Health Check - Version 1.2.6

Version Description


Release Info

Developer Clorith
Version 1.2.6

Code changes from version 1.2.5 to 1.2.6

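--- a/health-check.php
+++ b/health-check.php
@@ -9,7 +9,7 @@
 * Plugin URI: https://wordpress.org/plugins/health-check/
 * Description: Checks the health of your WordPress install.
 * Author: The WordPress.org community
-* Version: 1.2.5
+* Version: 1.2.6
 * Author URI: https://wordpress.org/plugins/health-check/
 * Text Domain: health-check
 */
@@ -35,7 +35,7 @@ define( 'HEALTH_CHECK_MYSQL_MIN_VERSION', '5.0' );
 define( 'HEALTH_CHECK_MYSQL_REC_VERSION', '5.6' );
 
 // Set the plugin version.
-define( 'HEALTH_CHECK_PLUGIN_VERSION', '1.2.5' );
+define( 'HEALTH_CHECK_PLUGIN_VERSION', '1.2.6' );
 
 // Set the absolute path for the plugin.
 define( 'HEALTH_CHECK_PLUGIN_DIRECTORY', plugin_dir_path( __FILE__ ) );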
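--- a/includes/class-health-check-files-integrity.php
+++ b/includes/class-health-check-files-integrity.php
@@ -28,18 +28,18 @@ class Health_Check_Files_Integrity {
 }
 
 /**
-* Calls the WordPress API on the checksums endpoint
-*
-* @uses get_bloginfo()
-* @uses get_locale()
-* @uses ABSPATH
-* @uses wp_remote_get()
-* @uses get_bloginfo()
-* @uses strpos()
-* @uses unset()
-*
-* @return array
-*/
+* Calls the WordPress API on the checksums endpoint
+*
+* @uses get_bloginfo()
+* @uses get_locale()
+* @uses ABSPATH
+* @uses wp_remote_get()
+* @uses get_bloginfo()
+* @uses strpos()
+* @uses unset()
+*
+* @return array
+*/
 static function call_checksum_api() {
 // Setup variables.
 $wpversion = get_bloginfo( 'version' );
@@ -51,6 +51,8 @@ class Health_Check_Files_Integrity {
 // Encode the API response body.
 $checksumapibody = json_decode( wp_remote_retrieve_body( $checksumapi ), true );
 
+set_transient( 'health-check-checksums', $checksumapibody, 2 * HOUR_IN_SECONDS );
+
 // Remove the wp-content/ files from checking
 foreach ( $checksumapibody['checksums'] as $file => $checksum ) {
 if ( false !== strpos( $file, 'wp-content/' ) ) {
@@ -62,16 +64,16 @@ class Health_Check_Files_Integrity {
 }
 
 /**
-* Parses the results from the WordPress API call
-*
-* @uses file_exists()
-* @uses md5_file()
-* @uses ABSPATH
-*
-* @param array $checksums
-*
-* @return array
-*/
+* Parses the results from the WordPress API call
+*
+* @uses file_exists()
+* @uses md5_file()
+* @uses ABSPATH
+*
+* @param array $checksums
+*
+* @return array
+*/
 static function parse_checksum_results( $checksums ) {
 $filepath = ABSPATH;
 $files = array();
@@ -90,16 +92,16 @@ class Health_Check_Files_Integrity {
 }
 
 /**
-* Generates the response
-*
-* @uses wp_send_json_success()
-* @uses wp_die()
-* @uses ABSPATH
-*
-* @param null|array $files
-*
-* @return void
-*/
+* Generates the response
+*
+* @uses wp_send_json_success()
+* @uses wp_die()
+* @uses ABSPATH
+*
+* @param null|array $files
+*
+* @return void
+*/
 static function create_the_response( $files ) {
 $filepath = ABSPATH;
 $output = '';
@@ -146,20 +148,20 @@ class Health_Check_Files_Integrity {
 }
 
 /**
-* Generates Diff view
-*
-* @uses get_bloginfo()
-* @uses wp_remote_get()
-* @uses wp_remote_retrieve_body()
-* @uses wp_send_json_success()
-* @uses wp_die()
-* @uses ABSPATH
-* @uses FILE_USE_INCLUDE_PATH
-* @uses wp_text_diff()
-*
-*
-* @return void
-*/
+* Generates Diff view
+*
+* @uses get_bloginfo()
+* @uses wp_remote_get()
+* @uses wp_remote_retrieve_body()
+* @uses wp_send_json_success()
+* @uses wp_die()
+* @uses ABSPATH
+* @uses FILE_USE_INCLUDE_PATH
+* @uses wp_text_diff()
+*
+*
+* @return void
+*/
 static function view_file_diff() {
 check_ajax_referer( 'health-check-view-file-diff' );
 
@@ -172,7 +174,18 @@ class Health_Check_Files_Integrity {
 $wpversion = get_bloginfo( 'version' );
 
 if ( 0 !== validate_file( $filepath . $file ) ) {
-wp_send_json_error();
+wp_send_json_error( array( 'message' => esc_html__( 'You do not have access to this file.' , 'health-check' ) ) );
+}
+
+$allowed_files = get_transient( 'health-check-checksums' );
+if ( false === $allowed_files ) {
+Health_Check_Files_Integrity::call_checksum_api();
+
+$allowed_files = get_transient( 'health-check-checksums' );
+}
+
+if ( ! isset( $allowed_files['checksums'][ $file ] ) ) {
+wp_send_json_error( array( 'message' => esc_html__( 'You do not have access to this file.' , 'health-check' ) ) );
 }
 
 $local_file_body = file_get_contents( $filepath . $file, FILE_USE_INCLUDE_PATH );
@@ -208,20 +221,20 @@ class Health_Check_Files_Integrity {
 ob_start();
 ?>
 
-<div>
-<p>
+<div>
+<p>
 <?php _e( 'The File Integrity checks all the core files with the <code>checksums</code> provided by the WordPress API to see if they are intact. If there are changes you will be able to make a Diff between the files hosted on WordPress.org and your installation to see what has been changed.', 'health-check' ); ?>
-</p>
-<form action="#" id="health-check-file-integrity" method="POST">
-<p>
-<input type="submit" class="button button-primary" value="<?php esc_html_e( 'Check the Files Integrity', 'health-check' ); ?>">
-</p>
-</form>
-
-<div id="tools-file-integrity-response-holder">
-<span class="spinner"></span>
-</div>
-</div>
+</p>
+<form action="#" id="health-check-file-integrity" method="POST">
+<p>
+<input type="submit" class="button button-primary" value="<?php esc_html_e( 'Check the Files Integrity', 'health-check' ); ?>">
+</p>
+</form>
+
+<div id="tools-file-integrity-response-holder">
+<span class="spinner"></span>
+</div>
+</div>
 
 <?php
 $tab_content = ob_get_clean();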
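Review bot: The allow-list consulted by the new `isset( $allowed_files['checksums'][ $file ] )` guard in the @@ -172,7 +174,18 @@ hunk is wider than the integrity check itself, because in the @@ -51,6 +51,8 @@ hunk `set_transient( 'health-check-checksums', $checksumapibody, 2 * HOUR_IN_SECONDS );` is placed before the `foreach` that strips the `wp-content/` entries, so those paths stay diff-able even though the changelog describes the lookup as limited to core files. If that loop only unsets entries (its body closes outside the hunk; I am inferring this from the `@uses unset()` tag), moving the `set_transient( ... )` call to just after the loop would make the cached list and the checker agree. The fallback that re-reads the transient after `Health_Check_Files_Integrity::call_checksum_api()` appears to fail closed when the remote request yields no usable body, which is the right direction, but the caller then receives the same 'You do not have access to this file.' text as a genuine denial, so a separate message for an unavailable checksum list would make that state diagnosable. Both new `wp_send_json_error()` calls carry a stray space before the comma in `'You do not have access to this file.' , 'health-check'`. The enclosing view_file_diff() starts and ends outside the hunk.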
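--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
 Tags: health check
 Contributors: wordpressdotorg, westi, pento, Clorith
 Requires at least: 4.0
-Tested up to: 5.0
-Stable tag: 1.2.5
+Tested up to: 5.1
+Stable tag: 1.2.6
 License: GPLv2
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -39,7 +39,10 @@ Are you unfamiliar with how to clear your cookies? No worries, you may also clos
 
 == Changelog ==
 
-= v1.2.5=
+= v1.2.6 =
+* Security: Harden the consistency checker, further limiting what files can be looked up to only include core files. Independently reported by Julien Legras of [Synacktiv](https://synacktiv.com) and Tim Coen of [Tim Coen IT Security & Development](https://security-consulting.icu/).
+
+= v1.2.5 =
 * Fix: Ensure the REST API status test runs as intended.
 * Fix: Remove warning on plugin screens when premium plugins are used.
 * Fix: Backup reminder would not remain dismissed in all scenarios after the recent update.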