IP Geo Block - Version 3.0.12.1

Version Description

  • Issue fix: Unexpected blocking cause by an extra slash at the end of $_SERVER['DOCUMENT_ROOT'] that might be added by server's configuration. (forum topic)
  • Issue fix: Human friendly error page now works properly. (forum topic)
  • Issue fix: Fix the conflict with WP hide & Security Enhancer. (forum topic)
  • Issue fix: Hotfix WordPress File Delete to Code Execution by RIPS Technologies.
Download this release

Release Info

Developer tokkonopapa
Plugin Icon 128x128 IP Geo Block
Version 3.0.12.1
Comparing to
See all releases

Code changes from version 3.0.12 to 3.0.12.1

README.txt CHANGED
@@ -3,8 +3,8 @@ Contributors: tokkonopapa
3
Donate link:
4
Tags: security, firewall, brute force, vulnerability, login, wp-admin, admin, ajax, xmlrpc, comment, pingback, trackback, spam, IP address, geo, geolocation, buddypress, bbPress
5
Requires at least: 3.7
6
- Tested up to: 4.9.5
7
- Stable tag: 3.0.12
8
License: GPLv3
9
License URI: https://www.gnu.org/licenses/gpl-3.0.txt
10
@@ -242,7 +242,7 @@ or following descriptions for your best setup.
242
243
= Does the site using this plugin comply with GDPR? =
244
245
- Using this plugin itself should not be the problem, because from version 3.0.11 IP addresses in logs and cache of this plugin are encrypted by default in preparation for personal data breach. It also not only provides a way to manually erase them but also has the functionality to remove them when those are exceeded a certain amount/time. The option "Privacy friendly" helps you to restrict sending the ip address to the 3rd parties such as geolocaiton APIs and whois service equipped in this plugin. However, these functions are part of the requirements that GDPR requires and do not guarantee that the site is compliant with GDPR. Refer to [3.0.11 release note](http://www.ipgeoblock.com/changelog/release-3.0.11.html) for details.
246
247
= Does this plugin support multisite? =
248
@@ -382,6 +382,12 @@ Please refer to "[How can I fix permission troubles?](http://www.ipgeoblock.com/
382
383
== Changelog ==
384
385
= 3.0.12 =
386
* **Improvement:** Enhance "Privacy and record settings" where "Expiration time [sec] for Logs" can be specified.
387
* **Improvement:** Add "Export cache" in "Statistics in IP address cache" on "Statistics" tab.
3
Donate link:
4
Tags: security, firewall, brute force, vulnerability, login, wp-admin, admin, ajax, xmlrpc, comment, pingback, trackback, spam, IP address, geo, geolocation, buddypress, bbPress
5
Requires at least: 3.7
6
+ Tested up to: 4.9.6
7
+ Stable tag: 3.0.12.1
8
License: GPLv3
9
License URI: https://www.gnu.org/licenses/gpl-3.0.txt
10
242
243
= Does the site using this plugin comply with GDPR? =
244
245
+ Using this plugin itself should not be the problem, because from version 3.0.11 IP addresses in logs and cache of this plugin are encrypted by default in preparation for personal data breach. It also not only provides a way to manually erase them but also has the functionality to remove them when those are exceeded a certain amount/time. The option "Privacy friendly" helps you to restrict sending the ip address to the 3rd parties such as geolocation APIs and whois service equipped in this plugin. However, these functions are part of the requirements that GDPR requires and do not guarantee that the site is compliant with GDPR. Refer to [3.0.11 release note](http://www.ipgeoblock.com/changelog/release-3.0.11.html) for details.
246
247
= Does this plugin support multisite? =
248
382
383
== Changelog ==
384
385
+ = 3.0.12.1 =
386
+ * **Issue fix:** Unexpected blocking cause by an extra slash at the end of `$_SERVER['DOCUMENT_ROOT']` that might be added by server's configuration. ([forum topic](https://wordpress.org/support/topic/wpwebinar/ "Topic: WPWebinar | WordPress.org"))
387
+ * **Issue fix:** [Human friendly error page](http://www.ipgeoblock.com/codex/customizing-the-response.html#human-friendly-error-page) now works properly. ([forum topic](https://wordpress.org/support/topic/problem-with-permalinks-51/ "Topic: Problem with Permalinks | WordPress.org"))
388
+ * **Issue fix:** Fix the conflict with WP hide & Security Enhancer. ([forum topic](https://wordpress.org/support/topic/problem-with-permalinks-51/ "Topic: Problem with Permalinks | WordPress.org"))
389
+ * **Issue fix:** Hotfix [WordPress File Delete to Code Execution](https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/ "WARNING: WordPress File Delete to Code Execution") by RIPS Technologies.
390
+
391
= 3.0.12 =
392
* **Improvement:** Enhance "Privacy and record settings" where "Expiration time [sec] for Logs" can be specified.
393
* **Improvement:** Add "Export cache" in "Statistics in IP address cache" on "Statistics" tab.
admin/class-ip-geo-block-admin.php CHANGED
@@ -104,7 +104,21 @@ class IP_Geo_Block_Admin {
104
*
105
*/
106
public function add_redirect_nonce( $location, $status ) {
107
- return IP_Geo_Block_Util::rebuild_nonce( $location, FALSE === strpos( $location, wp_login_url() ) );
108
}
109
110
/**
@@ -714,7 +728,7 @@ endif;
714
</h2>
715
<p class="ip-geo-block-navi-link">[ <a id="ip-geo-block-toggle-sections" href="#!"><?php _e( 'Toggle all', 'ip-geo-block' ); ?></a> ]
716
<?php if ( 4 === $tab ) { /* Logs tab */ ?>
717
- <input id="ip-geo-block-live-update" type="checkbox"<?php checked( isset( $cookie[4][1] ) && 'o' === $cookie[4][1] ); disabled( extension_loaded( 'pdo_sqlite' ), FALSE ); ?> /><label for="ip-geo-block-live-update">
718
<dfn title="<?php _e( 'Independent of &#8220;Statistics and Logs settings&#8221;, you can see all the requests validated by this plugin in almost real time.', 'ip-geo-block' ); ?>"><?php _e( 'Live update', 'ip-geo-block' ); ?></dfn>
719
</label>
720
<?php } elseif (5 === $tab ) { /* Site List tab */ ?>
104
*
105
*/
106
public function add_redirect_nonce( $location, $status ) {
107
+ $status = TRUE; // default is `retrieve` a nonce
108
+ $urls = array( wp_login_url() );
109
+
110
+ // avoid multiple redirection caused by WP hide 1.4.9.1
111
+ if ( is_plugin_active( 'wp-hide-security-enhancer/wp-hide.php' ) )
112
+ $urls[] = 'options-permalink.php';
113
+
114
+ foreach ( $urls as $url ) {
115
+ if ( FALSE !== strpos( $location, $url ) ) {
116
+ $status = FALSE; // do not `retieve` a nonce
117
+ break;
118
+ }
119
+ }
120
+
121
+ return IP_Geo_Block_Util::rebuild_nonce( $location, $status );
122
}
123
124
/**
728
</h2>
729
<p class="ip-geo-block-navi-link">[ <a id="ip-geo-block-toggle-sections" href="#!"><?php _e( 'Toggle all', 'ip-geo-block' ); ?></a> ]
730
<?php if ( 4 === $tab ) { /* Logs tab */ ?>
731
+ <input id="ip-geo-block-live-update" type="checkbox"<?php checked( isset( $cookie[4][1] ) && 'o' === $cookie[4][1] ); disabled( $settings['validation']['reclogs'] && extension_loaded( 'pdo_sqlite' ), FALSE ); ?> /><label for="ip-geo-block-live-update">
732
<dfn title="<?php _e( 'Independent of &#8220;Statistics and Logs settings&#8221;, you can see all the requests validated by this plugin in almost real time.', 'ip-geo-block' ); ?>"><?php _e( 'Live update', 'ip-geo-block' ); ?></dfn>
733
</label>
734
<?php } elseif (5 === $tab ) { /* Site List tab */ ?>
classes/class-ip-geo-block-opts.php CHANGED
@@ -185,8 +185,8 @@ class IP_Geo_Block_Opts {
185
),
186
// since version 3.0.10
187
'behavior' => array(
188
- 'time' => 12, // More than 10 page view in 12 seconds
189
- 'view' => 10, // More than 10 page view in 12 seconds
190
),
191
);
192
185
),
186
// since version 3.0.10
187
'behavior' => array(
188
+ 'time' => 10, // More than 10 page view in 10 seconds
189
+ 'view' => 10, // More than 10 page view in 10 seconds
190
),
191
);
192
classes/class-ip-geo-block-util.php CHANGED
@@ -736,7 +736,6 @@ class IP_Geo_Block_Util {
736
private static function kses_no_null( $string ) {
737
$string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
738
$string = preg_replace( '/\\\\+0+/', '', $string );
739
-
740
return $string;
741
}
742
@@ -961,4 +960,41 @@ class IP_Geo_Block_Util {
961
);
962
}
963
964
}
736
private static function kses_no_null( $string ) {
737
$string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
738
$string = preg_replace( '/\\\\+0+/', '', $string );
739
return $string;
740
}
741
960
);
961
}
962
963
+ /**
964
+ * Load and show theme template
965
+ *
966
+ */
967
+ private static $theme_template = NULL;
968
+
969
+ public static function show_theme_template( $type, $settings ) {
970
+ if ( ( $action = current_filter() ) /* @since 2.5.0 - FALSE, `plugins_loaded` or `wp` */ && (
971
+ file_exists( get_stylesheet_directory() . '/' . $type . '.php' ) /* child theme */ ||
972
+ file_exists( get_template_directory() . '/' . $type . '.php' ) /* parent theme */ ) ) {
973
+ // keep type of theme template
974
+ self::$theme_template = $type;
975
+
976
+ if ( 'wp' === $action ) // action hook `wp` is too late to include the template file directly
977
+ add_filter( 'template_include', 'IP_Geo_Block_Util::load_theme_template', $settings['priority'] );
978
+ else
979
+ add_action( 'init', 'IP_Geo_Block_Util::load_theme_template', $settings['priority'] );
980
+
981
+ return TRUE;
982
+ } else {
983
+ return FALSE;
984
+ }
985
+ }
986
+
987
+ public static function load_theme_template( $template = FALSE ) {
988
+ global $wp_query;
989
+ $wp_query->set_404(); // for stylesheet
990
+ $wp_query->is_404 = ( 404 === self::$theme_template );
991
+ status_header( self::$theme_template ); // @since 2.0.0
992
+
993
+ if ( $template ) {
994
+ return locate_template( array( self::$theme_template . '.php' ) ); // @since 2.7.0 in wp-includes/template.php
995
+ } else {
996
+ @include locate_template( array( self::$theme_template . '.php' ) );
997
+ exit;
998
+ }
999
+ }
1000
}
classes/class-ip-geo-block.php CHANGED
@@ -15,7 +15,7 @@ class IP_Geo_Block {
15
* Unique identifier for this plugin.
16
*
17
*/
18
- const VERSION = '3.0.12';
19
const GEOAPI_NAME = 'ip-geo-api';
20
const PLUGIN_NAME = 'ip-geo-block';
21
const OPTION_NAME = 'ip_geo_block_settings';
@@ -153,6 +153,18 @@ class IP_Geo_Block {
153
// force to redirect on logout to remove nonce, embed a nonce into pages
154
add_filter( 'wp_redirect', array( $this, 'logout_redirect' ), 20, 2 ); // logout_redirect @4.2
155
add_filter( 'http_request_args', array( $this, 'request_nonce' ), $priority, 2 ); // @since 2.7.0
156
}
157
158
/**
@@ -408,13 +420,15 @@ class IP_Geo_Block {
408
409
// Show human readable page
410
elseif ( ! defined( 'DOING_AJAX' ) && ! defined( 'XMLRPC_REQUEST' ) ) {
411
- $hook = IP_Geo_Block_Util::is_user_logged_in() && 'admin' === $this->target_type;
412
- FALSE !== ( @include get_stylesheet_directory() .'/'.$code.'.php' ) or // child theme
413
- FALSE !== ( @include get_template_directory() .'/'.$code.'.php' ) or // parent theme
414
- wp_die( // get_dashboard_url() @since 3.1.0
415
- IP_Geo_Block_Util::kses( $mesg ) . ( $hook ? "\n<p><a rel='nofollow' href='" . esc_url( get_dashboard_url( IP_Geo_Block_Util::get_current_user_id() ) ) . "'>&laquo; " . __( 'Dashboard' ) . "</a></p>" : '' ),
416
- '', array( 'response' => $code, 'back_link' => ! $hook )
417
- );
418
}
419
exit;
420
}
@@ -591,9 +605,9 @@ class IP_Geo_Block {
591
592
// list of request for specific action or page to bypass WP-ZEP
593
$list = array_merge( apply_filters( self::PLUGIN_NAME . '-bypass-admins', array(), $settings ), array(
594
- // in wp-admin js/widget.js, includes/template.php, async-upload.php, PHP Compatibility Checker
595
- 'heartbeat', 'save-widget', 'wp-compression-test', 'upload-attachment', 'imgedit-preview', 'wpephpcompat_start_test',
596
- // bbPress, Anti-Malware Security and Brute-Force Firewall, jetpack page & action
597
'bp_avatar_upload', 'GOTMLS_logintime', 'jetpack', 'authorize', 'jetpack_modules', 'atd_settings', 'bulk-activate', 'bulk-deactivate',
598
) );
599
15
* Unique identifier for this plugin.
16
*
17
*/
18
+ const VERSION = '3.0.12.1';
19
const GEOAPI_NAME = 'ip-geo-api';
20
const PLUGIN_NAME = 'ip-geo-block';
21
const OPTION_NAME = 'ip_geo_block_settings';
153
// force to redirect on logout to remove nonce, embed a nonce into pages
154
add_filter( 'wp_redirect', array( $this, 'logout_redirect' ), 20, 2 ); // logout_redirect @4.2
155
add_filter( 'http_request_args', array( $this, 'request_nonce' ), $priority, 2 ); // @since 2.7.0
156
+
157
+ // Hotfix: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
158
+ add_filter( 'wp_update_attachment_metadata', array( $this, 'unlink_tempfix' ), $priority );
159
+ }
160
+
161
+ // Hotfix: WordPress File Delete to Code Execution
162
+ function unlink_tempfix( $data ) {
163
+ if( isset( $data['thumb'] ) ) {
164
+ $data['thumb'] = basename( $data['thumb'] );
165
+ }
166
+
167
+ return $data;
168
}
169
170
/**
420
421
// Show human readable page
422
elseif ( ! defined( 'DOING_AJAX' ) && ! defined( 'XMLRPC_REQUEST' ) ) {
423
+ if ( IP_Geo_Block_Util::show_theme_template( $code, $settings ) ) {
424
+ return; // continue to show at `init`
425
+ } else {
426
+ $hook = ( IP_Geo_Block_Util::is_user_logged_in() && 'admin' === $this->target_type );
427
+ wp_die( // get_dashboard_url() @since 3.1.0
428
+ IP_Geo_Block_Util::kses( $mesg ) . ( $hook ? "\n<p><a rel='nofollow' href='" . esc_url( get_dashboard_url( IP_Geo_Block_Util::get_current_user_id() ) ) . "'>&laquo; " . __( 'Dashboard' ) . "</a></p>" : '' ),
429
+ '', array( 'response' => $code, 'back_link' => ! $hook )
430
+ );
431
+ }
432
}
433
exit;
434
}
605
606
// list of request for specific action or page to bypass WP-ZEP
607
$list = array_merge( apply_filters( self::PLUGIN_NAME . '-bypass-admins', array(), $settings ), array(
608
+ // in wp-admin js/widget.js, includes/template.php, async-upload.php, plugins.php, PHP Compatibility Checker
609
+ 'heartbeat', 'save-widget', 'wp-compression-test', 'upload-attachment', 'deactivate', 'imgedit-preview', 'wpephpcompat_start_test',
610
+ // bbPress, Anti-Malware Security and Brute-Force Firewall, Jetpack page & action
611
'bp_avatar_upload', 'GOTMLS_logintime', 'jetpack', 'authorize', 'jetpack_modules', 'atd_settings', 'bulk-activate', 'bulk-deactivate',
612
) );
613
ip-geo-block.php CHANGED
@@ -13,7 +13,7 @@
13
* Plugin Name: IP Geo Block
14
* Plugin URI: http://wordpress.org/plugins/ip-geo-block/
15
* Description: It blocks any spams, login attempts and malicious access to the admin area posted from outside your nation, and also prevents zero-day exploit.
16
- * Version: 3.0.12
17
* Author: tokkonopapa
18
* Author URI: http://www.ipgeoblock.com/
19
* Text Domain: ip-geo-block
13
* Plugin Name: IP Geo Block
14
* Plugin URI: http://wordpress.org/plugins/ip-geo-block/
15
* Description: It blocks any spams, login attempts and malicious access to the admin area posted from outside your nation, and also prevents zero-day exploit.
16
+ * Version: 3.0.12.1
17
* Author: tokkonopapa
18
* Author URI: http://www.ipgeoblock.com/
19
* Text Domain: ip-geo-block
rewrite.php CHANGED
@@ -65,7 +65,7 @@ class IP_Geo_Block_Rewrite {
65
if ( ':' === substr( $path, 1, 1 ) )
66
$path = ucfirst( $path );
67
68
- return $path;
69
}
70
71
/**
@@ -126,16 +126,16 @@ class IP_Geo_Block_Rewrite {
126
// @example $path = "/etc/passwd\0.php"; is_file( $path ) === true (5.2.14), false (5.4.4)
127
$path = self::realpath( str_replace( "\0", '', $path ) );
128
129
// check path if under the document root
130
// This may be meaningless because the HTTP request is always inside the document root.
131
// The only possibility is a symbolic link pointed to outside of the document root.
132
if ( 0 !== strpos( $path, "$root/" ) )
133
self::abort( $context, $validate, $settings, file_exists( $path ) );
134
135
- // check default index
136
- if ( 0 === preg_match( "/\/([^\/]+)#x2F;", $path, $matches ) )
137
- $path .= 'index.php';
138
-
139
// check file extention
140
// if it fails, rewrite rule may be misconfigured
141
if ( FALSE === strripos( strtolower( $path ), '.php', -4 ) )
65
if ( ':' === substr( $path, 1, 1 ) )
66
$path = ucfirst( $path );
67
68
+ return rtrim( $path, '/\\' );
69
}
70
71
/**
126
// @example $path = "/etc/passwd\0.php"; is_file( $path ) === true (5.2.14), false (5.4.4)
127
$path = self::realpath( str_replace( "\0", '', $path ) );
128
129
+ // check default index
130
+ if ( FALSE === strripos( strtolower( $path ), '.php', -4 ) )
131
+ $path .= '/index.php';
132
+
133
// check path if under the document root
134
// This may be meaningless because the HTTP request is always inside the document root.
135
// The only possibility is a symbolic link pointed to outside of the document root.
136
if ( 0 !== strpos( $path, "$root/" ) )
137
self::abort( $context, $validate, $settings, file_exists( $path ) );
138
139
// check file extention
140
// if it fails, rewrite rule may be misconfigured
141
if ( FALSE === strripos( strtolower( $path ), '.php', -4 ) )