v2.2.5.2

Author: JulioPotier

defines.php

@@ -1,7 +1,7 @@
 <?php
 defined( 'ABSPATH' ) or die( 'Something went wrong.' );
 
-define( 'SECUPRESS_VERSION'                   , '2.2.5.1' );
+define( 'SECUPRESS_VERSION'                   , '2.2.5.2' );
 define( 'SECUPRESS_MAJOR_VERSION'             , '2.2' );
 define( 'SECUPRESS_PATH'                      , realpath( dirname( SECUPRESS_FILE ) ) . DIRECTORY_SEPARATOR );
 define( 'SECUPRESS_INC_PATH'                  , SECUPRESS_PATH . 'free' . DIRECTORY_SEPARATOR );

free/functions/common.php

@@ -1216,17 +1216,19 @@ function secupress_is_affected_role( $module, $submodule, $user ) {
 /**
  * This will be used with the filter hook 'nonce_user_logged_out' to create nonces for disconnected users.
  *
+ * @since 2.2.5.2 hash( 'crc32b' )
+ * @author Julio Potier
+ * 
  * @since 1.0
- *
+ * @author Grégory Viguier
+ * 
  * @param (int) $uid A userID.
+ * @param (string) $action The action.
  *
  * @return (int)
  */
-function secupress_modify_userid_for_nonces( $uid ) {
-	if ( $uid ) {
-		return $uid;
-	}
-	return isset( $_GET['userid'] ) ? (int) $_GET['userid'] : 0;
+function secupress_modify_userid_for_nonces( $uid = 0, $action = '' ) {
+	return hash( 'crc32b', $uid . $action . secupress_get_ip() );
 }
 
 

free/modules/sensitive-data/plugins/blackhole.php

@@ -9,11 +9,11 @@
 
 defined( 'SECUPRESS_VERSION' ) or die( 'Something went wrong.' );
 
-
 add_filter( 'robots_txt', 'secupress_blackhole_robots_txt' );
 /**
  * Add forbidden URI in `robots.txt` file.
  *
+ * @author Grégory Viguier
  * @since 1.0
  *
  * @param (string) $output File content.
@@ -41,7 +41,11 @@ function secupress_blackhole_robots_txt( $output ) {
 /**
  * Use a custom template for our trap.
  *
+ * @since 2.2.5.2 Manage the ban from here with a nonce now
+ * @author Julio Potier
+ *
  * @since 1.0
+ * @author Grégory Viguier
  *
  * @param (string) $template Template path.
  *
@@ -55,48 +59,49 @@ function secupress_blackhole_please_click_me( $template ) {
 	$url     = trailingslashit( secupress_get_current_url() );
 	$dirname = secupress_get_hashed_folder_name( 'blackhole' );
 
+	if ( isset( $_GET['token'] ) && wp_verify_nonce( $_GET['token'], 'ban_me_please-' . date( 'ymdhi' ) ) ) {
+		$ip      = secupress_get_ip();
+		$ban_ips = get_site_option( SECUPRESS_BAN_IP );
+
+		if ( ! is_array( $ban_ips ) ) {
+			$ban_ips = array();
+		}
+
+		$ban_ips[ $ip ] = time() + MONTH_IN_SECONDS;
+
+		update_site_option( SECUPRESS_BAN_IP, $ban_ips );
+
+		/* This hook is documented in /inc/functions/admin.php */
+		do_action( 'secupress.ban.ip_banned', $ip, $ban_ips );
+
+		secupress_log_attack( 'bad_robots' );
+
+		wp_die( 'Something went wrong.' ); // Do not use secupress_die() here.
+	}
+
+	add_filter( 'nonce_user_logged_out', 'secupress_modify_userid_for_nonces', 10, 2 );
+
 	if ( substr( $url, - strlen( $dirname ) ) === $dirname ) {
 		return dirname( __FILE__ ) . '/inc/php/blackhole/warning-template.php';
 	}
 
 	return $template;
 }
 
-
-add_action( 'admin_post_nopriv_secupress-ban-me-please', 'secupress_blackhole_ban_ip' );
 /**
- * Ban an IP address and die.
- *
+ * @since 2.2.5.2 Deprecated
  * @since 2.0 use REMOTE_ADDR + do not print anything
- * @author Julio Potier
  * @since 1.0
  */
 function secupress_blackhole_ban_ip() {
-	if ( secupress_blackhole_is_whitelisted() ) {
-		return;
-	}
-
-	$ip      = secupress_get_ip( 'REMOTE_ADDR' );
-	$ban_ips = get_site_option( SECUPRESS_BAN_IP );
-
-	if ( ! is_array( $ban_ips ) ) {
-		$ban_ips = array();
-	}
-
-	$ban_ips[ $ip ] = time() + MONTH_IN_SECONDS;
-
-	update_site_option( SECUPRESS_BAN_IP, $ban_ips );
-
-	/* This hook is documented in /inc/functions/admin.php */
-	do_action( 'secupress.ban.ip_banned', $ip, $ban_ips );
-
-	die();
+	_deprecated_function( __FUNCTION__, '2.2.5.2' );
 }
 
 
 /**
  * Tell if the current user is whitelisted.
  *
+ * @author Grégory Viguier
  * @since 1.0
  *
  * @return (bool) True if whitelisted, false otherwize.

free/modules/sensitive-data/plugins/inc/php/blackhole/warning-template.php

@@ -1,23 +1,77 @@
 <?php
+/**
+ * SecuPress Template Name: Warning Template
+ * 
+ * @since 2.2.5.2 Julio Potier
+ * @since 1.0 Grégory Viguier
+ * 
+ * @see secupress_blackhole_please_click_me()
+*/
 defined( 'SECUPRESS_VERSION' ) or die( 'Something went wrong.' );
 
+define( 'DONOTCACHEPAGE', true );
+
+$title = __( 'Warning - Deceptive content', 'secupress' );
+
 ?><!DOCTYPE html>
 <html <?php language_attributes(); ?>>
 	<head>
 		<meta charset="<?php echo esc_attr( strtolower( get_bloginfo( 'charset' ) ) ); ?>" />
-		<title><?php esc_html_e( 'STOP', 'secupress' ); ?></title>
+		<title><?php echo $title; ?></title>
 		<meta content="noindex,nofollow" name="robots" />
 		<meta content="initial-scale=1.0" name="viewport" />
-	</head>
-	<body>
+	    <style>
+	        body {
+	            margin: 0;
+	            padding: 0;
+	            font-family: sans-serif;
+	            background-color: #C44;
+	            display: flex;
+	            justify-content: center;
+	            align-items: center;
+	            height: 50vh;
+	        }
+
+	        .warning {
+	            text-align: center;
+	            background-color: #fee;
+	            padding: 40px;
+	            border-radius: 12px;
+	            box-shadow: 0 4px 12px rgba(0, 0, 0, 0.4);
+	        }
+
+	        .warning h1 {
+	            color: #db4437;
+	            margin-bottom: 10px;
+	        }
+
+	        .warning p {
+	            color: #333;
+	            font-size: 16px;
+	            margin-top: 10px;
+	            line-height: 2em;
+	        }
+
+	      blink {
+	         animation: blinker-two 1s linear infinite;
+	       }
+	       @keyframes blinker-two {  
+	         100% { opacity: 0; }
+	       }
+       </style>
+</head>
+<body>
+    <div class="warning">
+        <h1><blink><?php echo $title; ?></blink></h1>
 		<p><?php
 		printf(
 			/** Translators: 1 is a file name, 2 is a "click here" link. */
-			__( 'The aim of this page is to catch robots that don’t respect the rules set in the %1$s file. <strong>Don’t %2$s or you will be banned from this site.</strong>', 'secupress' ),
+			__( 'The purpose of this page is to detect robots that do not adhere to the rules outlined in the %1$s file.<br><strong>%2$s, or you will be banned from this site.</strong>', 'secupress' ),
 			'<code>robots.txt</code>',
-			'<a href="' . esc_url( admin_url( 'admin-post.php?action=secupress-ban-me-please' ) ) . '">' . __( 'click this link', 'secupress' ) . '</a>'
+			'<a href="' . esc_url( wp_nonce_url( '', 'ban_me_please-' . date( 'ymdhi' ), 'token' ) ) . '">' . __( 'DO NOT CLICK THIS LINK', 'secupress' ) . '</a>'
 		);
 		?></p>
-	</body>
+    </div>
+</body>
 </html><?php
-die();
+die();