V2.2.5.1

Author: JulioPotier

defines.php

@@ -1,7 +1,7 @@
 <?php
 defined( 'ABSPATH' ) or die( 'Something went wrong.' );
 
-define( 'SECUPRESS_VERSION'                   , '2.2.4.1' );
+define( 'SECUPRESS_VERSION'                   , '2.2.5.1' );
 define( 'SECUPRESS_MAJOR_VERSION'             , '2.2' );
 define( 'SECUPRESS_PATH'                      , realpath( dirname( SECUPRESS_FILE ) ) . DIRECTORY_SEPARATOR );
 define( 'SECUPRESS_INC_PATH'                  , SECUPRESS_PATH . 'free' . DIRECTORY_SEPARATOR );

free/admin/functions/admin.php

@@ -287,56 +287,4 @@ function secupress_print_pro_advantages() {
 		</div>
 	</div>
 	<?php
-}
-
-
-/**
- * Retrieve messages by their ID and format them by wrapping them in `<ul>` and `<li>` tags.
- *
- * @since 1.0
- *
- * @param (array)  $msgs      An array of messages.
- * @param (string) $test_name The scanner name.
- *
- * @return (string) An HTML list of formatted messages.
- */
-function secupress_format_message( $msgs, $test_name ) {
-	$classname = 'SecuPress_Scan_' . $test_name;
-	$messages  = $classname::get_instance()->get_messages();
-
-	$output = array();
-
-	if ( empty( $msgs ) ) {
-		return implode( '<br/>', $output );
-	}
-
-	foreach ( $msgs as $id => $atts ) {
-
-		if ( ! isset( $messages[ $id ] ) ) {
-
-			$string = __( 'Fix done.', 'secupress' );
-
-		} elseif ( is_array( $messages[ $id ] ) ) {
-
-			$count  = array_shift( $atts );
-			$string = translate_nooped_plural( $messages[ $id ], $count );
-
-		} else {
-
-			$string = $messages[ $id ];
-
-		}
-
-		if ( $atts ) {
-			foreach ( $atts as $i => $att ) {
-				if ( is_array( $att ) ) {
-					$atts[ $i ] = wp_sprintf_l( '%l', $att );
-				}
-			}
-		}
-
-		$output[] = ! empty( $atts ) ? vsprintf( $string, $atts ) : $string;
-	}
-
-	return implode( '<br/>', $output );
-}
+}

free/admin/settings.php

@@ -511,12 +511,19 @@ function secupress_scanners() {
 												<?php _e( 'Good', 'secupress' ); ?>
 												<span class="secupress-count-good"></span>
 											</li>
+											<?php if ( $counts['warning'] > 0 ) : ?>
+											<li class="status-warning" data-status="warning">
+												<span class="secupress-carret"></span>
+												<?php _e( 'Pending', 'secupress' ); ?>
+												<span class="secupress-count-warning"></span>
+											</li>
+											<?php endif; ?>
 											<li class="status-bad" data-status="bad">
 												<span class="secupress-carret"></span>
 												<?php _e( 'Bad', 'secupress' ); ?>
 												<span class="secupress-count-bad"></span>
 											</li>
-											<?php if ( $counts['notscannedyet'] ) : ?>
+											<?php if ( $counts['notscannedyet'] > 0 ) : ?>
 											<li class="status-notscannedyet" data-status="notscannedyet">
 												<span class="secupress-carret"></span>
 												<?php _e( 'New Scan', 'secupress' ); ?>

free/classes/scanners/class-secupress-scan-bad-vuln-plugins.php

@@ -86,6 +86,7 @@ public static function get_messages( $message_id = null ) {
 			104 => __( 'No plugins selected for deactivation.', 'secupress' ),
 			105 => _n_noop( 'Selected plugin has been deactivated (but some are still there).', 'All selected plugins have been deactivated (but some are still there).', 'secupress' ),
 			106 => _n_noop( 'Sorry, the following plugin could not be deactivated: %s.', 'Sorry, the following plugins could not be deactivated: %s.', 'secupress' ),
+			107 => __( 'Your installation may contain vulnerable plugins. The PRO version will be more accurate.', 'secupress' ),
 			// "bad"
 			/** Translators: 1 is a number, 2 is a plugin name (or a list of plugin names). */
 			200 => _n_noop( '<strong>%1$d plugin</strong> is known to be vulnerable: %2$s.', '<strong>%1$d plugins</strong> are known to be vulnerable: %2$s.', 'secupress' ),
@@ -94,7 +95,6 @@ public static function get_messages( $message_id = null ) {
 			203 => _n_noop( 'Sorry, this plugin could not be deleted.', 'Sorry, those plugins could not be deleted.', 'secupress' ),
 			204 => _n_noop( 'The following plugin should be deactivated if you don’t need it: %s.', 'The following plugins should be deactivated if you don’t need them: %s.', 'secupress' ),
 			205 => _n_noop( 'Sorry, this plugin could not be deactivated.', 'Sorry, those plugins could not be deactivated.', 'secupress' ),
-			206 => __( 'Your installation may contain vulnerable plugins. The PRO version will be more accurate.', 'secupress' ),
 			// "cantfix"
 			/** Translators: %d is a number. */
 			300 => _n_noop( '<strong>%d</strong> plugin can be <strong>deleted</strong>.', '<strong>%d</strong> plugins can be <strong>deleted</strong>.', 'secupress' ),
@@ -152,7 +152,7 @@ public function scan() {
 			$bad_plugins = $this->get_installed_plugins_vulnerables();
 
 			if ( is_numeric( $bad_plugins ) ) {
-				$this->add_message( 206 );
+				$this->add_message( 107 );
 			} elseif ( $count = count( $bad_plugins ) ) {
 				// "bad"
 				$this->add_message( 200, array( $count, $count, self::wrap_in_tag( $bad_plugins ) ) );

free/classes/scanners/class-secupress-scan-discloses.php

@@ -167,6 +167,7 @@ public function scan() {
 
 		if ( $has_response ) {
 			$powered_by = wp_remote_retrieve_header( $response, 'x-powered-by' );
+			$powered_by = is_array( $powered_by ) ? reset( $powered_by ) : $powered_by;
 			$body       = wp_remote_retrieve_body( $response );
 		}
 
@@ -289,6 +290,14 @@ public function fix() {
 
 		if ( $has_response ) {
 			$powered_by = wp_remote_retrieve_header( $response, 'x-powered-by' );
+			if ( is_array( $powered_by ) ) {
+				foreach( $powered_by as $p ) {
+					if ( strpos( $p, 'PHP/' ) === 0 ) {
+						$powered_by = $p;
+						break;
+					}
+				}
+			}
 			$body       = wp_remote_retrieve_body( $response );
 		}
 

free/classes/scanners/class-secupress-scan-https.php

@@ -148,7 +148,7 @@ public static function get_messages( $message_id = null ) {
 			// "bad"
 			200 => __( 'Your site is not totally using HTTPS/SSL: %s', 'secupress' ),
 			201 => __( 'Your site does not use HTTPS/SSL. Error: %s', 'secupress' ),
-			202   => __( 'Your website seems to run under maintenance mode, rescan this later when you set it off.', 'secupress' ),
+			202   => __( 'Your website seems to run under maintenance mode, relaunch the HTTPS scanner later when you set it off.', 'secupress' ),
 			// "cantfix"
 			300 => __( 'Cannot be fixed automatically. You have to contact you host provider to ask him to <strong>upgrade your site with HTTPS/SSL</strong>.', 'secupress' ),
 			301 => __( 'Update your HOME url and SITE url with <code>https://</code>.', 'secupress' ),

free/classes/settings/class-secupress-settings.php

@@ -1554,8 +1554,8 @@ protected function print_sideads() {
 				if ( 'secupress_ad_before' !== $sidead['hook'] ) {
 					continue;
 				}
-				if ( ( 'free' === $sidead['when'] && ! secupress_is_pro() )
-					|| ( 'pro' === $sidead['when'] && secupress_is_pro() )
+				if ( ( 'free' === $sidead['when'] && ! secupress_has_pro() )
+					|| ( 'pro' === $sidead['when'] && secupress_has_pro() )
 					|| 'both' === $sidead['when']
 				 ) {
 				 	$content_locale = 'content-' . get_user_locale();

free/functions/common.php

@@ -369,6 +369,7 @@ function secupress_die( $message = '', $title = '', $args = array() ) {
 	$message         = '<h1>' . SECUPRESS_PLUGIN_NAME . '</h1>' . $message;
 	$url             = secupress_get_current_url( 'raw' );
 	$force_die       = ! empty( $args['force_die'] );
+	$context         = ! empty( $args['context'] ) ? $args['context'] : '';
 	$is_scan_request = secupress_is_scan_request(); // Used to bypass the whitelist for scans.
 
 	/**
@@ -381,7 +382,7 @@ function secupress_die( $message = '', $title = '', $args = array() ) {
 	 * @param (array)  $args            Facultative arguments.
 	 * @param (bool)   $is_scan_request Tell if the request comes from one of our scans.
 	 */
-	$message = apply_filters( 'secupress.die.message', $message, $url, $args, $is_scan_request );
+	$message = apply_filters( 'secupress.die.message', $message, $url, $args, $is_scan_request, $context );
 
 	/**
 	 * Fires right before `wp_die()`.
@@ -393,7 +394,7 @@ function secupress_die( $message = '', $title = '', $args = array() ) {
 	 * @param (array)  $args            Facultative arguments.
 	 * @param (bool)   $is_scan_request Tell if the request comes from one of our scans.
 	 */
-	do_action( 'secupress.before.die', $message, $url, $args, $is_scan_request );
+	do_action( 'secupress.before.die', $message, $url, $args, $is_scan_request, $context );
 
 	if ( $force_die || $is_scan_request ) {
 		// Die.
@@ -1663,9 +1664,60 @@ function secupress_status( $status ) {
 	$statuses            = [];
 	$statuses['bad']     = __( 'Bad', 'secupress' );
 	$statuses['good']    = __( 'Good', 'secupress' );
-	$statuses['warning'] = __( 'Warning', 'secupress' );
+	$statuses['warning'] = __( 'Pending', 'secupress' );
 	$statuses['cantfix'] = __( 'Error', 'secupress' );
 
 	return isset( $statuses[ $status ] ) ? $statuses[ $status ] : __( 'New', 'secupress' );
 }
 
+
+/**
+ * Retrieve messages by their ID and format them by wrapping them in `<ul>` and `<li>` tags.
+ *
+ * @since 1.0
+ *
+ * @param (array)  $msgs      An array of messages.
+ * @param (string) $test_name The scanner name.
+ *
+ * @return (string) An HTML list of formatted messages.
+ */
+function secupress_format_message( $msgs, $test_name ) {
+	$classname = 'SecuPress_Scan_' . $test_name;
+	$messages  = $classname::get_instance()->get_messages();
+
+	$output = array();
+
+	if ( empty( $msgs ) ) {
+		return implode( '<br/>', $output );
+	}
+
+	foreach ( $msgs as $id => $atts ) {
+
+		if ( ! isset( $messages[ $id ] ) ) {
+
+			$string = __( 'Fix done.', 'secupress' );
+
+		} elseif ( is_array( $messages[ $id ] ) ) {
+
+			$count  = array_shift( $atts );
+			$string = translate_nooped_plural( $messages[ $id ], $count );
+
+		} else {
+
+			$string = $messages[ $id ];
+
+		}
+
+		if ( $atts ) {
+			foreach ( $atts as $i => $att ) {
+				if ( is_array( $att ) ) {
+					$atts[ $i ] = wp_sprintf_l( '%l', $att );
+				}
+			}
+		}
+
+		$output[] = ! empty( $atts ) ? vsprintf( $string, $atts ) : $string;
+	}
+
+	return implode( '<br/>', $output );
+}

free/functions/ip.php

@@ -34,7 +34,7 @@ function secupress_get_ip() {
  *
  * @return (bool) True is valid IP
  */
-function secupress_ip_is_valid( $ip, $range_format = false , $flag = null ) {
+function secupress_ip_is_valid( $ip, $range_format = false , $flag = 0 ) {
 	if ( ! $ip || ! is_string( $ip ) ) {
 		return false;
 	}
@@ -891,7 +891,7 @@ function secupress_ban_ip( $time_ban = 5, $ip = null, $die = true ) {
 			_n( 'Your IP address %1$s has been banned for %2$s minute, please do not retry until then.', 'Your IP address %1$s has been banned for %2$s minutes, please do not retry until then.', $time_ban, 'secupress' ),
 			'<code>' . esc_html( $ip ) . '</code>',
 			'<strong>' . number_format_i18n( $time_ban ) . '</strong>'
-		), array( 'force_die' => true ) );
+		), array( 'force_die' => true, 'context' => 'ban_ip' ) );
 	}
 }
 

free/modules/antispam/plugins/fightspam.php

@@ -771,8 +771,8 @@ function secupress_fightspam_dont_comment_too_soon_timer() {
 	if ( ! secupress_get_module_option( 'antispam_comment-delay', 1, 'antispam' ) ) {
 		return;
 	}
-	// Only do this if we are on a post type page which supports comments with a non logged in user
-	if ( is_user_logged_in() || ! get_post_type() || ! post_type_supports( get_post_type(), 'comments' ) ) {
+	// Only do this if we are on a singular page which supports comments and where comments are open with a non logged in user
+	if ( ! is_singular() || is_user_logged_in() || post_type_supports( get_post_type(), 'comments' ) || comments_open() ) {
 		return;
 	}
 	// Set our timer in PHP with a filter

free/modules/firewall/plugins/request-methods-header.php

@@ -14,6 +14,18 @@
 	* @since 2.0 Allow all requests methods but customs and TRACE.
 	*/
 	$methods = array( 'GET' => true, 'POST' => true, 'HEAD' => true, 'PUT' => true, 'PATCH' => true, 'DELETE' => true, 'CONNECT' => true, 'OPTIONS' => true );
+	if ( ! function_exists( 'is_plugin_active' ) ) {
+		require ABSPATH . 'wp-admin/includes/plugin.php';
+	}
+	if ( is_plugin_active( 'matomo/matomo.php' ) && isset( $_SERVER['REQUEST_METHOD'] ) && ! array_key_exists( $_SERVER['REQUEST_METHOD'], $methods ) ) {
+		$methods[ $_SERVER['REQUEST_METHOD'] ] = true;
+	}
+	/**
+	 * Filters the methods array
+	 * @param (array) $methods
+	 * @since 2.2.5
+	 * **/
+	$methods = apply_filters( 'secupress.plugins.bbrm.methods', $methods );
 
 	if ( ! isset( $methods[ $_SERVER['REQUEST_METHOD'] ] ) ) {
 		secupress_block( 'RMHM', [ 'code' => 405, 'b64' => [ 'data' => $_SERVER['REQUEST_METHOD'] ] ] );

free/modules/firewall/tools.php

@@ -59,7 +59,7 @@ function secupress_firewall_bbq_host_content_bad_contents_list_default() {
  */
 function secupress_firewall_bbq_referer_content_bad_contents_list_default() {
 	return  apply_filters( 'secupress.bad_referer_contents.list',
-			'semalt.com, todaperfeita, ambien, blue spill, cialis, cocaine, ejaculat, erectile, erections, hoodia, huronriveracres, impotence, levitra, libido, lipitor, phentermin, sandyauer, tramadol, troyhamby, ultram, unicauca, valium, viagra, vicodin, xanax, ypxaieo'
+			'semalt.com, todaperfeita, ambien, blue spill, cocaine, ejaculat, erectile, erections, hoodia, huronriveracres, impotence, levitra, libido, lipitor, phentermin, sandyauer, tramadol, troyhamby, ultram, unicauca, valium, viagra, vicodin, xanax, ypxaieo'
 			);
 }
 

free/modules/plugins-themes/callbacks.php

@@ -31,17 +31,7 @@ function secupress_plugins_themes_settings_callback( $settings ) {
 	// Uploads.
 	secupress_uploads_settings_callback( $modulenow, $activate );
 
-	/**
-	 * Filter the settings before saving.
-	 *
-	 * @since 1.4.9
-	 *
-	 * @param (array)      $settings The module settings.
-	 * @param (array\bool) $activate Contains the activation rules for the different modules
-	 */
-	$settings = apply_filters( "secupress_{$modulenow}_settings_callback", $settings, $activate );
-
-	return $settings;
+	return array( 'sanitized' => 1 );
 }
 
 

free/modules/users-login/plugins/limitloginattempts.php

@@ -21,6 +21,7 @@
  * @return (null|object)
  */
 function secupress_limitloginattempts( $raw_user, $username ) {
+	global $wpdb;
 	static $done = false;
 
 	if ( $done ) {
@@ -37,15 +38,66 @@ function secupress_limitloginattempts( $raw_user, $username ) {
 	}
 
 	$max_attempts  = secupress_get_module_option( 'login-protection_number_attempts', 10, 'users-login' );
-	$user_attempts = (int) get_user_meta( $uid, '_secupress_limitloginattempts', true );
+
+	// Adding initial Value
+	$wpdb->query(
+		$wpdb->prepare(
+			"
+			INSERT INTO {$wpdb->usermeta} (user_id, meta_key, meta_value)
+			SELECT * FROM (SELECT %d, '_secupress_limitloginattempts', 0) as tmp
+			WHERE NOT EXISTS (
+				SELECT * FROM {$wpdb->usermeta}
+				WHERE user_id = %d 
+				AND meta_key = '_secupress_limitloginattempts'
+			);
+		",
+		$uid,
+		$uid
+		)
+	);
+
+	// Start transaction
+	$wpdb->query("START TRANSACTION");
+
+	// Removed in 2.2.5, TOCTOU flaw
+	// $user_attempts = (int) get_user_meta( $uid, '_secupress_limitloginattempts', true );
+
+	// Get the number of attempts (line lock with FOR UPDATE)
+	$user_attempts = $wpdb->get_var(
+		$wpdb->prepare(
+						"
+						SELECT meta_value FROM {$wpdb->usermeta}
+                        WHERE {$wpdb->usermeta}.meta_key = '_secupress_limitloginattempts'
+                        AND {$wpdb->usermeta}.user_id = %d
+                        LIMIT 1 FOR UPDATE
+						",
+						$uid
+		)
+	);
+
 	++$user_attempts;
 
 	if ( $user_attempts >= $max_attempts ) {
 		delete_user_meta( $uid, '_secupress_limitloginattempts' );
 		secupress_ban_ip( (int) secupress_get_module_option( 'login-protection_time_ban', 5, 'users-login' ) );
 	}
 
-	update_user_meta( $uid, '_secupress_limitloginattempts', $user_attempts );
+	//  Removed in 2.2.5, TOCTOU flaw
+	// update_user_meta( $uid, '_secupress_limitloginattempts', $user_attempts );
+
+	// Update number of attempts
+	$wpdb->query(
+		$wpdb->prepare(
+			"UPDATE {$wpdb->usermeta} SET meta_value = %d WHERE user_id = %d and meta_key = '_secupress_limitloginattempts'",
+			$user_attempts,
+			$uid
+		)
+	);
+	
+	// End transaction with a COMMIT command
+	$wpdb->query("COMMIT");
+
+
 	$user_attempts_left = $max_attempts - $user_attempts;
 
 	if ( $user_attempts_left <= 3 ) {