IP Geo Block - Version 3.0.12.1

Version Description

Issue fix: Unexpected blocking cause by an extra slash at the end of $_SERVER['DOCUMENT_ROOT'] that might be added by server's configuration. (forum topic)
Issue fix: Human friendly error page now works properly. (forum topic)
Issue fix: Fix the conflict with WP hide & Security Enhancer. (forum topic)
Issue fix: Hotfix WordPress File Delete to Code Execution by RIPS Technologies.

Release Info

Developer	tokkonopapa
Plugin	IP Geo Block
Version	3.0.12.1
Comparing to
See all releases

Code changes from version 3.0.12 to 3.0.12.1

Files changed (7) hide show

README.txt +9 -3
admin/class-ip-geo-block-admin.php +16 -2
classes/class-ip-geo-block-opts.php +2 -2
classes/class-ip-geo-block-util.php +37 -1
classes/class-ip-geo-block.php +25 -11
ip-geo-block.php +1 -1
rewrite.php +5 -5

README.txt CHANGED Viewed

	@@ -3,8 +3,8 @@ Contributors: tokkonopapa
3	Donate link:
4	Tags: security, firewall, brute force, vulnerability, login, wp-admin, admin, ajax, xmlrpc, comment, pingback, trackback, spam, IP address, geo, geolocation, buddypress, bbPress
5	Requires at least: 3.7
6	- Tested up to: 4.9.5
7	- Stable tag: 3.0.12
8	License: GPLv3
9	License URI: https://www.gnu.org/licenses/gpl-3.0.txt
10
	@@ -242,7 +242,7 @@ or following descriptions for your best setup.
242
243	= Does the site using this plugin comply with GDPR? =
244
245	- Using this plugin itself should not be the problem, because from version 3.0.11 IP addresses in logs and cache of this plugin are encrypted by default in preparation for personal data breach. It also not only provides a way to manually erase them but also has the functionality to remove them when those are exceeded a certain amount/time. The option "Privacy friendly" helps you to restrict sending the ip address to the 3rd parties such as ~~geolocaiton~~ APIs and whois service equipped in this plugin. However, these functions are part of the requirements that GDPR requires and do not guarantee that the site is compliant with GDPR. Refer to [3.0.11 release note](http://www.ipgeoblock.com/changelog/release-3.0.11.html) for details.
246
247	= Does this plugin support multisite? =
248
	@@ -382,6 +382,12 @@ Please refer to "[How can I fix permission troubles?](http://www.ipgeoblock.com/
382
383	== Changelog ==
384






385	= 3.0.12 =
386	* Improvement: Enhance "Privacy and record settings" where "Expiration time [sec] for Logs" can be specified.
387	* Improvement: Add "Export cache" in "Statistics in IP address cache" on "Statistics" tab.


3	Donate link:
4	Tags: security, firewall, brute force, vulnerability, login, wp-admin, admin, ajax, xmlrpc, comment, pingback, trackback, spam, IP address, geo, geolocation, buddypress, bbPress
5	Requires at least: 3.7
6	+ Tested up to: 4.9.6
7	+ Stable tag: 3.0.12.1
8	License: GPLv3
9	License URI: https://www.gnu.org/licenses/gpl-3.0.txt
10

242
243	= Does the site using this plugin comply with GDPR? =
244
245	+ Using this plugin itself should not be the problem, because from version 3.0.11 IP addresses in logs and cache of this plugin are encrypted by default in preparation for personal data breach. It also not only provides a way to manually erase them but also has the functionality to remove them when those are exceeded a certain amount/time. The option "Privacy friendly" helps you to restrict sending the ip address to the 3rd parties such as geolocation APIs and whois service equipped in this plugin. However, these functions are part of the requirements that GDPR requires and do not guarantee that the site is compliant with GDPR. Refer to [3.0.11 release note](http://www.ipgeoblock.com/changelog/release-3.0.11.html) for details.
246
247	= Does this plugin support multisite? =
248

382
383	== Changelog ==
384
385	+ = 3.0.12.1 =
386	+ * Issue fix: Unexpected blocking cause by an extra slash at the end of `$_SERVER['DOCUMENT_ROOT']` that might be added by server's configuration. ([forum topic](https://wordpress.org/support/topic/wpwebinar/ "Topic: WPWebinar \| WordPress.org"))
387	+ * Issue fix: [Human friendly error page](http://www.ipgeoblock.com/codex/customizing-the-response.html#human-friendly-error-page) now works properly. ([forum topic](https://wordpress.org/support/topic/problem-with-permalinks-51/ "Topic: Problem with Permalinks \| WordPress.org"))
388	+ * Issue fix: Fix the conflict with WP hide & Security Enhancer. ([forum topic](https://wordpress.org/support/topic/problem-with-permalinks-51/ "Topic: Problem with Permalinks \| WordPress.org"))
389	+ * Issue fix: Hotfix [WordPress File Delete to Code Execution](https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/ "WARNING: WordPress File Delete to Code Execution") by RIPS Technologies.
390	+
391	= 3.0.12 =
392	* Improvement: Enhance "Privacy and record settings" where "Expiration time [sec] for Logs" can be specified.
393	* Improvement: Add "Export cache" in "Statistics in IP address cache" on "Statistics" tab.

admin/class-ip-geo-block-admin.php CHANGED Viewed

	@@ -104,7 +104,21 @@ class IP_Geo_Block_Admin {
104	*
105	*/
106	public function add_redirect_nonce( $location, $status ) {
107	- ~~return~~ ~~IP_Geo_Block_Util::rebuild_nonce(~~ ~~$location,~~ ~~FALSE~~ ~~===~~ ~~strpos(~~ ~~$location,~~ ~~wp_login_url()~~ ~~) );~~














108	}
109
110	/**
	@@ -714,7 +728,7 @@ endif;
714	</h2>
715	<p class="ip-geo-block-navi-link">[ <a id="ip-geo-block-toggle-sections" href="#!"><?php _e( 'Toggle all', 'ip-geo-block' ); ?></a> ]
716	<?php if ( 4 === $tab ) { /* Logs tab */ ?>
717	- <input id="ip-geo-block-live-update" type="checkbox"<?php checked( isset( $cookie[4][1] ) && 'o' === $cookie[4][1] ); disabled( extension_loaded( 'pdo_sqlite' ), FALSE ); ?> /><label for="ip-geo-block-live-update">
718	<dfn title="<?php _e( 'Independent of “Statistics and Logs settings”, you can see all the requests validated by this plugin in almost real time.', 'ip-geo-block' ); ?>"><?php _e( 'Live update', 'ip-geo-block' ); ?></dfn>
719	</label>
720	<?php } elseif (5 === $tab ) { /* Site List tab */ ?>


104	*
105	*/
106	public function add_redirect_nonce( $location, $status ) {
107	+ $status = TRUE; // default is `retrieve` a nonce
108	+ $urls = array( wp_login_url() );
109	+
110	+ // avoid multiple redirection caused by WP hide 1.4.9.1
111	+ if ( is_plugin_active( 'wp-hide-security-enhancer/wp-hide.php' ) )
112	+ $urls[] = 'options-permalink.php';
113	+
114	+ foreach ( $urls as $url ) {
115	+ if ( FALSE !== strpos( $location, $url ) ) {
116	+ $status = FALSE; // do not `retieve` a nonce
117	+ break;
118	+ }
119	+ }
120	+
121	+ return IP_Geo_Block_Util::rebuild_nonce( $location, $status );
122	}
123
124	/**

728	</h2>
729	<p class="ip-geo-block-navi-link">[ <a id="ip-geo-block-toggle-sections" href="#!"><?php _e( 'Toggle all', 'ip-geo-block' ); ?></a> ]
730	<?php if ( 4 === $tab ) { /* Logs tab */ ?>
731	+ <input id="ip-geo-block-live-update" type="checkbox"<?php checked( isset( $cookie[4][1] ) && 'o' === $cookie[4][1] ); disabled( $settings['validation']['reclogs'] && extension_loaded( 'pdo_sqlite' ), FALSE ); ?> /><label for="ip-geo-block-live-update">
732	<dfn title="<?php _e( 'Independent of “Statistics and Logs settings”, you can see all the requests validated by this plugin in almost real time.', 'ip-geo-block' ); ?>"><?php _e( 'Live update', 'ip-geo-block' ); ?></dfn>
733	</label>
734	<?php } elseif (5 === $tab ) { /* Site List tab */ ?>

classes/class-ip-geo-block-opts.php CHANGED Viewed

	@@ -185,8 +185,8 @@ class IP_Geo_Block_Opts {
185	),
186	// since version 3.0.10
187	'behavior' => array(
188	- 'time' => 12, // More than 10 page view in 12 seconds
189	- 'view' => 10, // More than 10 page view in 12 seconds
190	),
191	);
192


185	),
186	// since version 3.0.10
187	'behavior' => array(
188	+ 'time' => 10, // More than 10 page view in 10 seconds
189	+ 'view' => 10, // More than 10 page view in 10 seconds
190	),
191	);
192

classes/class-ip-geo-block-util.php CHANGED Viewed

@@ -736,7 +736,6 @@ class IP_Geo_Block_Util {
             	private static function kses_no_null( $string ) {
             		$string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
             		$string = preg_replace( '/\\\\+0+/', '', $string );
-            -
             		return $string;
+            	}
@@ -961,4 +960,41 @@ class IP_Geo_Block_Util {
             		);
+            	}
+            }


736	private static function kses_no_null( $string ) {
737	$string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
738	$string = preg_replace( '/\\\\+0+/', '', $string );

739	return $string;
740	}
741

960	);
961	}
962
963	+ /**
964	+ * Load and show theme template
965	+ *
966	+ */
967	+ private static $theme_template = NULL;
968	+
969	+ public static function show_theme_template( $type, $settings ) {
970	+ if ( ( $action = current_filter() ) /* @since 2.5.0 - FALSE, `plugins_loaded` or `wp` */ && (
971	+ file_exists( get_stylesheet_directory() . '/' . $type . '.php' ) /* child theme */ \|\|
972	+ file_exists( get_template_directory() . '/' . $type . '.php' ) /* parent theme */ ) ) {
973	+ // keep type of theme template
974	+ self::$theme_template = $type;
975	+
976	+ if ( 'wp' === $action ) // action hook `wp` is too late to include the template file directly
977	+ add_filter( 'template_include', 'IP_Geo_Block_Util::load_theme_template', $settings['priority'] );
978	+ else
979	+ add_action( 'init', 'IP_Geo_Block_Util::load_theme_template', $settings['priority'] );
980	+
981	+ return TRUE;
982	+ } else {
983	+ return FALSE;
984	+ }
985	+ }
986	+
987	+ public static function load_theme_template( $template = FALSE ) {
988	+ global $wp_query;
989	+ $wp_query->set_404(); // for stylesheet
990	+ $wp_query->is_404 = ( 404 === self::$theme_template );
991	+ status_header( self::$theme_template ); // @since 2.0.0
992	+
993	+ if ( $template ) {
994	+ return locate_template( array( self::$theme_template . '.php' ) ); // @since 2.7.0 in wp-includes/template.php
995	+ } else {
996	+ @include locate_template( array( self::$theme_template . '.php' ) );
997	+ exit;
998	+ }
999	+ }
1000	}

classes/class-ip-geo-block.php CHANGED Viewed

	@@ -15,7 +15,7 @@ class IP_Geo_Block {
15	* Unique identifier for this plugin.
16	*
17	*/
18	- const VERSION = '3.0.12';
19	const GEOAPI_NAME = 'ip-geo-api';
20	const PLUGIN_NAME = 'ip-geo-block';
21	const OPTION_NAME = 'ip_geo_block_settings';
	@@ -153,6 +153,18 @@ class IP_Geo_Block {
153	// force to redirect on logout to remove nonce, embed a nonce into pages
154	add_filter( 'wp_redirect', array( $this, 'logout_redirect' ), 20, 2 ); // logout_redirect @4.2
155	add_filter( 'http_request_args', array( $this, 'request_nonce' ), $priority, 2 ); // @since 2.7.0












156	}
157
158	/**
	@@ -408,13 +420,15 @@ class IP_Geo_Block {
408
409	// Show human readable page
410	elseif ( ! defined( 'DOING_AJAX' ) && ! defined( 'XMLRPC_REQUEST' ) ) {
411	- ~~$hook~~ = IP_Geo_Block_Util::~~is_user_logged_in~~() && ~~'admin'~~ ~~===~~ ~~$this->target_type;~~
412	- ~~FALSE~~ ~~!==~~ ( ~~@include~~ ~~get_stylesheet_directory()~~ ~~.'/'.$code.'.php'~~ ~~) or // child theme~~
413	- ~~FALSE~~ ~~!==~~ ~~( @include get_template_directory() .'/'.$code.'.php' ) or // parent theme~~
414	- ~~wp_die(~~ // ~~get_dashboard_url~~() ~~@since~~ ~~3.1.0~~
415	- ~~IP_Geo_Block_Util::kses~~( ~~$mesg~~ ~~) . ( $hook ? "\n<p><a rel='nofollow' href='" . esc_url(~~ get_dashboard_url( ~~IP_Geo_Block_Util::get_current_user_id(~~) ) ) . ~~"'>« "~~ . ~~__( 'Dashboard' ) . "</a></p>" : '' ),~~
416	- '', ~~array~~( '~~response'~~ => ~~$code,~~ '~~back_link~~' => ! ~~$hook~~ )
417	- );


418	}
419	exit;
420	}
	@@ -591,9 +605,9 @@ class IP_Geo_Block {
591
592	// list of request for specific action or page to bypass WP-ZEP
593	$list = array_merge( apply_filters( self::PLUGIN_NAME . '-bypass-admins', array(), $settings ), array(
594	- // in wp-admin js/widget.js, includes/template.php, async-upload.php, PHP Compatibility Checker
595	- 'heartbeat', 'save-widget', 'wp-compression-test', 'upload-attachment', 'imgedit-preview', 'wpephpcompat_start_test',
596	- // bbPress, Anti-Malware Security and Brute-Force Firewall, ~~jetpack~~ page & action
597	'bp_avatar_upload', 'GOTMLS_logintime', 'jetpack', 'authorize', 'jetpack_modules', 'atd_settings', 'bulk-activate', 'bulk-deactivate',
598	) );
599


15	* Unique identifier for this plugin.
16	*
17	*/
18	+ const VERSION = '3.0.12.1';
19	const GEOAPI_NAME = 'ip-geo-api';
20	const PLUGIN_NAME = 'ip-geo-block';
21	const OPTION_NAME = 'ip_geo_block_settings';

153	// force to redirect on logout to remove nonce, embed a nonce into pages
154	add_filter( 'wp_redirect', array( $this, 'logout_redirect' ), 20, 2 ); // logout_redirect @4.2
155	add_filter( 'http_request_args', array( $this, 'request_nonce' ), $priority, 2 ); // @since 2.7.0
156	+
157	+ // Hotfix: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
158	+ add_filter( 'wp_update_attachment_metadata', array( $this, 'unlink_tempfix' ), $priority );
159	+ }
160	+
161	+ // Hotfix: WordPress File Delete to Code Execution
162	+ function unlink_tempfix( $data ) {
163	+ if( isset( $data['thumb'] ) ) {
164	+ $data['thumb'] = basename( $data['thumb'] );
165	+ }
166	+
167	+ return $data;
168	}
169
170	/**

420
421	// Show human readable page
422	elseif ( ! defined( 'DOING_AJAX' ) && ! defined( 'XMLRPC_REQUEST' ) ) {
423	+ if ( IP_Geo_Block_Util::show_theme_template( $code, $settings ) ) {
424	+ return; // continue to show at `init`
425	+ } else {
426	+ $hook = ( IP_Geo_Block_Util::is_user_logged_in() && 'admin' === $this->target_type );
427	+ wp_die( // get_dashboard_url() @since 3.1.0
428	+ IP_Geo_Block_Util::kses( $mesg ) . ( $hook ? "\n<p><a rel='nofollow' href='" . esc_url( get_dashboard_url( IP_Geo_Block_Util::get_current_user_id() ) ) . "'>« " . __( 'Dashboard' ) . "</a></p>" : '' ),
429	+ '', array( 'response' => $code, 'back_link' => ! $hook )
430	+ );
431	+ }
432	}
433	exit;
434	}

605
606	// list of request for specific action or page to bypass WP-ZEP
607	$list = array_merge( apply_filters( self::PLUGIN_NAME . '-bypass-admins', array(), $settings ), array(
608	+ // in wp-admin js/widget.js, includes/template.php, async-upload.php, plugins.php, PHP Compatibility Checker
609	+ 'heartbeat', 'save-widget', 'wp-compression-test', 'upload-attachment', 'deactivate', 'imgedit-preview', 'wpephpcompat_start_test',
610	+ // bbPress, Anti-Malware Security and Brute-Force Firewall, Jetpack page & action
611	'bp_avatar_upload', 'GOTMLS_logintime', 'jetpack', 'authorize', 'jetpack_modules', 'atd_settings', 'bulk-activate', 'bulk-deactivate',
612	) );
613

ip-geo-block.php CHANGED Viewed

	@@ -13,7 +13,7 @@
13	* Plugin Name: IP Geo Block
14	* Plugin URI: http://wordpress.org/plugins/ip-geo-block/
15	* Description: It blocks any spams, login attempts and malicious access to the admin area posted from outside your nation, and also prevents zero-day exploit.
16	- * Version: 3.0.12
17	* Author: tokkonopapa
18	* Author URI: http://www.ipgeoblock.com/
19	* Text Domain: ip-geo-block


13	* Plugin Name: IP Geo Block
14	* Plugin URI: http://wordpress.org/plugins/ip-geo-block/
15	* Description: It blocks any spams, login attempts and malicious access to the admin area posted from outside your nation, and also prevents zero-day exploit.
16	+ * Version: 3.0.12.1
17	* Author: tokkonopapa
18	* Author URI: http://www.ipgeoblock.com/
19	* Text Domain: ip-geo-block

rewrite.php CHANGED Viewed

	@@ -65,7 +65,7 @@ class IP_Geo_Block_Rewrite {
65	if ( ':' === substr( $path, 1, 1 ) )
66	$path = ucfirst( $path );
67
68	- return $path;
69	}
70
71	/**
	@@ -126,16 +126,16 @@ class IP_Geo_Block_Rewrite {
126	// @example $path = "/etc/passwd\0.php"; is_file( $path ) === true (5.2.14), false (5.4.4)
127	$path = self::realpath( str_replace( "\0", '', $path ) );
128




129	// check path if under the document root
130	// This may be meaningless because the HTTP request is always inside the document root.
131	// The only possibility is a symbolic link pointed to outside of the document root.
132	if ( 0 !== strpos( $path, "$root/" ) )
133	self::abort( $context, $validate, $settings, file_exists( $path ) );
134
135	- // check default index
136	- if ( 0 === preg_match( "/\/([^\/]+)$/", $path, $matches ) )
137	- $path .= 'index.php';
138	-
139	// check file extention
140	// if it fails, rewrite rule may be misconfigured
141	if ( FALSE === strripos( strtolower( $path ), '.php', -4 ) )


65	if ( ':' === substr( $path, 1, 1 ) )
66	$path = ucfirst( $path );
67
68	+ return rtrim( $path, '/\\' );
69	}
70
71	/**

126	// @example $path = "/etc/passwd\0.php"; is_file( $path ) === true (5.2.14), false (5.4.4)
127	$path = self::realpath( str_replace( "\0", '', $path ) );
128
129	+ // check default index
130	+ if ( FALSE === strripos( strtolower( $path ), '.php', -4 ) )
131	+ $path .= '/index.php';
132	+
133	// check path if under the document root
134	// This may be meaningless because the HTTP request is always inside the document root.
135	// The only possibility is a symbolic link pointed to outside of the document root.
136	if ( 0 !== strpos( $path, "$root/" ) )
137	self::abort( $context, $validate, $settings, file_exists( $path ) );
138




139	// check file extention
140	// if it fails, rewrite rule may be misconfigured
141	if ( FALSE === strripos( strtolower( $path ), '.php', -4 ) )