* @codeCoverageIgnore
*/
public function upgrade_to_125() {
$old_settings = Helpers::get_settings();
Expand Down Expand Up @@ -138,13 +142,12 @@ public function upgrade_to_125() {
/**
* Get rid of the previous "example.com" default for self_hosted_domain.
*
* @since 1.2.6
* @return void
* @codeCoverageIgnore
* @since 1.2.6
*/
public function upgrade_to_126() {
$old_settings = Helpers::get_settings();
$new_settings = $old_settings;

if ( ! empty( $old_settings['self_hosted_domain'] ) && strpos( $old_settings['self_hosted_domain'], 'example.com' ) !== false ) {
Helpers::update_setting( 'self_hosted_domain', '' );
Expand Down Expand Up @@ -265,11 +268,11 @@ public function upgrade_to_210() {
/**
* If EDD is active and Ecommerce is enabled, create goals after updating the plugin.
*
* @since v2.3.0
*
* @return void
*
* @codeCoverageIgnore because all we'd be doing is testing the Plugins API.
* @since v2.3.0
*
*/
public function upgrade_to_230() {
$settings = Helpers::get_settings();
Expand Down Expand Up @@ -367,7 +370,7 @@ public function upgrade_to_254() {
return;
}

// Show CE notice if self-hosted domain is set, otherwise show Cloud notice.
// Show CE notice if Self-hosted Domain is set, otherwise show Cloud notice.
if ( ! empty( $self_hosted_domain ) ) {
add_action( 'admin_notices', [ $this, 'show_ce_api_token_notice' ] );

Expand All @@ -377,6 +380,25 @@ public function upgrade_to_254() {
add_action( 'admin_notices', [ $this, 'show_cloud_api_token_notice' ] );
}

/**
* Updates the Proxy Module if Proxy is enabled.
*
* @return void
*
* @codeCoverageIgnore
*/
public function upgrade_to_258() {
$proxy_enabled = Helpers::proxy_enabled();

if ( $proxy_enabled ) {
$installer = new Module();

$installer->install();
}

update_option( 'plausible_analytics_version', '2.5.8' );
}

/**
* Display a notice to CE users that haven't entered an API token yet.
*
Expand Down
Loading