Version Description
- Fix: Two-factor authentication can be bypassed by user with no role.
- Improvement: Enhanced two-factor authentication protection across multisites.
Release Info
Developer | jdailey |
Plugin | Defender Security – Malware Scanner, Login Security & Firewall |
Version | 1.7.3 |
Code changes from version 1.7.2 to 1.7.3
- app/module/advanced-tools/component/auth-api.php +21 -3
- app/module/advanced-tools/controller/main.php +4 -1
- changelog.txt +5 -0
- languages/wpdef-default.pot +5 -5
- readme.txt +7 -4
- wp-defender.php +1 -1
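--- a/app/module/advanced-tools/component/auth-api.php
+++ b/app/module/advanced-tools/component/auth-api.php
@@ -6,6 +6,7 @@
 namespace WP_Defender\Module\Advanced_Tools\Component;
 
 use Hammer\Base\Component;
+use WP_Defender\Behavior\Utils;
 use WP_Defender\Module\Advanced_Tools\Model\Auth_Settings;
 
 class Auth_API extends Component {
@@ -150,10 +151,27 @@ class Auth_API extends Component {
 if ( ! $user instanceof \WP_User ) {
 return false;
 }
-$settings
-
+$settings = Auth_Settings::instance();
+if ( 0 === count( $user->roles ) ) {
+return true;
+}
 
-
+if ( Utils::instance()->isActivatedSingle() ) {
+$allowedForThisRole = array_intersect( $settings->userRoles, $user->roles );
+
+return count( $allowedForThisRole ) > 0;
+} else {
+$blogs = get_blogs_of_user( $user->ID );
+$userRoles = array();
+foreach ( $blogs as $blog ) {
+//get user roles for this blog
+$u = new \WP_User( $user->ID, '', $blog->userblog_id );
+$userRoles = array_merge( $u->roles, $userRoles );
+}
+$allowedForThisRole = array_intersect( $settings->userRoles, $userRoles );
+
+return count( $allowedForThisRole ) > 0;
+}
 }
 
 /**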
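Review bot: The `if ( 0 === count( $user->roles ) ) { return true; }` shortcut at new line 155 carries no comment explaining why a role-less account is treated as a match, and it runs before the multisite branch. `$user->roles` is whatever the passed-in `WP_User` holds, presumably the current site's roles on a network, so an account with roles only on other sites would take the shortcut and never reach the `get_blogs_of_user()` aggregation; worth confirming that is intended. If `true` means two-factor applies, as the changelog entry suggests, I would add `// No role on this site: fail closed and apply 2FA instead of skipping the role check.` above it. Both `array_intersect()` calls assume `$settings->userRoles` is an array; `(array) $settings->userRoles` would keep a malformed setting from breaking the login check. The method's signature and docblock are outside the hunk.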
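--- a/app/module/advanced-tools/controller/main.php
+++ b/app/module/advanced-tools/controller/main.php
@@ -292,7 +292,8 @@ class Main extends Controller {
 $login_token = HTTP_Helper::retrieve_post( 'login_token' );
 $query = new \WP_User_Query( array(
 'meta_key' => 'defOTPLoginToken',
-'meta_value' => $login_token
+'meta_value' => $login_token,
+'blog_id' => 0
 ) );
 $res = $query->get_results();
 if ( empty( $res ) ) {
@@ -312,6 +313,7 @@ class Main extends Controller {
 delete_user_meta( $user->ID, 'defOTPLoginToken' );
 wp_set_current_user( $user->ID, $user->user_login );
 wp_set_auth_cookie( $user->ID, true );
+$redirect = apply_filters( 'login_redirect', $redirect, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user );
 wp_redirect( $redirect );
 exit;
 } else {
@@ -321,6 +323,7 @@ class Main extends Controller {
 delete_user_meta( $user->ID, 'defenderBackupCode' );
 wp_set_current_user( $user->ID, $user->user_login );
 wp_set_auth_cookie( $user->ID, true );
+$redirect = apply_filters( 'login_redirect', $redirect, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user );
 wp_redirect( $redirect );
 exit;
 } else {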
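Review bot: The result of the `login_redirect` filter at new lines 316 and 326 goes straight into `wp_redirect( $redirect )`, which does not restrict the destination host, and the filter is handed the raw `$_REQUEST['redirect_to']`. Core's login flow validates the post-filter target, so I would use `wp_safe_redirect( $redirect );` at both sites. In the first hunk, `WP_User_Query` drops an empty `meta_value` from the meta query, so the token lookup is only as strict as the validation of `$login_token` before it. If the lines above the hunk do not already do so, a guard that rejects a missing, non-string or empty `$login_token` belongs before the query. The enclosing method starts and ends outside the hunks.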
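--- a/changelog.txt
+++ b/changelog.txt
@@ -4,6 +4,11 @@ Tested up to: 4.7.4
 
 Change Log:
 
+1.7.3 - 2017-14-10
+----------------------------------------------------------------------
+- Fix: Two-factor authentication can be bypassed by user with no role.
+- Improvement: Enhanced two-factor authentication protection across multisites.
+
 1.7.2 - 2017-09-10
 ----------------------------------------------------------------------
 - Improvement: Improvement: IPv6 support for both whitelisting and blacklisting, requires IPv6 support on the server.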
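--- a/languages/wpdef-default.pot
+++ b/languages/wpdef-default.pot
@@ -2,9 +2,9 @@
 # This file is distributed under the GNU General Public License (Version 2 - GPLv2).
 msgid ""
 msgstr ""
-"Project-Id-Version: WP Defender Pro 1.7.
+"Project-Id-Version: WP Defender Pro 1.7.3\n"
 "Report-Msgid-Bugs-To: https://wpmudev.org\n"
-"POT-Creation-Date: 2017-10-
+"POT-Creation-Date: 2017-10-14 05:15:14+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -305,7 +305,7 @@ msgid "Defender%s"
 msgstr ""
 
 #: app/module/advanced-tools/behavior/at-widget.php:17
-#: app/module/advanced-tools/controller/main.php:
+#: app/module/advanced-tools/controller/main.php:396
 #: app/module/advanced-tools/view/layouts/layout.php:5
 msgid "Advanced Tools"
 msgstr ""
@@ -396,11 +396,11 @@ msgstr ""
 msgid "Some error happen"
 msgstr ""
 
-#: app/module/advanced-tools/controller/main.php:
+#: app/module/advanced-tools/controller/main.php:330
 msgid "Whoops, the passcode you entered was incorrect or expired."
 msgstr ""
 
-#: app/module/advanced-tools/controller/main.php:
+#: app/module/advanced-tools/controller/main.php:461
 #: app/module/audit/controller/main.php:196
 #: app/module/ip-lockout/controller/main.php:665
 #: app/module/scan/controller/main.php:305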
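--- a/readme.txt
+++ b/readme.txt
@@ -1,13 +1,13 @@
 === Defender Security, Monitoring, and Hack Protection ===
 Plugin Name: Defender Security, Monitoring, and Hack Protection
-Version: 1.7.
+Version: 1.7.3
 Author: WPMU DEV
 Author URI: http://premium.wpmudev.org/
 Contributors: WPMUDEV
 Tags: Security, Security Tweaks, Hardening, IP lockout, Monitoring, Blacklist, Site Protection, Hacked, Security Scan
-Requires at least:
-Tested up to: 4.
-Stable tag: 1.7.
+Requires at least: 4.6
+Tested up to: 4.9
+Stable tag: 1.7.3
 License: GPL v2 - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 
 Protect WordPress from hackers with security tweaks, code scans, 2-Step Verification, IP lockouts, and monitoring.
@@ -110,6 +110,9 @@ Hackers and bot attacks are not the only threat to your site. No matter what se
 
 
 == Changelog ==
+= 1.7.3 =
+* Fix: Two-factor authentication can be bypassed by user with no role.
+* Improvement: Enhanced two-factor authentication protection across multisites.
 
 = 1.7.2 =
 * Improvement: Improvement: IPv6 support for both whitelisting and blacklisting, requires IPv6 support on the server.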
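--- a/wp-defender.php
+++ b/wp-defender.php
@@ -3,7 +3,7 @@
 /**
 * Plugin Name: WP Defender
 * Plugin URI: https://premium.wpmudev.org/project/wp-defender/
-* Version: 1.7.
+* Version: 1.7.3
 * Description: Get regular security scans, vulnerability reports, safety recommendations and customized hardening for your site in just a few clicks. Defender is the analyst and enforcer who never sleeps.
 * Author: WPMU DEV
 * Author URI: http://premium.wpmudev.org/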