v2.2.3

Author: JulioPotier

assets/admin/js/secupress-modules.js

@@ -1624,6 +1624,9 @@ function secupressDisplayAjaxSuccess( $button, text, ajaxID ) {
 // Regenerate keys button ====================
 (function($, d, w, undefined) {
 	$( '#secupress-regen-keys' ).on( 'click', function(e) {
+		if ( $(this).attr('href') == '#' ) {
+			return false;
+		}
 		var _this = this;
 		e.preventDefault();
 		swal2( $.extend( {}, SecuPress.swal2Defaults, SecuPress.swal2ConfirmDefaults, {

defines.php

@@ -1,9 +1,7 @@
 <?php
 defined( 'ABSPATH' ) or die( 'Something went wrong.' );
 
-define( 'SECUPRESS_VERSION'                   , '2.2' );
+define( 'SECUPRESS_VERSION'                   , '2.2.3' );
 define( 'SECUPRESS_MAJOR_VERSION'             , '2.2' );
 define( 'SECUPRESS_PATH'                      , realpath( dirname( SECUPRESS_FILE ) ) . DIRECTORY_SEPARATOR );
 define( 'SECUPRESS_INC_PATH'                  , SECUPRESS_PATH . 'free' . DIRECTORY_SEPARATOR );
-! defined( 'SECUPRESS_API' ) ?
-define( 'SECUPRESS_API'                       , 'ab4f63f9ac65152575886860dde480a1' ) : false;

free/admin/ajax-post-callbacks.php

@@ -879,7 +879,7 @@ function secupress_regen_hash_key_admin_post_cb() {
 	$options['hash_key'] = secupress_generate_key( 64 );
 	secupress_update_options( $options );
 
-	secupress_auto_login( 'Admin_User' );
+	secupress_auto_login( 'Salt_Keys' );
 }
 
 add_action( 'admin_post_secupress_accept_notification', 'secupress_accept_notification_admin_post_cb' );

free/admin/functions/admin.php

@@ -288,23 +288,3 @@ function secupress_print_pro_advantages() {
 	</div>
 	<?php
 }
-
-/**
- * Redirect the user on a specific URL to be autologged-in
- *
- * @since 2.0
- * @author Julio Potier
- *
- * @param (string) $module The SecuPress module to be redirected
- **/
-function secupress_auto_login( $module ) {
-	$current_user = wp_get_current_user();
-	if ( ! $current_user ) {
-		return;
-	}
-	$token = md5( time() . $module );
-	secupress_set_site_transient( 'secupress_auto_login_' . $token, array( $current_user->user_login, $module ), MINUTE_IN_SECONDS );
-
-	wp_safe_redirect( esc_url_raw( add_query_arg( 'secupress_auto_login_token', $token ) ) );
-	die();
-}

free/admin/settings.php

@@ -980,31 +980,6 @@ function secupress_scanners_template() {
 }
 
 
-/**
- * Get a scan or fix status, formatted with icon and human readable text.
- *
- * @since 1.0
- *
- * @param (string) $status The status code.
- *
- * @return (string) Formatted status.
- */
-function secupress_status( $status ) {
-	switch ( $status ) :
-		case 'bad':
-			return __( 'Bad', 'secupress' );
-		case 'good':
-			return __( 'Good', 'secupress' );
-		case 'warning':
-			return __( 'Warning', 'secupress' );
-		case 'cantfix':
-			return __( 'Error', 'secupress' );
-		default:
-			return __( 'New', 'secupress' );
-	endswitch;
-}
-
-
 /**
  * Print a box with title.
  *

free/admin/upgrader.php

@@ -207,7 +207,7 @@ function secupress_new_upgrade( $secupress_version, $actual_version ) {
 	if ( version_compare( $actual_version, '2.0', '<' ) ) {
 		// Cannot use secupress_is_submodule_active() here because these are not modules yet (< 2.0...)
 		if ( defined( 'SECUPRESS_SALT_KEYS_ACTIVE' ) ) {
-			secupress_set_site_transient( 'secupress-add-salt-muplugin', array( 'ID' => $current_user->ID, 'username' => $current_user->user_login ) );
+			secupress_set_site_transient( 'secupress-add-salt-muplugin', array( 'ID' => $current_user->ID ) );
 		}
 		if ( defined( 'COOKIEHASH' ) && COOKIEHASH !== md5( get_site_option( 'siteurl' ) ) ) {
 			secupress_set_site_transient( 'secupress-add-cookiehash-muplugin', array( 'ID' => $current_user->ID, 'username' => $current_user->user_login ) );

free/classes/scanners/class-secupress-scan-bad-usernames.php

@@ -42,7 +42,7 @@ protected function init() {
 		$this->more     = __( 'Some usernames are known to be used for malicious usage, or created by bots.', 'secupress' );
 		$this->more_fix = sprintf(
 			__( 'Activate the option %1$s in the %2$s module.', 'secupress' ),
-			'<em>' . __( 'Forbid usernames', 'secupress' ) . '</em>',
+			'<em>' . __( 'Forbid Usernames', 'secupress' ) . '</em>',
 			'<a href="' . esc_url( secupress_admin_url( 'modules', 'users-login' ) ) . '#row-blacklist-logins_activated">' . __( 'Users & Login', 'secupress' ) . '</a>'
 		);
 	}

free/classes/scanners/class-secupress-scan-db-prefix.php

@@ -29,6 +29,12 @@ class SecuPress_Scan_DB_Prefix extends SecuPress_Scan implements SecuPress_Scan_
 	 */
 	protected static $_instance;
 
+	/**
+	 * Tells if a scanner is fixable by SecuPress. The value "pro" means it's fixable only with the version PRO.
+	 *
+	 * @var (bool|string)
+	 */
+	protected $fixable = 'pro';
 
 	/** Init and messages. ====================================================================== */
 

free/classes/scanners/class-secupress-scan-salt-keys.php

@@ -129,8 +129,9 @@ public function scan() {
 			204 => [],
 			205 => [],
 		];
-
-		preg_match_all( '/' . implode( '|', $keys ) . '/', $wp_config_content, $matches );
+		$pattern  = "'" . implode( "'|'", $keys ) . "'|";
+		$pattern .= '"' . implode( '"|"', $keys ) . '"';
+		preg_match_all( '/' . $pattern . '/', $wp_config_content, $matches );
 
 		if ( ! empty( $matches[0] ) ) {
 			// Hardcoded.

free/classes/settings/class-secupress-settings.php

@@ -632,8 +632,7 @@ protected function field( $args ) {
 
 			case 'wpeditor' :
 			case 'textarea' :
-
-				$value       = esc_textarea( html_entity_decode( implode( "\n" , (array) $value ), ENT_QUOTES ) );
+				$value       = esc_textarea( html_entity_decode( implode( "\n", (array) explode( ',', $value ) ), ENT_QUOTES ) );
 				$attributes .= empty( $args['attributes']['cols'] ) ? ' cols="50"' : '';
 				$attributes .= empty( $args['attributes']['rows'] ) ? ' rows="5"'  : '';
 

free/common.php

@@ -158,8 +158,8 @@ function secupress_check_ban_ips_maybe_send_unban_email( $ip ) {
 	}
 
 	// Send message.
-	$url     = esc_url_raw( wp_nonce_url( home_url( '?action=secupress_self-unban-ip' ), 'secupress_self-unban-ip-' . $ip ) );
-	$message = '<p>' . sprintf(
+	$url     = str_replace( '&amp;', '&', esc_url_raw( wp_nonce_url( home_url( '?action=secupress_self-unban-ip' ), 'secupress_self-unban-ip-' . $ip ) ) );
+	$message = sprintf(
 		/** Translators: %s is a "unlock yourself" link. */
 		__( 'You got yourself locked out?
 
@@ -168,8 +168,8 @@ function secupress_check_ban_ips_maybe_send_unban_email( $ip ) {
 Regards,
 All at ###SITENAME###
 ###SITEURL###', 'secupress' ),
-		'<a href="' . $url . '">' . __( 'unlock yourself', 'secupress' ) . '</a> (' . $url . ')'
-	) . '</p>';
+		__( 'unlock yourself', 'secupress' ) . ' ( ' . $url . ' )'
+	);
 
 	$subject = sprintf( __( 'Unban yourself from %s', 'secupress' ), home_url() );
 	/**
@@ -511,7 +511,6 @@ function secupress_add_cookiehash_muplugin() {
 	secupress_auto_login( 'WP_Config' );
 }
 
-
 add_action( 'plugins_loaded', 'secupress_add_salt_muplugin', 50 );
 /**
  * Will create a mu plugin to early set the salt keys.
@@ -535,7 +534,7 @@ function secupress_add_salt_muplugin() {
 		return;
 	}
 
-	if ( ! is_array( $data ) || ! isset( $data['ID'], $data['username'] ) ) {
+	if ( ! is_array( $data ) || ! isset( $data['ID'] ) ) {
 		secupress_delete_site_transient( 'secupress-add-salt-muplugin' );
 		return;
 	}
@@ -546,15 +545,8 @@ function secupress_add_salt_muplugin() {
 
 	secupress_delete_site_transient( 'secupress-add-salt-muplugin' );
 
-	// Make sure we find the `wp-config.php` file.
-	$wpconfig_filepath = secupress_is_wpconfig_writable();
-
-	if ( ! $wpconfig_filepath ) {
-		return;
-	}
-
 	// Create the MU plugin.
-	if ( ! defined( 'SECUPRESS_SALT_KEYS_MODULE_ACTIVE' ) ) {
+	if ( ! defined( 'SECUPRESS_SALT_KEYS_MODULE_EXISTS' ) ) {
 		$alicia_keys = file_get_contents( SECUPRESS_INC_PATH . 'data/salt-keys.phps' );
 		$args        = array(
 			'{{PLUGIN_NAME}}' => SECUPRESS_PLUGIN_NAME,
@@ -571,48 +563,45 @@ function secupress_add_salt_muplugin() {
 		}
 	}
 
-	/**
-	 * Remove old secret keys from the `wp-config.php` file and add a comment.
-	 * We have to make sure the comment is added, only once, only if one or more keys are found, even if some secret keys are missing, and do not create useless empty lines.
-	 */
-	$wp_filesystem    = secupress_get_filesystem();
-	$wpconfig_content = $wp_filesystem->get_contents( $wpconfig_filepath );
-	$keys             = array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY', 'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' );
-	$comment_added    = false;
-	$comment          = '/** If you want to add secret keys back in wp-config.php, get new ones at https://api.wordpress.org/secret-key/1.1/salt, then delete this file. */';
-	$placeholder      = '/** SecuPress salt placeholder. */';
-
-	foreach ( $keys as $i => $constant ) {
-		$pattern = '@define\s*\(\s*([\'"])' . $constant . '\1.*@';
-
-		if ( preg_match( $pattern, $wpconfig_content, $matches ) ) {
-			$replace          = $comment_added ? $placeholder : $comment;
-			$wpconfig_content = str_replace( $matches[0], $replace, $wpconfig_content );
-			$comment_added    = true;
-		}
-	}
-
-	if ( $comment_added ) {
-		$wpconfig_content = str_replace( $placeholder . "\n", '', $wpconfig_content );
-
-		$wp_filesystem->put_contents( $wpconfig_filepath, $wpconfig_content, FS_CHMOD_FILE );
-	}
-
+	$keys = array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY', 'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' );
 	// Remove old secret keys from the database.
 	foreach ( $keys as $constant ) {
 		delete_site_option( $constant );
 	}
 
-	// Destroy the user session.
-	wp_clear_auth_cookie();
-	if ( function_exists( 'wp_destroy_current_session' ) ) { // WP 4.0 min.
-		wp_destroy_current_session();
-	}
+	// Make sure we find the `wp-config.php` file.
+	$wpconfig_filepath = secupress_is_wpconfig_writable();
+
+
+	if ( $wpconfig_filepath ) {
+		/**
+		 * Remove old secret keys from the `wp-config.php` file and add a comment.
+		 * We have to make sure the comment is added, only once, only if one or more keys are found, even if some secret keys are missing, and do not create useless empty lines.
+		 */
+		$wp_filesystem    = secupress_get_filesystem();
+		$wpconfig_content = $wp_filesystem->get_contents( $wpconfig_filepath );
+		$comment_added    = false;
+		$comment          = '/** If you want to add secret keys back in wp-config.php, get new ones at https://api.wordpress.org/secret-key/1.1/salt, then delete this file. */';
+		$placeholder      = '/** SecuPress salt placeholder. */';
+
+		foreach ( $keys as $i => $constant ) {
+			$pattern = '@define\s*\(\s*([\'"])' . $constant . '\1.*@';
+
+			if ( preg_match( $pattern, $wpconfig_content, $matches ) ) {
+				$replace          = $comment_added ? $placeholder : $comment;
+				$wpconfig_content = str_replace( $matches[0], $replace, $wpconfig_content );
+				$comment_added    = true;
+			}
+		}
 
-	$token = md5( time() );
-	secupress_set_site_transient( 'secupress_auto_login_' . $token, array( $data['username'], 'Salt_Keys' ), MINUTE_IN_SECONDS );
+		if ( $comment_added ) {
+			$wpconfig_content = str_replace( $placeholder . "\n", '', $wpconfig_content );
 
-	wp_safe_redirect( esc_url_raw( add_query_arg( 'secupress_auto_login_token', $token, secupress_get_current_url( 'raw' ) ) ) );
+			$wp_filesystem->put_contents( $wpconfig_filepath, $wpconfig_content, FS_CHMOD_FILE );
+		}
+	}
+
+	secupress_auto_login( 'Salt_Keys' );
 	die();
 }
 
@@ -743,3 +732,49 @@ function secupress_get_php_versions() {
 if ( is_admin() ) {
 	add_action( 'user_register', array( 'SecuPress_Admin_Pointers', 'dismiss_pointers_for_new_users' ) );
 }
+
+
+/**
+ * Redirect the user on a specific URL to be autologged-in
+ *
+ * @since 2.0
+ * @author Julio Potier
+ *
+ * @param (string)      $module The SecuPress module to be redirected
+ * @param (WP_User|int) $user The user to be logged in
+ **/
+function secupress_auto_login( $module, $user = null ) {
+	if( is_int( $user ) ) {
+		$user = new WP_User( $user );
+	}
+	if ( is_a( $user, 'WP_User' ) ) {
+		$current_user = $user;
+	} else {
+		$current_user = wp_get_current_user();
+	}
+	if ( ! $current_user ) {
+		return;
+	}
+	$token = md5( time() . $module );
+	secupress_set_site_transient( 'secupress_auto_login_' . $token, array( $current_user->user_login, $module ), MINUTE_IN_SECONDS );
+
+	wp_safe_redirect( esc_url_raw( add_query_arg( 'secupress_auto_login_token', $token ) ) );
+	die();
+}
+
+add_filter( 'authenticate', 'secupress_authenticate_cookie', 0 );
+function secupress_authenticate_cookie( $user ) {
+	$data = secupress_get_site_transient( 'secupress-auto-login' );
+
+	if ( ! $data ) {
+		return $user;
+	}
+
+	secupress_delete_site_transient( 'secupress-auto-login' );
+
+	if ( ! is_array( $data ) || ! isset( $data['ID'] ) ) {
+		return $user;
+	}
+	
+	secupress_auto_login( 'Salt_Keys', $user );
+}

free/data/salt-keys.phps

@@ -11,13 +11,12 @@
 
 defined( 'ABSPATH' ) or die( 'Something went wrong.' );
 
-define( 'SECUPRESS_SALT_KEYS_MODULE_ACTIVE', true );
-
-
 if ( ! get_site_option( 'secupress_active_submodule_wp-config-constant-saltkeys' ) ) {
 	return;
 }
 
+define( 'SECUPRESS_SALT_KEYS_MODULE_ACTIVE', true );
+
 global $blog_id;
 
 $hash_1     = '{{HASH1}}';

free/functions/3rdparty.php

@@ -39,7 +39,7 @@ function secupress_3rd_compat__unikname_connect( $activated ) {
 // https://plugins.svn.wordpress.org/two-factor-authentication/trunk/two-factor-login.php .
 add_filter( 'secupress.scan.SecuPress_Scan_Easy_Login.activated', 'secupress_3rd_compat__two_factor_authentication' );
 function secupress_3rd_compat__two_factor_authentication( $activated ) {
-	if ( ! $activated && defined( 'SIMBA_TFA_PLUGIN_DIR' ) ) {
+	if ( ! $activated && defined( 'SIMBA_TFA_TEXT_DOMAIN' ) ) {
 		return 'Two Factor Authentication';
 	}
 	return $activated;

free/functions/common.php

@@ -1648,4 +1648,24 @@ function secupress_time_limit( $seconds ) {
 		return true;
 	}
 	return false;
-}
+}
+
+
+/**
+ * Get a scan or fix status, formatted with icon and human readable text.
+ *
+ * @since 1.0
+ *
+ * @param (string) $status The status code.
+ * @return (string) Formatted status.
+ */
+function secupress_status( $status ) {
+	$statuses            = [];
+	$statuses['bad']     = __( 'Bad', 'secupress' );
+	$statuses['good']    = __( 'Good', 'secupress' );
+	$statuses['warning'] = __( 'Warning', 'secupress' );
+	$statuses['cantfix'] = __( 'Error', 'secupress' );
+
+	return isset( $statuses[ $status ] ) ? $statuses[ $status ] : __( 'New', 'secupress' );
+}
+