Restricted Site Access - Version 7.3.2

Version Description

Drops support for versions of WordPress prior to 5.7. Drops support for versions of PHP prior to 7.4.

Download this release

Release Info

Developer 10up
Version 7.3.2

Code changes from version 7.3.1 to 7.3.2

Files changed (2)
  1. readme.txt +64 -10
  2. restricted_site_access.php +90 -14
readme.txt CHANGED
@@ -2,10 +2,10 @@
2
  Contributors: 10up, jakemgold, rcbth, thinkoomph, tlovett1, jeffpaul, nomnom99
3
  Donate link: https://10up.com/plugins/restricted-site-access-wordpress/
4
  Tags: privacy, restricted, restrict, privacy, limited, permissions, security, block
5
- Requires at least: 5.0
6
  Tested up to: 6.0
7
- Stable tag: 7.3.1
8
- Requires PHP: 5.6
9
  License: GPLv2 or later
10
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
11
 
@@ -64,6 +64,51 @@ Visitors that are not logged in or allowed by IP address will not be able to bro
64
 
65
  Restricted Site Access is not meant to be a top secret data safe, but simply a reliable and convenient way to handle unwanted visitors.
66
 
67
  = I received a warning about page caching. What does it mean? =
68
 
69
  Page caching plugins often hook into WordPress to quickly serve the last cached output of a page before we can check to see if a visitor’s access should be restricted. Not all page caching plugins behave the same way, but several solutions - including external solutions we might not detect - can cause restricted pages to be publicly served regardless of your settings.
@@ -153,6 +198,13 @@ Please note that setting `RSA_FORCE_RESTRICTION` will override `RSA_FORBID_RESTR
153
 
154
  == Changelog ==
155
 
156
  = 7.3.1 - 2022-06-30 =
157
  * **Added:** PHP8 compatibility check GitHub Action (props [@Sidsector9](https://github.com/Sidsector9), [dkotter](https://github.com/dkotter)).
158
  * **Added:** Dependency security scanning GitHub Action (props [@jeffpaul](https://github.com/jeffpaul)).
@@ -315,13 +367,9 @@ __Note: There is currently an edge case bug affecting IP whitelisting. This bug
315
 
316
  == Upgrade Notice ==
317
 
318
- = 5.1 =
319
- Drops support for versions of WordPress prior to 3.5.
320
-
321
- = 4.0 =
322
- This update improves performance, refines the user interface, and adds support for showing restricted visitors a specific page. Please be advised that this udpate is specifically designed for WordPress 3.2+, and like WordPress 3.2, <strong>no longer supports PHP < 5.2.4</strong>.
323
-
324
- == Upgrade Notice ==
325
 
326
  = 6.2.1 =
327
  IMPORTANT MULTISITE FUNCTIONALITY CHANGE: User access is now checked against their role on a given site in multisite. To restore previous behavior, use the new restricted_site_access_user_can_access filter.
@@ -331,3 +379,9 @@ IMPORTANT MULTISITE FUNCTIONALITY CHANGE: User access is now checked against the
331
 
332
  = 6.1.0 =
333
  * Important: version 6.1 improves testing visitors for allowed IP addresses ("Unrestricted IP addresses"). We recommend testing IP based restrictions after updating.
2
  Contributors: 10up, jakemgold, rcbth, thinkoomph, tlovett1, jeffpaul, nomnom99
3
  Donate link: https://10up.com/plugins/restricted-site-access-wordpress/
4
  Tags: privacy, restricted, restrict, privacy, limited, permissions, security, block
5
+ Requires at least: 5.7
6
  Tested up to: 6.0
7
+ Stable tag: 7.3.2
8
+ Requires PHP: 7.4
9
  License: GPLv2 or later
10
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
11
 
64
 
65
  Restricted Site Access is not meant to be a top secret data safe, but simply a reliable and convenient way to handle unwanted visitors.
66
 
67
+ In 7.3.2, two new filters have been added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. By default, these filters will not change existing behavior. It is recommended to review these filters and utilize them appropriately for your site to secure things further.
68
+
69
+ If your site is not running behind a proxy, we recommend doing the following:
70
+
71
+ `
72
+ add_filter( 'rsa_trusted_headers', '__return_empty_array' );
73
+ `
74
+
75
+ This will then only use the `REMOTE_ADDR` HTTP header to determine the IP address of the visitor. This header can't be spoofed, so this will increase security.
76
+
77
+ If your site is running behind a proxy (like a CDN), you can't rely on the `REMOTE_ADDR` HTTP header, as this will contain the IP address of the proxy, not the user. If your proxy uses static IP addresses, we recommend using the `rsa_trusted_proxies` filter to set those trusted IP addresses:
78
+
79
+ `
80
+ add_filter( 'rsa_trusted_proxies', 'my_rsa_trusted_proxies' );
81
+
82
+ function my_rsa_trusted_proxies( $trusted_proxies = array() ) {
83
+ // Set one or more trusted proxy IP addresses.
84
+ $proxy_ips = array(
85
+ '10.0.0.0/24',
86
+ '10.0.0.0/32',
87
+ );
88
+ $trusted_proxies = array_merge( $trusted_proxies, $proxy_ips );
89
+
90
+ return array_unique( $trusted_proxies );
91
+ }
92
+ `
93
+
94
+ And then use the `rsa_trusted_headers` filter to set which HTTP headers you want to trust. Consult with your proxy provider to determine which header(s) they use to hold the original client IP:
95
+
96
+ `
97
+ add_filter( 'rsa_trusted_headers', 'my_rsa_trusted_headers' );
98
+
99
+ function my_rsa_trusted_headers( $trusted_headers = array() ) {
100
+ // Set one or more trusted HTTP headers.
101
+ $headers = array(
102
+ 'HTTP_X_FORWARDED',
103
+ 'HTTP_FORWARDED',
104
+ );
105
+
106
+ return $headers;
107
+ }
108
+ `
109
+
110
+ If your proxy does not use static IP addresses, you can still utilize the `rsa_trusted_headers` filter to change which HTTP headers you want to trust.
111
+
112
  = I received a warning about page caching. What does it mean? =
113
 
114
  Page caching plugins often hook into WordPress to quickly serve the last cached output of a page before we can check to see if a visitor’s access should be restricted. Not all page caching plugins behave the same way, but several solutions - including external solutions we might not detect - can cause restricted pages to be publicly served regardless of your settings.
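Review bot: In the `rsa_trusted_proxies` example (readme lines 84-87), `'10.0.0.0/32'` is already contained in `'10.0.0.0/24'`, so the second entry adds nothing; a distinct address (a second proxy host or range) would illustrate a multi-entry list better. Two wording points in the same section: `REMOTE_ADDR` is a server variable populated by the web server from the TCP peer address, not an HTTP header, which is precisely why the client cannot set it, so "the `REMOTE_ADDR` server variable" at lines 75 and 77 would be more accurate; and `my_rsa_trusted_headers` discards the incoming `$trusted_headers` argument while `my_rsa_trusted_proxies` merges with its argument, so it is worth stating that replacing the default header list is intentional in the headers example.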
198
 
199
  == Changelog ==
200
 
201
+ = 7.3.2 - 2022-08-29 =
202
+ * **Added:** New filter - `rsa_get_client_ip_address_filter_flags` to modify the range of accepted IP addresses.
203
+ * **Changed:** Avoid disjointed plugin settings (props [@helen](https://github.com/helen), [@peterwilsoncc](https://github.com/peterwilsoncc), [@Sidsector9](https://github.com/Sidsector9)).
204
+ * **Changed:** Bump minimum WordPress version from 5.0 to 5.7 (props [@vikrampm1](https://github.com/vikrampm1), [@Sidsector9](https://github.com/Sidsector9), [@faisal-alvi](https://github.com/faisal-alvi)).
205
+ * **Changed:** Bump minimum PHP version from 5.6 to 7.4 (props [@vikrampm1](https://github.com/vikrampm1), [@Sidsector9](https://github.com/Sidsector9), [@faisal-alvi](https://github.com/faisal-alvi)).
206
+ * **Security:** New filters - `rsa_trusted_proxies` and `rsa_trusted_headers` have been added to help prevent IP spoofing attacks.
207
+
208
  = 7.3.1 - 2022-06-30 =
209
  * **Added:** PHP8 compatibility check GitHub Action (props [@Sidsector9](https://github.com/Sidsector9), [dkotter](https://github.com/dkotter)).
210
  * **Added:** Dependency security scanning GitHub Action (props [@jeffpaul](https://github.com/jeffpaul)).
367
 
368
  == Upgrade Notice ==
369
 
370
+ = 7.3.2 =
371
+ Drops support for versions of WordPress prior to 5.7.
372
+ Drops support for versions of PHP prior to 7.4.
373
 
374
  = 6.2.1 =
375
  IMPORTANT MULTISITE FUNCTIONALITY CHANGE: User access is now checked against their role on a given site in multisite. To restore previous behavior, use the new restricted_site_access_user_can_access filter.
379
 
380
  = 6.1.0 =
381
  * Important: version 6.1 improves testing visitors for allowed IP addresses ("Unrestricted IP addresses"). We recommend testing IP based restrictions after updating.
382
+
383
+ = 5.1 =
384
+ Drops support for versions of WordPress prior to 3.5.
385
+
386
+ = 4.0 =
387
+ This update improves performance, refines the user interface, and adds support for showing restricted visitors a specific page. Please be advised that this udpate is specifically designed for WordPress 3.2+, and like WordPress 3.2, <strong>no longer supports PHP < 5.2.4</strong>.
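Review bot: The 4.0 upgrade notice moved in this hunk (line 387) still carries the pre-existing typo "udpate"; since the line is being rewritten anyway, fix it to "update" while it is touched.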
restricted_site_access.php CHANGED
@@ -3,9 +3,9 @@
3
  * Plugin Name: Restricted Site Access
4
  * Plugin URI: https://10up.com/plugins/restricted-site-access-wordpress/
5
  * Description: <strong>Limit access your site</strong> to visitors who are logged in or accessing the site from a set of specific IP addresses. Send restricted visitors to the log in page, redirect them, or display a message or page. <strong>Powerful control over redirection</strong>, including <strong>SEO friendly redirect headers</strong>. Great solution for Extranets, publicly hosted Intranets, or parallel development sites.
6
- * Version: 7.3.1
7
- * Requires at least: 5.0
8
- * Requires PHP: 5.6
9
  * Author: Jake Goldman, 10up, Oomph
10
  * Author URI: https://10up.com
11
  * License: GPL v2 or later
@@ -13,7 +13,7 @@
13
  * Text Domain: restricted-site-access
14
  */
15
 
16
- define( 'RSA_VERSION', '7.3.1' );
17
 
18
  /**
19
  * Class responsible for all plugin funcitonality.
@@ -372,7 +372,7 @@ class Restricted_Site_Access {
372
 
373
  // iterate through the allow list.
374
  foreach ( $allowed_ips as $line ) {
375
- if ( self::ip_in_range( $remote_ip, $line ) ) {
376
 
377
  /**
378
  * Fires when an ip address match occurs.
@@ -542,7 +542,7 @@ class Restricted_Site_Access {
542
 
543
  // settings for restricted site access.
544
  register_setting( self::$settings_page, 'rsa_options', array( __CLASS__, 'sanitize_options' ) ); // array of fundamental options including ID and caching info.
545
- add_settings_section( 'restricted-site-access', '', '__return_empty_string', self::$settings_page );
546
 
547
  // Limit when additional settings fields show up.
548
  if (
@@ -955,7 +955,7 @@ class Restricted_Site_Access {
955
  $screen->add_help_tab(
956
  array(
957
  'id' => 'restricted-site-access',
958
- 'title' => esc_html_x( 'Restricted Site Acccess', 'help screen title', 'restricted-site-access' ),
959
  'content' => implode( PHP_EOL, $content ),
960
  )
961
  );
@@ -1529,8 +1529,51 @@ class Restricted_Site_Access {
1529
  * @return string
1530
  */
1531
  public static function get_client_ip_address() {
1532
- $ip = '';
1533
- $headers = array(
1534
  'HTTP_CF_CONNECTING_IP',
1535
  'HTTP_CLIENT_IP',
1536
  'HTTP_X_FORWARDED_FOR',
@@ -1538,21 +1581,54 @@ class Restricted_Site_Access {
1538
  'HTTP_X_CLUSTER_CLIENT_IP',
1539
  'HTTP_FORWARDED_FOR',
1540
  'HTTP_FORWARDED',
1541
- 'REMOTE_ADDR',
1542
  );
1543
- foreach ( $headers as $key ) {
1544
 
1545
- if ( ! isset( $_SERVER[ $key ] ) ) {
1546
  continue;
1547
  }
1548
 
1549
  foreach ( explode(
1550
  ',',
1551
- sanitize_text_field( wp_unslash( $_SERVER[ $key ] ) )
1552
  ) as $ip ) {
1553
  $ip = trim( $ip ); // just to be safe.
1554
 
1555
- if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) !== false ) {
1556
  return $ip;
1557
  }
1558
  }
3
  * Plugin Name: Restricted Site Access
4
  * Plugin URI: https://10up.com/plugins/restricted-site-access-wordpress/
5
  * Description: <strong>Limit access your site</strong> to visitors who are logged in or accessing the site from a set of specific IP addresses. Send restricted visitors to the log in page, redirect them, or display a message or page. <strong>Powerful control over redirection</strong>, including <strong>SEO friendly redirect headers</strong>. Great solution for Extranets, publicly hosted Intranets, or parallel development sites.
6
+ * Version: 7.3.2
7
+ * Requires at least: 5.7
8
+ * Requires PHP: 7.4
9
  * Author: Jake Goldman, 10up, Oomph
10
  * Author URI: https://10up.com
11
  * License: GPL v2 or later
13
  * Text Domain: restricted-site-access
14
  */
15
 
16
+ define( 'RSA_VERSION', '7.3.2' );
17
 
18
  /**
19
  * Class responsible for all plugin funcitonality.
372
 
373
  // iterate through the allow list.
374
  foreach ( $allowed_ips as $line ) {
375
+ if ( $remote_ip && self::ip_in_range( $remote_ip, $line ) ) {
376
 
377
  /**
378
  * Fires when an ip address match occurs.
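Review bot: The new `$remote_ip &&` guard at line 375 is the right fail-closed complement to `get_client_ip_address()` now returning `''` when `REMOTE_ADDR` is missing or is not a trusted proxy, but a one-line comment there saying that an empty address must never match an allow-list entry would save the next reader a trip into `ip_in_range()` to confirm how it treats an empty string.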
542
 
543
  // settings for restricted site access.
544
  register_setting( self::$settings_page, 'rsa_options', array( __CLASS__, 'sanitize_options' ) ); // array of fundamental options including ID and caching info.
545
+ add_settings_section( 'restricted-site-access', __( 'Restricted Site Access', 'restricted-site-access' ), '__return_empty_string', self::$settings_page );
546
 
547
  // Limit when additional settings fields show up.
548
  if (
955
  $screen->add_help_tab(
956
  array(
957
  'id' => 'restricted-site-access',
958
+ 'title' => esc_html_x( 'Restricted Site Access', 'help screen title', 'restricted-site-access' ),
959
  'content' => implode( PHP_EOL, $content ),
960
  )
961
  );
1529
  * @return string
1530
  */
1531
  public static function get_client_ip_address() {
1532
+ // REMOTE_ADDR IP address.
1533
+ $remote_addr_header_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : false;
1534
+
1535
+ // Return if REMOTE_ADDR is not set.
1536
+ if ( empty( $remote_addr_header_ip ) ) {
1537
+ return '';
1538
+ }
1539
+
1540
+ /**
1541
+ * Filter hook to set array of trusted proxies.
1542
+ *
1543
+ * Some reverse proxies (like AWS Elastic Load Balancing) don't have
1544
+ * a static IP address or even a range that you can target with the CIDR notation.
1545
+ * In this case, you'll need to - very carefully - trust all proxies by setting
1546
+ * $trusted_proxies to an empty array - (default behaviour).
1547
+ *
1548
+ * In case your reverse proxy uses static IP addresses, then you can add those
1549
+ * addresses to the $trusted_proxies array.
1550
+ *
1551
+ * @param string[] $trusted_proxies The IP addresses of the proxy we want to trust.
1552
+ */
1553
+ $trusted_proxies = apply_filters( 'rsa_trusted_proxies', array() );
1554
+
1555
+ if ( ! empty( $trusted_proxies ) ) {
1556
+ foreach ( $trusted_proxies as $trusted_proxy ) {
1557
+ // If REMOTE_ADDR is found in our trusted proxy, get IP from headers.
1558
+ if ( self::ip_in_range( $remote_addr_header_ip, $trusted_proxy ) ) {
1559
+ return self::get_ip_from_headers();
1560
+ }
1561
+ }
1562
+
1563
+ return '';
1564
+ } else {
1565
+ return self::get_ip_from_headers();
1566
+ }
1567
+ }
1568
+
1569
+ /**
1570
+ * Returns the first matched IP from the list of array of headers.
1571
+ *
1572
+ * @return string
1573
+ */
1574
+ public static function get_ip_from_headers() {
1575
+ $ip = '';
1576
+ $trusted_headers = array(
1577
  'HTTP_CF_CONNECTING_IP',
1578
  'HTTP_CLIENT_IP',
1579
  'HTTP_X_FORWARDED_FOR',
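Review bot: When `rsa_trusted_proxies` is non-empty and `REMOTE_ADDR` is not in it (lines 1555-1563), the function returns `''` and discards the address of a visitor who connected directly rather than through the proxy, so such a visitor can never match the allow list even though `REMOTE_ADDR` is exactly the value to trust for a direct connection. Consider returning the validated `REMOTE_ADDR` value in that branch (the same `filter_var()` check `get_ip_from_headers()` applies) instead of `''`, or document the fail-closed choice in the filter docblock. The docblock at lines 1543-1546 also describes the empty-array default as trusting all proxies; stating there that this keeps pre-7.3.2 behaviour, where every header in the list is honoured whoever set it, would make clear why the readme recommends configuring `rsa_trusted_headers`.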
1581
  'HTTP_X_CLUSTER_CLIENT_IP',
1582
  'HTTP_FORWARDED_FOR',
1583
  'HTTP_FORWARDED',
1584
  );
1585
 
1586
+ /**
1587
+ * Filter hook to set array of trusted IP address headers.
1588
+ *
1589
+ * Most CDN providers will set the IP address of the client in a number
1590
+ * of headers. This allows the plugin to detect the IP address of the client
1591
+ * even if it is behind a proxy.
1592
+ *
1593
+ * Use this hook to modify the permitted proxy headers. For sites without a
1594
+ * CDN (or local proxy) it is recommended to add a filter to this hook to
1595
+ * return an empty array.
1596
+ *
1597
+ * add_filter( 'rsa_trusted_headers', '__return_empty_array' );
1598
+ *
1599
+ * By default, the following headers are trusted:
1600
+ * - HTTP_CF_CONNECTING_IP
1601
+ * - HTTP_CLIENT_IP
1602
+ * - HTTP_X_FORWARDED_FOR
1603
+ * - HTTP_X_FORWARDED
1604
+ * - HTTP_X_CLUSTER_CLIENT_IP
1605
+ * - HTTP_FORWARDED_FOR
1606
+ * - HTTP_FORWARDED
1607
+ *
1608
+ * To allow for CDNs, these headers take priority over the REMOTE_ADDR value.
1609
+ *
1610
+ * @param string[] $trusted_proxies Array of trusted IP Address headers.
1611
+ */
1612
+ $trusted_headers = apply_filters( 'rsa_trusted_headers', $trusted_headers );
1613
+
1614
+ // Add the REMOTE_ADDR value to the end of the array.
1615
+ $trusted_headers[] = 'REMOTE_ADDR';
1616
+
1617
+ foreach ( array_unique( $trusted_headers ) as $header ) {
1618
+ if ( ! isset( $_SERVER[ $header ] ) ) {
1619
  continue;
1620
  }
1621
 
1622
  foreach ( explode(
1623
  ',',
1624
+ sanitize_text_field( wp_unslash( $_SERVER[ $header ] ) )
1625
  ) as $ip ) {
1626
  $ip = trim( $ip ); // just to be safe.
1627
 
1628
+ /** Hook to filter IP flags. */
1629
+ $filter_flags = apply_filters( 'rsa_get_client_ip_address_filter_flags', FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
1630
+
1631
+ if ( filter_var( $ip, FILTER_VALIDATE_IP, $filter_flags ) !== false ) {
1632
  return $ip;
1633
  }
1634
  }
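Review bot: The `@param` tag at line 1610 names `$trusted_proxies`, but the value being filtered is `$trusted_headers`; rename it. Two further points in this hunk: `apply_filters( 'rsa_get_client_ip_address_filter_flags', ... )` at line 1629 runs inside the inner loop, once per candidate address, and should be hoisted above the `foreach` over `$trusted_headers` since its result does not depend on the loop; and the `explode( ',', ... )` loop returns the first valid address in a comma-separated header value, whereas in an `X-Forwarded-For` chain the entry appended by the trusted proxy is the last one, so returning the last valid address (or the entry immediately before the trusted proxy's own) is the more defensible choice for that header when `rsa_trusted_proxies` is set.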