Version Description
Download this release
Release Info
Developer | xknown |
Plugin | VaultPress |
Version | 1.3.7 |
Comparing to | |
See all releases |
Version 1.3.7
- class.vaultpress-database.php +140 -0
- class.vaultpress-filesystem.php +217 -0
- class.vaultpress-hotfixes.php +837 -0
- class.vaultpress-ixr-ssl-client.php +132 -0
- cron-tasks.php +152 -0
- readme.txt +53 -0
- vaultpress.php +1912 -0
- vp-scanner.php +139 -0
class.vaultpress-database.php
ADDED
@@ -0,0 +1,140 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<?php
|
2 |
+
|
3 |
+
class VaultPress_Database {
|
4 |
+
|
5 |
+
var $table = null;
|
6 |
+
var $pks = null;
|
7 |
+
|
8 |
+
function VaultPress_Database() {
|
9 |
+
$this->__construct();
|
10 |
+
}
|
11 |
+
|
12 |
+
function __construct() {
|
13 |
+
}
|
14 |
+
|
15 |
+
function attach( $table ) {
|
16 |
+
$this->table=$table;
|
17 |
+
}
|
18 |
+
|
19 |
+
function get_tables( $filter=null ) {
|
20 |
+
global $wpdb;
|
21 |
+
$rval = $wpdb->get_col( 'SHOW TABLES' );
|
22 |
+
if ( $filter )
|
23 |
+
$rval = preg_grep( $filter, $rval );
|
24 |
+
return $rval;
|
25 |
+
}
|
26 |
+
|
27 |
+
function show_create() {
|
28 |
+
global $wpdb;
|
29 |
+
if ( !$this->table )
|
30 |
+
return false;
|
31 |
+
$table = $wpdb->escape( $this->table );
|
32 |
+
$results = $wpdb->get_row( "SHOW CREATE TABLE `$table`" );
|
33 |
+
$want = 'Create Table';
|
34 |
+
if ( $results )
|
35 |
+
$results = $results->$want;
|
36 |
+
return $results;
|
37 |
+
}
|
38 |
+
|
39 |
+
function explain() {
|
40 |
+
global $wpdb;
|
41 |
+
if ( !$this->table )
|
42 |
+
return false;
|
43 |
+
$table = $wpdb->escape( $this->table );
|
44 |
+
return $wpdb->get_results( "EXPLAIN `$table`" );
|
45 |
+
}
|
46 |
+
|
47 |
+
function diff( $signatures ) {
|
48 |
+
global $wpdb;
|
49 |
+
if ( !is_array( $signatures ) || !count( $signatures ) )
|
50 |
+
return false;
|
51 |
+
if ( !$this->table )
|
52 |
+
return false;
|
53 |
+
$table = $wpdb->escape( $this->table );
|
54 |
+
$diff = array();
|
55 |
+
foreach ( $signatures as $where => $signature ) {
|
56 |
+
$pksig = md5( $where );
|
57 |
+
unset( $wpdb->queries );
|
58 |
+
$row = $wpdb->get_row( "SELECT * FROM `$table` WHERE $where" );
|
59 |
+
if ( !$row ) {
|
60 |
+
$diff[$pksig] = array ( 'change' => 'deleted', 'where' => $where );
|
61 |
+
continue;
|
62 |
+
}
|
63 |
+
$row = serialize( $row );
|
64 |
+
$hash = md5( $row );
|
65 |
+
if ( $hash != $signature )
|
66 |
+
$diff[$pksig] = array( 'change' => 'modified', 'where' => $where, 'signature' => $hash, 'row' => $row );
|
67 |
+
}
|
68 |
+
return $diff;
|
69 |
+
}
|
70 |
+
|
71 |
+
function count( $columns ) {
|
72 |
+
global $wpdb;
|
73 |
+
if ( !is_array( $columns ) || !count( $columns ) )
|
74 |
+
return false;
|
75 |
+
if ( !$this->table )
|
76 |
+
return false;
|
77 |
+
$table = $wpdb->escape( $this->table );
|
78 |
+
$column = $wpdb->escape( array_shift( $columns ) );
|
79 |
+
return $wpdb->get_var( "SELECT COUNT( $column ) FROM `$table`" );
|
80 |
+
}
|
81 |
+
|
82 |
+
function wpdb( $query, $function='get_results' ) {
|
83 |
+
global $wpdb;
|
84 |
+
|
85 |
+
if ( !is_callable( array( $wpdb, $function ) ) )
|
86 |
+
return false;
|
87 |
+
|
88 |
+
$res = $wpdb->$function( $query );
|
89 |
+
if ( !$res )
|
90 |
+
return $res;
|
91 |
+
switch ( $function ) {
|
92 |
+
case 'get_results':
|
93 |
+
foreach ( $res as $idx => $row ) {
|
94 |
+
if ( isset( $row->option_name ) && $row->option_name == 'cron' )
|
95 |
+
$res[$idx]->option_value = serialize( array() );
|
96 |
+
}
|
97 |
+
break;
|
98 |
+
case 'get_row':
|
99 |
+
if ( isset( $res->option_name ) && $res->option_name == 'cron' )
|
100 |
+
$res->option_value = serialize( array() );
|
101 |
+
break;
|
102 |
+
}
|
103 |
+
return $res;
|
104 |
+
}
|
105 |
+
|
106 |
+
function get_cols( $columns, $limit=false, $offset=false, $where=false ) {
|
107 |
+
global $wpdb;
|
108 |
+
if ( !is_array( $columns ) || !count( $columns ) )
|
109 |
+
return false;
|
110 |
+
if ( !$this->table )
|
111 |
+
return false;
|
112 |
+
$table = $wpdb->escape( $this->table );
|
113 |
+
$limitsql = '';
|
114 |
+
$offsetsql = '';
|
115 |
+
$wheresql = '';
|
116 |
+
if ( $limit )
|
117 |
+
$limitsql = ' LIMIT ' . intval( $limit );
|
118 |
+
if ( $offset )
|
119 |
+
$offsetsql = ' OFFSET ' . intval( $offset );
|
120 |
+
if ( $where )
|
121 |
+
$wheresql = ' WHERE ' . base64_decode($where);
|
122 |
+
$rval = array();
|
123 |
+
foreach ( $wpdb->get_results( "SELECT * FROM `$this->table` $wheresql $limitsql $offsetsql" ) as $row ) {
|
124 |
+
// We don't need to actually record a real cron option value, just an empty array
|
125 |
+
if ( isset( $row->option_name ) && $row->option_name == 'cron' )
|
126 |
+
$row->option_value = serialize( array() );
|
127 |
+
$keys = array();
|
128 |
+
$vals = array();
|
129 |
+
foreach ( get_object_vars( $row ) as $i => $v ) {
|
130 |
+
$keys[] = sprintf( "`%s`", $wpdb->escape( $i ) );
|
131 |
+
$vals[] = sprintf( "'%s'", $wpdb->escape( $v ) );
|
132 |
+
if ( !in_array( $i, $columns ) )
|
133 |
+
unset( $row->$i );
|
134 |
+
}
|
135 |
+
$row->hash = md5( sprintf( "(%s) VALUES(%s)", implode( ',',$keys ), implode( ',',$vals ) ) );
|
136 |
+
$rval[]=$row;
|
137 |
+
}
|
138 |
+
return $rval;
|
139 |
+
}
|
140 |
+
}
|
class.vaultpress-filesystem.php
ADDED
@@ -0,0 +1,217 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<?php
|
2 |
+
|
3 |
+
class VaultPress_Filesystem {
|
4 |
+
|
5 |
+
var $type = null;
|
6 |
+
var $dir = null;
|
7 |
+
var $keys = array( 'ino', 'uid', 'gid', 'size', 'mtime', 'blksize', 'blocks' );
|
8 |
+
|
9 |
+
function VaultPress_Filesystem() {
|
10 |
+
$this->__construct();
|
11 |
+
}
|
12 |
+
|
13 |
+
function __construct() {
|
14 |
+
}
|
15 |
+
|
16 |
+
function want( $type ) {
|
17 |
+
$vp = VaultPress::init();
|
18 |
+
|
19 |
+
if ( $type == 'plugins' ) {
|
20 |
+
$this->dir = realpath( $vp->resolve_content_dir() . 'plugins' );
|
21 |
+
$this->type = 'p';
|
22 |
+
return true;
|
23 |
+
}
|
24 |
+
if ( $type == 'themes' ) {
|
25 |
+
$this->dir = realpath( $vp->resolve_content_dir() . 'themes' );
|
26 |
+
$this->type = 't';
|
27 |
+
return true;
|
28 |
+
}
|
29 |
+
if ( $type == 'uploads' ) {
|
30 |
+
$this->dir = realpath( $vp->resolve_upload_path() );
|
31 |
+
$this->type = 'u';
|
32 |
+
return true;
|
33 |
+
}
|
34 |
+
if ( $type == 'content' ) {
|
35 |
+
$this->dir = realpath( $vp->resolve_content_dir() );
|
36 |
+
$this->type = 'c';
|
37 |
+
return true;
|
38 |
+
}
|
39 |
+
if ( $type == 'root' ) {
|
40 |
+
$this->dir = realpath( ABSPATH );
|
41 |
+
$this->type = 'r';
|
42 |
+
return true;
|
43 |
+
}
|
44 |
+
die( 'naughty naughty' );
|
45 |
+
}
|
46 |
+
|
47 |
+
function fdump( $file ) {
|
48 |
+
header("Content-Type: application/octet-stream;");
|
49 |
+
header("Content-Transfer-Encoding: binary");
|
50 |
+
@ob_end_clean();
|
51 |
+
if ( !file_exists( $file ) || !is_readable( $file ) )
|
52 |
+
die( "no such file" );
|
53 |
+
if ( !is_file( $file ) && !is_link( $file ) )
|
54 |
+
die( "can only dump files" );
|
55 |
+
$fp = @fopen( $file, 'rb' );
|
56 |
+
if ( !$fp )
|
57 |
+
die( "could not open file" );
|
58 |
+
while ( !feof( $fp ) )
|
59 |
+
echo @fread( $fp, 8192 );
|
60 |
+
@fclose( $fp );
|
61 |
+
die();
|
62 |
+
}
|
63 |
+
|
64 |
+
function stat( $file, $md5=true, $sha1=true ) {
|
65 |
+
$rval = array();
|
66 |
+
foreach ( stat( $file ) as $i => $v ) {
|
67 |
+
if ( is_numeric( $i ) )
|
68 |
+
continue;
|
69 |
+
$rval[$i] = $v;
|
70 |
+
}
|
71 |
+
$rval['type'] = filetype( $file );
|
72 |
+
if ( $rval['type'] == 'file' ) {
|
73 |
+
if ( $md5 )
|
74 |
+
$rval['md5'] = md5_file( $file );
|
75 |
+
if ( $sha1 )
|
76 |
+
$rval['sha1'] = sha1_file( $file );
|
77 |
+
}
|
78 |
+
$rval['path'] = str_replace( $this->dir, '', $file );
|
79 |
+
return $rval;
|
80 |
+
}
|
81 |
+
|
82 |
+
function ls( $what, $md5=false, $sha1=false, $limit=null, $offset=null ) {
|
83 |
+
clearstatcache();
|
84 |
+
$path = realpath($this->dir . $what);
|
85 |
+
if ( is_file($path) )
|
86 |
+
return $this->stat( $path, $md5, $sha1 );
|
87 |
+
if ( is_dir($path) ) {
|
88 |
+
$entries = array();
|
89 |
+
$current = 0;
|
90 |
+
$offset = (int)$offset;
|
91 |
+
$orig_limit = (int)$limit;
|
92 |
+
$limit = $offset + (int)$limit;
|
93 |
+
foreach ( (array)$this->scan_dir( $path ) as $i ) {
|
94 |
+
$current++;
|
95 |
+
if ( $offset >= $current )
|
96 |
+
continue;
|
97 |
+
if ( $limit && $limit < $current )
|
98 |
+
break;
|
99 |
+
|
100 |
+
// don't sha1 files over 100MB if we are batching due to memory consumption
|
101 |
+
if ( $sha1 && $orig_limit > 1 && is_file( $i ) && (int)@filesize( $i ) > 104857600 )
|
102 |
+
$sha1 = false;
|
103 |
+
|
104 |
+
$entries[] = $this->stat( $i, $md5, $sha1 );
|
105 |
+
}
|
106 |
+
return $entries;
|
107 |
+
}
|
108 |
+
}
|
109 |
+
|
110 |
+
function validate( $file ) {
|
111 |
+
$rpath = realpath( $this->dir.$file );
|
112 |
+
if ( !$rpath )
|
113 |
+
die( serialize( array( 'type' => 'null', 'path' => $file ) ) );
|
114 |
+
if ( is_dir( $rpath ) )
|
115 |
+
$rpath = "$rpath/";
|
116 |
+
if ( strpos( $rpath, $this->dir ) !== 0 )
|
117 |
+
return false;
|
118 |
+
return true;
|
119 |
+
}
|
120 |
+
|
121 |
+
function dir_examine( $subdir='', $recursive=true, $origin=false ) {
|
122 |
+
$res = array();
|
123 |
+
if ( !$subdir )
|
124 |
+
$subdir='/';
|
125 |
+
$dir = $this->dir . $subdir;
|
126 |
+
if ( $origin === false )
|
127 |
+
$origin = $this->dir . $subdir;
|
128 |
+
if ( is_file($dir) ) {
|
129 |
+
if ( $origin == $dir )
|
130 |
+
$name = str_replace( $this->dir, '/', $subdir );
|
131 |
+
else
|
132 |
+
$name = str_replace( $origin, '/', $dir );
|
133 |
+
$res[$name] = $this->stat( $dir.$entry );
|
134 |
+
return $res;
|
135 |
+
}
|
136 |
+
$d = dir( $dir );
|
137 |
+
if ( !$d )
|
138 |
+
return $res;
|
139 |
+
while ( false !== ( $entry = $d->read() ) ) {
|
140 |
+
$rpath = realpath( $dir.$entry );
|
141 |
+
$bname = basename( $rpath );
|
142 |
+
if ( is_link( $dir.$entry ) )
|
143 |
+
continue;
|
144 |
+
if ( $entry == '.' || $entry == '..' || $entry == '...' )
|
145 |
+
continue;
|
146 |
+
if ( !$this->validate( $subdir.$entry ) )
|
147 |
+
continue;
|
148 |
+
$name = str_replace( $origin, '/', $dir.$entry );
|
149 |
+
$res[$name] = $this->stat( $dir.$entry );
|
150 |
+
if ( $recursive && is_dir( $this->dir.$subdir.'/'.$entry ) ) {
|
151 |
+
$res = array_merge( $res, $this->dir_examine( $subdir.$entry.'/', $recursive, $origin ) );
|
152 |
+
}
|
153 |
+
}
|
154 |
+
return $res;
|
155 |
+
}
|
156 |
+
|
157 |
+
function dir_checksum( $base, &$list, $recursive=true ) {
|
158 |
+
if ( $list == null )
|
159 |
+
$list = array();
|
160 |
+
|
161 |
+
if ( 0 !== strpos( $base, $this->dir ) )
|
162 |
+
$base = $this->dir . rtrim( $base, '/' );
|
163 |
+
|
164 |
+
$shortbase = substr( $base, strlen( $this->dir ) );
|
165 |
+
if ( !$shortbase )
|
166 |
+
$shortbase = '/';
|
167 |
+
$stat = stat( $base );
|
168 |
+
$directories = array();
|
169 |
+
$files = (array)$this->scan_dir( $base );
|
170 |
+
array_push( $files, $base );
|
171 |
+
foreach ( $files as $file ) {
|
172 |
+
if ( $file !== $base && @is_dir( $file ) ) {
|
173 |
+
$directories[] = $file;
|
174 |
+
continue;
|
175 |
+
}
|
176 |
+
$stat = @stat( $file );
|
177 |
+
if ( !$stat )
|
178 |
+
continue;
|
179 |
+
$shortstat = array();
|
180 |
+
foreach( $this->keys as $key ) {
|
181 |
+
if ( isset( $stat[$key] ) )
|
182 |
+
$shortstat[$key] = $stat[$key];
|
183 |
+
}
|
184 |
+
$list[$shortbase][basename( $file )] = $shortstat;
|
185 |
+
}
|
186 |
+
$list[$shortbase] = md5( serialize( $list[$shortbase] ) );
|
187 |
+
if ( !$recursive )
|
188 |
+
return $list;
|
189 |
+
foreach ( $directories as $dir ) {
|
190 |
+
$this->dir_checksum( $dir, $list, $recursive );
|
191 |
+
}
|
192 |
+
return $list;
|
193 |
+
}
|
194 |
+
|
195 |
+
function scan_dir( $path ) {
|
196 |
+
$files = array();
|
197 |
+
|
198 |
+
if ( false === is_readable( $path ) ) {
|
199 |
+
return array();
|
200 |
+
}
|
201 |
+
|
202 |
+
$dh = opendir( $path );
|
203 |
+
|
204 |
+
if ( false === $dh ) {
|
205 |
+
return array();
|
206 |
+
}
|
207 |
+
|
208 |
+
while ( false !== ( $file = readdir( $dh ) ) ) {
|
209 |
+
if ( $file == '.' || $file == '..' ) continue;
|
210 |
+
$files[] = "$path/$file";
|
211 |
+
}
|
212 |
+
|
213 |
+
closedir( $dh );
|
214 |
+
sort( $files );
|
215 |
+
return $files;
|
216 |
+
}
|
217 |
+
}
|
class.vaultpress-hotfixes.php
ADDED
@@ -0,0 +1,837 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<?php
|
2 |
+
|
3 |
+
class VaultPress_Hotfixes {
|
4 |
+
function VaultPress_Hotfixes() {
|
5 |
+
$this->__construct();
|
6 |
+
}
|
7 |
+
|
8 |
+
function __construct() {
|
9 |
+
global $wp_version;
|
10 |
+
|
11 |
+
if ( version_compare( $wp_version, '3.0.2', '<' ) )
|
12 |
+
add_filter( 'query', array( $this, 'r16625' ) );
|
13 |
+
|
14 |
+
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST && version_compare( $wp_version, '3.0.3', '<' ) )
|
15 |
+
add_action( 'xmlrpc_call', array( $this, 'r16803' ) );
|
16 |
+
|
17 |
+
if ( version_compare( $wp_version, '3.3.2', '<' ) ) {
|
18 |
+
add_filter( 'pre_kses', array( $this, 'r17172_wp_kses' ), 1, 3 );
|
19 |
+
add_filter( 'clean_url', array( $this, 'r17172_esc_url' ), 1, 3 );
|
20 |
+
}
|
21 |
+
|
22 |
+
if ( version_compare( $wp_version, '3.1.3', '<' ) ) {
|
23 |
+
add_filter( 'sanitize_file_name', array( $this, 'r17990' ) );
|
24 |
+
|
25 |
+
if ( !empty( $_POST ) )
|
26 |
+
$this->r17994( $_POST );
|
27 |
+
// Protect add_meta, update_meta used by the XML-RPC API
|
28 |
+
add_filter( 'wp_xmlrpc_server_class', create_function( '$class', 'return \'VaultPress_XMLRPC_Server_r17994\';' ) );
|
29 |
+
|
30 |
+
// clean post_mime_type and guid (r17994)
|
31 |
+
add_filter( 'pre_post_mime_type', array( $this, 'r17994_sanitize_mime_type' ) );
|
32 |
+
add_filter( 'post_mime_type', array( $this, 'r17994_sanitize_mime_type' ) );
|
33 |
+
add_filter( 'pre_post_guid', 'esc_url_raw' );
|
34 |
+
add_filter( 'post_guid', 'esc_url' );
|
35 |
+
}
|
36 |
+
|
37 |
+
if ( version_compare( $wp_version, '3.1.4', '<' ) ) {
|
38 |
+
add_filter( 'wp_insert_post_data', array( $this, 'r18368' ), 1, 2 );
|
39 |
+
|
40 |
+
// Add click jacking protection
|
41 |
+
// login_init does not exist before 17826.
|
42 |
+
$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
|
43 |
+
add_action( 'login_form_' . $action, array( $this, 'r17826_send_frame_options_header' ), 10, 0 );
|
44 |
+
add_action( 'admin_init', array( $this, 'r17826_send_frame_options_header' ), 10, 0 );
|
45 |
+
|
46 |
+
add_filter( 'sanitize_option_WPLANG', array( $this, 'r18346_sanitize_lang_on_save' ) );
|
47 |
+
add_filter( 'sanitize_option_new_admin_email', array( $this, 'r18346_sanitize_admin_email_on_save' ) );
|
48 |
+
}
|
49 |
+
add_filter( 'option_new_admin_email', array( $this, 'r18346_sanitize_admin_email' ) );
|
50 |
+
|
51 |
+
if ( version_compare( $wp_version, '3.3.2', '<' ) ) {
|
52 |
+
remove_filter( 'comment_text', 'make_clickable' );
|
53 |
+
add_filter( 'comment_text', array( $this, 'r20493_make_clickable' ), 9 );
|
54 |
+
|
55 |
+
add_filter( 'comment_post_redirect', array( $this, 'r20486_comment_post_redirect' ) );
|
56 |
+
}
|
57 |
+
|
58 |
+
// WooThemes < 3.8.3, foxypress, asset-manager, wordpress-member-private-conversation.
|
59 |
+
$end_execution = false;
|
60 |
+
if ( isset( $_SERVER['SCRIPT_FILENAME'] ) )
|
61 |
+
foreach ( array( 'preview-shortcode-external.php', 'uploadify.php', 'doupload.php', 'cef-upload.php', 'upload.php' ) as $vulnerable_script )
|
62 |
+
if ( $vulnerable_script == basename( $_SERVER['SCRIPT_FILENAME'] ) ) {
|
63 |
+
switch( $vulnerable_script ) {
|
64 |
+
case 'upload.php':
|
65 |
+
$pma_config_file = realpath( dirname( $_SERVER['SCRIPT_FILENAME'] ) . DIRECTORY_SEPARATOR . 'paam-config-ajax.php' );
|
66 |
+
if ( !in_array( $pma_config_file, get_included_files() ) )
|
67 |
+
break;
|
68 |
+
default:
|
69 |
+
$end_execution = true;
|
70 |
+
break 2;
|
71 |
+
}
|
72 |
+
}
|
73 |
+
if ( $end_execution )
|
74 |
+
die( 'Disabled for security reasons' );
|
75 |
+
|
76 |
+
if ( version_compare( $wp_version, '3.3.2', '>') && version_compare( $wp_version, '3.4.1', '<' ) ) {
|
77 |
+
add_filter( 'map_meta_cap', array( $this, 'r21138_xmlrpc_edit_posts' ), 10, 4 );
|
78 |
+
add_action( 'map_meta_cap', array( $this, 'r21152_unfiltered_html' ), 10, 4 );
|
79 |
+
}
|
80 |
+
|
81 |
+
// https://core.trac.wordpress.org/changeset/21083
|
82 |
+
if ( version_compare( $wp_version, '3.3', '>=') && version_compare( $wp_version, '3.3.3', '<' ) )
|
83 |
+
add_filter( 'editable_slug', 'esc_textarea' );
|
84 |
+
|
85 |
+
add_filter( 'get_pagenum_link', array( $this, 'get_pagenum_link' ) );
|
86 |
+
}
|
87 |
+
|
88 |
+
function r21138_xmlrpc_edit_posts( $caps, $cap, $user_id, $args ) {
|
89 |
+
if ( ! isset( $args[0] ) || isset( $args[1] ) && $args[1] === 'hotfixed' )
|
90 |
+
return $caps;
|
91 |
+
foreach ( get_post_types( array(), 'objects' ) as $post_type_object ) {
|
92 |
+
if ( $cap === $post_type_object->cap->edit_posts )
|
93 |
+
return map_meta_cap( $post_type_object->cap->edit_post, $user_id, $args[0], 'hotfixed' );
|
94 |
+
}
|
95 |
+
return $caps;
|
96 |
+
}
|
97 |
+
|
98 |
+
function r21152_unfiltered_html( $caps, $cap, $user_id, $args ) {
|
99 |
+
if ( $cap !== 'unfiltered_html' )
|
100 |
+
return $caps;
|
101 |
+
if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML )
|
102 |
+
return $caps;
|
103 |
+
$key = array_search( 'do_not_allow', $caps );
|
104 |
+
if ( false !== $key )
|
105 |
+
return $caps;
|
106 |
+
if ( is_multisite() && ! is_super_admin( $user_id ) )
|
107 |
+
$caps[$key] = 'do_not_allow';
|
108 |
+
return $caps;
|
109 |
+
}
|
110 |
+
|
111 |
+
function get_pagenum_link( $url ) {
|
112 |
+
return esc_url_raw( $url );
|
113 |
+
}
|
114 |
+
|
115 |
+
function r20486_comment_post_redirect( $location ) {
|
116 |
+
$location = wp_sanitize_redirect( $location );
|
117 |
+
$location = wp_validate_redirect( $location, admin_url() );
|
118 |
+
|
119 |
+
return $location;
|
120 |
+
}
|
121 |
+
|
122 |
+
function r20493_make_clickable( $text ) {
|
123 |
+
$r = '';
|
124 |
+
$textarr = preg_split( '/(<[^<>]+>)/', $text, -1, PREG_SPLIT_DELIM_CAPTURE ); // split out HTML tags
|
125 |
+
foreach ( $textarr as $piece ) {
|
126 |
+
if ( empty( $piece ) || ( $piece[0] == '<' && ! preg_match('|^<\s*[\w]{1,20}+://|', $piece) ) ) {
|
127 |
+
$r .= $piece;
|
128 |
+
continue;
|
129 |
+
}
|
130 |
+
|
131 |
+
// Long strings might contain expensive edge cases ...
|
132 |
+
if ( 10000 < strlen( $piece ) ) {
|
133 |
+
// ... break it up
|
134 |
+
foreach ( $this->r20493_split_str_by_whitespace( $piece, 2100 ) as $chunk ) { // 2100: Extra room for scheme and leading and trailing paretheses
|
135 |
+
if ( 2101 < strlen( $chunk ) ) {
|
136 |
+
$r .= $chunk; // Too big, no whitespace: bail.
|
137 |
+
} else {
|
138 |
+
$r .= $this->r20493_make_clickable( $chunk );
|
139 |
+
}
|
140 |
+
}
|
141 |
+
} else {
|
142 |
+
$ret = " $piece "; // Pad with whitespace to simplify the regexes
|
143 |
+
|
144 |
+
$url_clickable = '~
|
145 |
+
([\\s(<.,;:!?]) # 1: Leading whitespace, or punctuation
|
146 |
+
( # 2: URL
|
147 |
+
[\\w]{1,20}+:// # Scheme and hier-part prefix
|
148 |
+
(?=\S{1,2000}\s) # Limit to URLs less than about 2000 characters long
|
149 |
+
[\\w\\x80-\\xff#%\\~/@\\[\\]*(+=&$-]*+ # Non-punctuation URL character
|
150 |
+
(?: # Unroll the Loop: Only allow puctuation URL character if followed by a non-punctuation URL character
|
151 |
+
[\'.,;:!?)] # Punctuation URL character
|
152 |
+
[\\w\\x80-\\xff#%\\~/@\\[\\]*(+=&$-]++ # Non-punctuation URL character
|
153 |
+
)*
|
154 |
+
)
|
155 |
+
(\)?) # 3: Trailing closing parenthesis (for parethesis balancing post processing)
|
156 |
+
~xS'; // The regex is a non-anchored pattern and does not have a single fixed starting character.
|
157 |
+
// Tell PCRE to spend more time optimizing since, when used on a page load, it will probably be used several times.
|
158 |
+
|
159 |
+
$ret = preg_replace_callback( $url_clickable, array( $this, 'r20493_make_url_clickable_cb') , $ret );
|
160 |
+
|
161 |
+
$ret = preg_replace_callback( '#([\s>])((www|ftp)\.[\w\\x80-\\xff\#$%&~/.\-;:=,?@\[\]+]+)#is', '_make_web_ftp_clickable_cb', $ret );
|
162 |
+
$ret = preg_replace_callback( '#([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})#i', '_make_email_clickable_cb', $ret );
|
163 |
+
|
164 |
+
$ret = substr( $ret, 1, -1 ); // Remove our whitespace padding.
|
165 |
+
$r .= $ret;
|
166 |
+
}
|
167 |
+
}
|
168 |
+
|
169 |
+
// Cleanup of accidental links within links
|
170 |
+
$r = preg_replace( '#(<a( [^>]+?>|>))<a [^>]+?>([^>]+?)</a></a>#i', "$1$3</a>", $r );
|
171 |
+
return $r;
|
172 |
+
}
|
173 |
+
|
174 |
+
function r20493_make_url_clickable_cb($matches) {
|
175 |
+
$url = $matches[2];
|
176 |
+
|
177 |
+
if ( ')' == $matches[3] && strpos( $url, '(' ) ) {
|
178 |
+
// If the trailing character is a closing parethesis, and the URL has an opening parenthesis in it, add the closing parenthesis to the URL.
|
179 |
+
// Then we can let the parenthesis balancer do its thing below.
|
180 |
+
$url .= $matches[3];
|
181 |
+
$suffix = '';
|
182 |
+
} else {
|
183 |
+
$suffix = $matches[3];
|
184 |
+
}
|
185 |
+
|
186 |
+
// Include parentheses in the URL only if paired
|
187 |
+
while ( substr_count( $url, '(' ) < substr_count( $url, ')' ) ) {
|
188 |
+
$suffix = strrchr( $url, ')' ) . $suffix;
|
189 |
+
$url = substr( $url, 0, strrpos( $url, ')' ) );
|
190 |
+
}
|
191 |
+
|
192 |
+
$url = esc_url($url);
|
193 |
+
if ( empty($url) )
|
194 |
+
return $matches[0];
|
195 |
+
|
196 |
+
return $matches[1] . "<a href=\"$url\" rel=\"nofollow\">$url</a>" . $suffix;
|
197 |
+
}
|
198 |
+
|
199 |
+
function r20493_split_str_by_whitespace( $string, $goal ) {
|
200 |
+
$chunks = array();
|
201 |
+
|
202 |
+
$string_nullspace = strtr( $string, "\r\n\t\v\f ", "\000\000\000\000\000\000" );
|
203 |
+
|
204 |
+
while ( $goal < strlen( $string_nullspace ) ) {
|
205 |
+
$pos = strrpos( substr( $string_nullspace, 0, $goal + 1 ), "\000" );
|
206 |
+
|
207 |
+
if ( false === $pos ) {
|
208 |
+
$pos = strpos( $string_nullspace, "\000", $goal + 1 );
|
209 |
+
if ( false === $pos ) {
|
210 |
+
break;
|
211 |
+
}
|
212 |
+
}
|
213 |
+
|
214 |
+
$chunks[] = substr( $string, 0, $pos + 1 );
|
215 |
+
$string = substr( $string, $pos + 1 );
|
216 |
+
$string_nullspace = substr( $string_nullspace, $pos + 1 );
|
217 |
+
}
|
218 |
+
|
219 |
+
if ( $string ) {
|
220 |
+
$chunks[] = $string;
|
221 |
+
}
|
222 |
+
|
223 |
+
return $chunks;
|
224 |
+
}
|
225 |
+
|
226 |
+
function r16625( $query ) {
|
227 |
+
// Hotfixes: http://core.trac.wordpress.org/changeset/16625
|
228 |
+
|
229 |
+
// Punt as fast as possible if this isn't an UPDATE
|
230 |
+
if ( substr( $query, 0, 6 ) != "UPDATE" )
|
231 |
+
return $query;
|
232 |
+
global $wpdb;
|
233 |
+
|
234 |
+
// Determine what the prefix of the bad query would look like and punt if this query doesn't match
|
235 |
+
$badstring = "UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '";
|
236 |
+
if ( substr( $query, 0, strlen( $badstring ) ) != $badstring )
|
237 |
+
return $query;
|
238 |
+
|
239 |
+
// Pull the post_id which is the last thing in the origin query, after a space, no quotes
|
240 |
+
$post_id = array_pop( explode( " ", $query ) );
|
241 |
+
|
242 |
+
// Chop off the beginning and end of the original query to get our unsanitized $tb_ping
|
243 |
+
$tb_ping = substr(
|
244 |
+
$query,
|
245 |
+
strlen( $badstring ),
|
246 |
+
(
|
247 |
+
strlen( $query ) - (
|
248 |
+
strlen( $badstring ) + strlen( sprintf( "', '')) WHERE ID = %d", $post_id ) )
|
249 |
+
)
|
250 |
+
)
|
251 |
+
);
|
252 |
+
|
253 |
+
// Return the fixed query
|
254 |
+
return $wpdb->prepare( "UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d", $tb_ping, $post_id );
|
255 |
+
}
|
256 |
+
|
257 |
+
function r16803( $xmlrpc_method ) {
|
258 |
+
// Hotfixes: http://core.trac.wordpress.org/changeset/16803
|
259 |
+
global $wp_xmlrpc_server;
|
260 |
+
// Pretend that we are an xmlrpc method, freshly called
|
261 |
+
$args = $wp_xmlrpc_server->message->params;
|
262 |
+
$error_code = 401;
|
263 |
+
switch( $xmlrpc_method ) {
|
264 |
+
case 'metaWeblog.newPost':
|
265 |
+
$content_struct = $args[3];
|
266 |
+
$publish = isset( $args[4] ) ? $args[4] : 0;
|
267 |
+
if ( !empty( $content_struct['post_type'] ) ) {
|
268 |
+
if ( $content_struct['post_type'] == 'page' ) {
|
269 |
+
if ( $publish || 'publish' == $content_struct['page_status'] )
|
270 |
+
$cap = 'publish_pages';
|
271 |
+
else
|
272 |
+
$cap = 'edit_pages';
|
273 |
+
$error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
|
274 |
+
} elseif ( $content_struct['post_type'] == 'post' ) {
|
275 |
+
if ( $publish || 'publish' == $content_struct['post_status'] )
|
276 |
+
$cap = 'publish_posts';
|
277 |
+
else
|
278 |
+
$cap = 'edit_posts';
|
279 |
+
$error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
|
280 |
+
} else {
|
281 |
+
$error_message = __( 'Invalid post type.' );
|
282 |
+
}
|
283 |
+
} else {
|
284 |
+
if ( $publish || 'publish' == $content_struct['post_status'] )
|
285 |
+
$cap = 'publish_posts';
|
286 |
+
else
|
287 |
+
$cap = 'edit_posts';
|
288 |
+
$error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
|
289 |
+
}
|
290 |
+
if ( current_user_can( $cap ) )
|
291 |
+
return true;
|
292 |
+
break;
|
293 |
+
case 'metaWeblog.editPost':
|
294 |
+
$post_ID = (int) $args[0];
|
295 |
+
$content_struct = $args[3];
|
296 |
+
$publish = $args[4];
|
297 |
+
$cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
|
298 |
+
$error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
|
299 |
+
if ( !empty( $content_struct['post_type'] ) ) {
|
300 |
+
if ( $content_struct['post_type'] == 'page' ) {
|
301 |
+
if ( $publish || 'publish' == $content_struct['page_status'] )
|
302 |
+
$cap = 'publish_pages';
|
303 |
+
else
|
304 |
+
$cap = 'edit_pages';
|
305 |
+
$error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
|
306 |
+
} elseif ( $content_struct['post_type'] == 'post' ) {
|
307 |
+
if ( $publish || 'publish' == $content_struct['post_status'] )
|
308 |
+
$cap = 'publish_posts';
|
309 |
+
else
|
310 |
+
$cap = 'edit_posts';
|
311 |
+
$error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
|
312 |
+
} else {
|
313 |
+
$error_message = __( 'Invalid post type.' );
|
314 |
+
}
|
315 |
+
} else {
|
316 |
+
if ( $publish || 'publish' == $content_struct['post_status'] )
|
317 |
+
$cap = 'publish_posts';
|
318 |
+
else
|
319 |
+
$cap = 'edit_posts';
|
320 |
+
$error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
|
321 |
+
}
|
322 |
+
if ( current_user_can( $cap ) )
|
323 |
+
return true;
|
324 |
+
break;
|
325 |
+
case 'mt.publishPost':
|
326 |
+
$post_ID = (int) $args[0];
|
327 |
+
if ( current_user_can( 'publish_posts' ) && current_user_can( 'edit_post', $post_ID ) )
|
328 |
+
return true;
|
329 |
+
$error_message = __( 'Sorry, you cannot edit this post.' );
|
330 |
+
break;
|
331 |
+
case 'blogger.deletePost':
|
332 |
+
$post_ID = (int) $args[1];
|
333 |
+
if ( current_user_can( 'delete_post', $post_ID ) )
|
334 |
+
return true;
|
335 |
+
$error_message = __( 'Sorry, you do not have the right to delete this post.' );
|
336 |
+
break;
|
337 |
+
case 'wp.getPageStatusList':
|
338 |
+
if ( current_user_can( 'edit_pages' ) )
|
339 |
+
return true;
|
340 |
+
$error_code = 403;
|
341 |
+
$error_message = __( 'You are not allowed access to details about this site.' );
|
342 |
+
break;
|
343 |
+
case 'wp.deleteComment':
|
344 |
+
case 'wp.editComment':
|
345 |
+
$comment_ID = (int) $args[3];
|
346 |
+
if ( !$comment = get_comment( $comment_ID ) )
|
347 |
+
return true; // This will be handled in the calling function explicitly
|
348 |
+
if ( current_user_can( 'edit_post', $comment->comment_post_ID ) )
|
349 |
+
return true;
|
350 |
+
$error_code = 403;
|
351 |
+
$error_message = __( 'You are not allowed to moderate comments on this site.' );
|
352 |
+
break;
|
353 |
+
default:
|
354 |
+
return true;
|
355 |
+
}
|
356 |
+
// If we are here then this was a handlable xmlrpc call and the capability checks above all failed
|
357 |
+
// ( otherwise they would have returned to the do_action from the switch statement above ) so it's
|
358 |
+
// time to exit with whatever error we've determined is the problem (thus short circuiting the
|
359 |
+
// original XMLRPC method call, and enforcing the above capability checks -- with an ax. We'll
|
360 |
+
// mimic the behavior from the end of IXR_Server::serve()
|
361 |
+
$r = new IXR_Error( $error_code, $error_message );
|
362 |
+
$resultxml = $r->getXml();
|
363 |
+
$xml = <<<EOD
|
364 |
+
<methodResponse>
|
365 |
+
<params>
|
366 |
+
<param>
|
367 |
+
<value>
|
368 |
+
$resultxml
|
369 |
+
</value>
|
370 |
+
</param>
|
371 |
+
</params>
|
372 |
+
</methodResponse>
|
373 |
+
EOD;
|
374 |
+
$wp_xmlrpc_server->output( $xml );
|
375 |
+
// For good measure...
|
376 |
+
die();
|
377 |
+
}
|
378 |
+
|
379 |
+
function r17172_esc_url( $url, $original_url, $_context ) {
|
380 |
+
$url = $original_url;
|
381 |
+
|
382 |
+
if ( '' == $url )
|
383 |
+
return $url;
|
384 |
+
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
|
385 |
+
$strip = array('%0d', '%0a', '%0D', '%0A');
|
386 |
+
$url = _deep_replace($strip, $url);
|
387 |
+
$url = str_replace(';//', '://', $url);
|
388 |
+
/* If the URL doesn't appear to contain a scheme, we
|
389 |
+
* presume it needs http:// appended (unless a relative
|
390 |
+
* link starting with /, # or ? or a php file).
|
391 |
+
*/
|
392 |
+
if ( strpos($url, ':') === false && ! in_array( $url[0], array( '/', '#', '?' ) ) &&
|
393 |
+
! preg_match('/^[a-z0-9-]+?\.php/i', $url) )
|
394 |
+
$url = 'http://' . $url;
|
395 |
+
|
396 |
+
// Replace ampersands and single quotes only when displaying.
|
397 |
+
if ( 'display' == $_context ) {
|
398 |
+
$url = wp_kses_normalize_entities( $url );
|
399 |
+
$url = str_replace( '&', '&', $url );
|
400 |
+
$url = str_replace( "'", ''', $url );
|
401 |
+
}
|
402 |
+
|
403 |
+
$protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
|
404 |
+
if ( VaultPress_kses::wp_kses_bad_protocol( $url, $protocols ) != $url )
|
405 |
+
return '';
|
406 |
+
return $url;
|
407 |
+
}
|
408 |
+
|
409 |
+
// http://core.trac.wordpress.org/changeset/17172
|
410 |
+
// http://core.trac.wordpress.org/changeset/20541
|
411 |
+
function r17172_wp_kses( $string, $html, $protocols ) {
|
412 |
+
return VaultPress_kses::wp_kses( $string, $html, $protocols );
|
413 |
+
}
|
414 |
+
|
415 |
+
// http://core.trac.wordpress.org/changeset/17990
|
416 |
+
function r17990( $filename ) {
|
417 |
+
$parts = explode('.', $filename);
|
418 |
+
$filename = array_shift($parts);
|
419 |
+
$extension = array_pop($parts);
|
420 |
+
$mimes = get_allowed_mime_types();
|
421 |
+
|
422 |
+
// Loop over any intermediate extensions. Munge them with a trailing underscore if they are a 2 - 5 character
|
423 |
+
// long alpha string not in the extension whitelist.
|
424 |
+
foreach ( (array) $parts as $part) {
|
425 |
+
$filename .= '.' . $part;
|
426 |
+
|
427 |
+
if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
|
428 |
+
$allowed = false;
|
429 |
+
foreach ( $mimes as $ext_preg => $mime_match ) {
|
430 |
+
$ext_preg = '!^(' . $ext_preg . ')$!i';
|
431 |
+
if ( preg_match( $ext_preg, $part ) ) {
|
432 |
+
$allowed = true;
|
433 |
+
break;
|
434 |
+
}
|
435 |
+
}
|
436 |
+
if ( !$allowed )
|
437 |
+
$filename .= '_';
|
438 |
+
}
|
439 |
+
}
|
440 |
+
$filename .= '.' . $extension;
|
441 |
+
return $filename;
|
442 |
+
}
|
443 |
+
|
444 |
+
/*
|
445 |
+
* Hotfixes: http://core.trac.wordpress.org/changeset/18368
|
446 |
+
*/
|
447 |
+
function r18368( $post, $raw_post ) {
|
448 |
+
if ( isset( $post['filter'] ) || isset ( $raw_post['filter'] ) ) {
|
449 |
+
unset( $post['filter'], $raw_post['filter'] ); // to ensure the post is properly sanitized
|
450 |
+
$post = sanitize_post($post, 'db');
|
451 |
+
}
|
452 |
+
if ( empty( $post['ID'] ) )
|
453 |
+
unset( $post['ID'] ); // sanitize_post
|
454 |
+
unset( $post['filter'] ); // sanitize_post
|
455 |
+
return $post;
|
456 |
+
}
|
457 |
+
|
458 |
+
/**
|
459 |
+
* Protect WordPress internal metadata.
|
460 |
+
*
|
461 |
+
* The post data is passed as a parameter to (unit) test this method.
|
462 |
+
* @param $post_data|array the $_POST array.
|
463 |
+
*/
|
464 |
+
function r17994( &$post_data ) {
|
465 |
+
// Protect admin-ajax add_meta
|
466 |
+
$metakeyselect = isset( $post_data['metakeyselect'] ) ? stripslashes( trim( $post_data['metakeyselect'] ) ) : '';
|
467 |
+
$metakeyinput = isset( $post_data['metakeyinput'] ) ? stripslashes( trim( $post_data['metakeyinput'] ) ) : '';
|
468 |
+
|
469 |
+
if ( ( $metakeyselect && '_' == $metakeyselect[0] ) || ( $metakeyinput && '_' == $metakeyinput[0] ) ) {
|
470 |
+
unset( $_POST['metakeyselect'], $_POST['metakeyinput'] );
|
471 |
+
}
|
472 |
+
|
473 |
+
// Protect admin-ajax update_meta
|
474 |
+
if ( isset( $post_data['meta'] ) ) {
|
475 |
+
foreach ( (array)$post_data['meta'] as $mid => $value ) {
|
476 |
+
$key = stripslashes( $post_data['meta'][$mid]['key'] );
|
477 |
+
if ( $key && '_' == $key[0] )
|
478 |
+
unset( $post_data['meta'][$mid] );
|
479 |
+
}
|
480 |
+
}
|
481 |
+
}
|
482 |
+
|
483 |
+
function r17994_sanitize_mime_type( $mime_type ) {
|
484 |
+
$sani_mime_type = preg_replace( '/[^\-*.a-zA-Z0-9\/+]/', '', $mime_type );
|
485 |
+
return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
|
486 |
+
}
|
487 |
+
|
488 |
+
function r17826_send_frame_options_header() {
|
489 |
+
@header( 'X-Frame-Options: SAMEORIGIN' );
|
490 |
+
}
|
491 |
+
|
492 |
+
function r18346_sanitize_admin_email_on_save($value) {
|
493 |
+
$value = sanitize_email( $value );
|
494 |
+
if ( !is_email( $value ) ) {
|
495 |
+
$value = get_option( 'new_admin_email' ); // Resets option to stored value in the case of failed sanitization
|
496 |
+
if ( function_exists( 'add_settings_error' ) )
|
497 |
+
add_settings_error( 'new_admin_email', 'invalid_admin_email', __( 'The email address entered did not appear to be a valid email address. Please enter a valid email address.' ) );
|
498 |
+
}
|
499 |
+
return $value;
|
500 |
+
}
|
501 |
+
|
502 |
+
function r18346_sanitize_admin_email( $value ) {
|
503 |
+
return sanitize_email( $value ); // Is it enough ?
|
504 |
+
}
|
505 |
+
|
506 |
+
function r18346_sanitize_lang_on_save( $value ) {
|
507 |
+
$value = $this->r18346_sanitize_lang( $value ); // sanitize the new value.
|
508 |
+
if ( empty( $value ) )
|
509 |
+
$value = get_option( 'WPLANG' );
|
510 |
+
return $value;
|
511 |
+
}
|
512 |
+
|
513 |
+
function r18346_sanitize_lang( $value ) {
|
514 |
+
$allowed = apply_filters( 'available_languages', get_available_languages() ); // add a filter to unit test
|
515 |
+
if ( !empty( $value ) && !in_array( $value, $allowed ) )
|
516 |
+
return false;
|
517 |
+
else
|
518 |
+
return $value;
|
519 |
+
}
|
520 |
+
}
|
521 |
+
|
522 |
+
global $wp_version;
|
523 |
+
$needs_class_fix = version_compare( $wp_version, '3.1', '>=') && version_compare( $wp_version, '3.1.3', '<' );
|
524 |
+
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST && $needs_class_fix ) {
|
525 |
+
include_once( ABSPATH . WPINC . '/class-IXR.php' );
|
526 |
+
include_once( ABSPATH . WPINC . '/class-wp-xmlrpc-server.php' );
|
527 |
+
|
528 |
+
class VaultPress_XMLRPC_Server_r17994 extends wp_xmlrpc_server {
|
529 |
+
function set_custom_fields( $post_id, $fields ) {
|
530 |
+
foreach( $fields as $k => $meta ) {
|
531 |
+
$key = stripslashes( trim( $meta['key'] ) );
|
532 |
+
if ( $key && '_' == $key[0] )
|
533 |
+
unset( $fields[$k] );
|
534 |
+
}
|
535 |
+
parent::set_custom_fields( $post_id, $fields );
|
536 |
+
}
|
537 |
+
}
|
538 |
+
}
|
539 |
+
|
540 |
+
class VaultPress_kses {
|
541 |
+
static function wp_kses($string, $allowed_html, $allowed_protocols = array ()) {
|
542 |
+
$string = wp_kses_no_null($string);
|
543 |
+
$string = wp_kses_js_entities($string);
|
544 |
+
$string = wp_kses_normalize_entities($string);
|
545 |
+
return VaultPress_kses::wp_kses_split($string, $allowed_html, $allowed_protocols);
|
546 |
+
}
|
547 |
+
|
548 |
+
static function wp_kses_split($string, $allowed_html, $allowed_protocols) {
|
549 |
+
global $pass_allowed_html, $pass_allowed_protocols;
|
550 |
+
$pass_allowed_html = $allowed_html;
|
551 |
+
$pass_allowed_protocols = $allowed_protocols;
|
552 |
+
return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', 'VaultPress_kses::_vp_kses_split_callback', $string );
|
553 |
+
}
|
554 |
+
|
555 |
+
static function _vp_kses_split_callback( $match ) {
|
556 |
+
global $pass_allowed_html, $pass_allowed_protocols;
|
557 |
+
return VaultPress_kses::wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
|
558 |
+
}
|
559 |
+
|
560 |
+
static function wp_kses_split2($string, $allowed_html, $allowed_protocols) {
|
561 |
+
$string = wp_kses_stripslashes($string);
|
562 |
+
|
563 |
+
if (substr($string, 0, 1) != '<')
|
564 |
+
return '>';
|
565 |
+
# It matched a ">" character
|
566 |
+
|
567 |
+
if ( '<!--' == substr( $string, 0, 4 ) ) {
|
568 |
+
$string = str_replace( array('<!--', '-->'), '', $string );
|
569 |
+
while ( $string != ($newstring = VaultPress_kses::wp_kses($string, $allowed_html, $allowed_protocols)) )
|
570 |
+
$string = $newstring;
|
571 |
+
if ( $string == '' )
|
572 |
+
return '';
|
573 |
+
// prevent multiple dashes in comments
|
574 |
+
$string = preg_replace('/--+/', '-', $string);
|
575 |
+
// prevent three dashes closing a comment
|
576 |
+
$string = preg_replace('/-$/', '', $string);
|
577 |
+
return "<!--{$string}-->";
|
578 |
+
}
|
579 |
+
# Allow HTML comments
|
580 |
+
|
581 |
+
if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches))
|
582 |
+
return '';
|
583 |
+
# It's seriously malformed
|
584 |
+
|
585 |
+
$slash = trim($matches[1]);
|
586 |
+
$elem = $matches[2];
|
587 |
+
$attrlist = $matches[3];
|
588 |
+
|
589 |
+
if ( ! isset($allowed_html[strtolower($elem)]) )
|
590 |
+
return '';
|
591 |
+
# They are using a not allowed HTML element
|
592 |
+
|
593 |
+
if ($slash != '')
|
594 |
+
return "</$elem>";
|
595 |
+
# No attributes are allowed for closing elements
|
596 |
+
|
597 |
+
return VaultPress_kses::wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );
|
598 |
+
}
|
599 |
+
|
600 |
+
static function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) {
|
601 |
+
# Is there a closing XHTML slash at the end of the attributes?
|
602 |
+
|
603 |
+
$xhtml_slash = '';
|
604 |
+
if (preg_match('%\s*/\s*$%', $attr))
|
605 |
+
$xhtml_slash = ' /';
|
606 |
+
|
607 |
+
# Are any attributes allowed at all for this element?
|
608 |
+
if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 )
|
609 |
+
return "<$element$xhtml_slash>";
|
610 |
+
|
611 |
+
# Split it
|
612 |
+
$attrarr = VaultPress_kses::wp_kses_hair($attr, $allowed_protocols);
|
613 |
+
|
614 |
+
# Go through $attrarr, and save the allowed attributes for this element
|
615 |
+
# in $attr2
|
616 |
+
$attr2 = '';
|
617 |
+
|
618 |
+
$allowed_attr = $allowed_html[strtolower($element)];
|
619 |
+
foreach ($attrarr as $arreach) {
|
620 |
+
if ( ! isset( $allowed_attr[strtolower($arreach['name'])] ) )
|
621 |
+
continue; # the attribute is not allowed
|
622 |
+
|
623 |
+
$current = $allowed_attr[strtolower($arreach['name'])];
|
624 |
+
if ( $current == '' )
|
625 |
+
continue; # the attribute is not allowed
|
626 |
+
|
627 |
+
if ( strtolower( $arreach['name'] ) == 'style' ) {
|
628 |
+
$orig_value = $arreach['value'];
|
629 |
+
$value = safecss_filter_attr( $orig_value );
|
630 |
+
|
631 |
+
if ( empty( $value ) )
|
632 |
+
continue;
|
633 |
+
|
634 |
+
$arreach['value'] = $value;
|
635 |
+
$arreach['whole'] = str_replace( $orig_value, $value, $arreach['whole'] );
|
636 |
+
}
|
637 |
+
|
638 |
+
if ( ! is_array($current) ) {
|
639 |
+
$attr2 .= ' '.$arreach['whole'];
|
640 |
+
# there are no checks
|
641 |
+
|
642 |
+
} else {
|
643 |
+
# there are some checks
|
644 |
+
$ok = true;
|
645 |
+
foreach ($current as $currkey => $currval) {
|
646 |
+
if ( ! wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval) ) {
|
647 |
+
$ok = false;
|
648 |
+
break;
|
649 |
+
}
|
650 |
+
}
|
651 |
+
|
652 |
+
if ( $ok )
|
653 |
+
$attr2 .= ' '.$arreach['whole']; # it passed them
|
654 |
+
} # if !is_array($current)
|
655 |
+
} # foreach
|
656 |
+
|
657 |
+
# Remove any "<" or ">" characters
|
658 |
+
$attr2 = preg_replace('/[<>]/', '', $attr2);
|
659 |
+
|
660 |
+
return "<$element$attr2$xhtml_slash>";
|
661 |
+
}
|
662 |
+
|
663 |
+
static function wp_kses_hair($attr, $allowed_protocols) {
|
664 |
+
$attrarr = array ();
|
665 |
+
$mode = 0;
|
666 |
+
$attrname = '';
|
667 |
+
$uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
|
668 |
+
|
669 |
+
# Loop through the whole attribute list
|
670 |
+
|
671 |
+
while (strlen($attr) != 0) {
|
672 |
+
$working = 0; # Was the last operation successful?
|
673 |
+
|
674 |
+
switch ($mode) {
|
675 |
+
case 0 : # attribute name, href for instance
|
676 |
+
|
677 |
+
if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
|
678 |
+
$attrname = $match[1];
|
679 |
+
$working = $mode = 1;
|
680 |
+
$attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
|
681 |
+
}
|
682 |
+
|
683 |
+
break;
|
684 |
+
|
685 |
+
case 1 : # equals sign or valueless ("selected")
|
686 |
+
|
687 |
+
if (preg_match('/^\s*=\s*/', $attr)) # equals sign
|
688 |
+
{
|
689 |
+
$working = 1;
|
690 |
+
$mode = 2;
|
691 |
+
$attr = preg_replace('/^\s*=\s*/', '', $attr);
|
692 |
+
break;
|
693 |
+
}
|
694 |
+
|
695 |
+
if (preg_match('/^\s+/', $attr)) # valueless
|
696 |
+
{
|
697 |
+
$working = 1;
|
698 |
+
$mode = 0;
|
699 |
+
if(false === array_key_exists($attrname, $attrarr)) {
|
700 |
+
$attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
|
701 |
+
}
|
702 |
+
$attr = preg_replace('/^\s+/', '', $attr);
|
703 |
+
}
|
704 |
+
|
705 |
+
break;
|
706 |
+
|
707 |
+
case 2 : # attribute value, a URL after href= for instance
|
708 |
+
|
709 |
+
if (preg_match('%^"([^"]*)"(\s+|/?$)%', $attr, $match))
|
710 |
+
# "value"
|
711 |
+
{
|
712 |
+
$thisval = $match[1];
|
713 |
+
if ( in_array(strtolower($attrname), $uris) )
|
714 |
+
$thisval = VaultPress_kses::wp_kses_bad_protocol($thisval, $allowed_protocols);
|
715 |
+
|
716 |
+
if(false === array_key_exists($attrname, $attrarr)) {
|
717 |
+
$attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
|
718 |
+
}
|
719 |
+
$working = 1;
|
720 |
+
$mode = 0;
|
721 |
+
$attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);
|
722 |
+
break;
|
723 |
+
}
|
724 |
+
|
725 |
+
if (preg_match("%^'([^']*)'(\s+|/?$)%", $attr, $match))
|
726 |
+
# 'value'
|
727 |
+
{
|
728 |
+
$thisval = $match[1];
|
729 |
+
if ( in_array(strtolower($attrname), $uris) )
|
730 |
+
$thisval = VaultPress_kses::wp_kses_bad_protocol($thisval, $allowed_protocols);
|
731 |
+
|
732 |
+
if(false === array_key_exists($attrname, $attrarr)) {
|
733 |
+
$attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n');
|
734 |
+
}
|
735 |
+
$working = 1;
|
736 |
+
$mode = 0;
|
737 |
+
$attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);
|
738 |
+
break;
|
739 |
+
}
|
740 |
+
|
741 |
+
if (preg_match("%^([^\s\"']+)(\s+|/?$)%", $attr, $match))
|
742 |
+
# value
|
743 |
+
{
|
744 |
+
$thisval = $match[1];
|
745 |
+
if ( in_array(strtolower($attrname), $uris) )
|
746 |
+
$thisval = VaultPress_kses::wp_kses_bad_protocol($thisval, $allowed_protocols);
|
747 |
+
|
748 |
+
if(false === array_key_exists($attrname, $attrarr)) {
|
749 |
+
$attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
|
750 |
+
}
|
751 |
+
# We add quotes to conform to W3C's HTML spec.
|
752 |
+
$working = 1;
|
753 |
+
$mode = 0;
|
754 |
+
$attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr);
|
755 |
+
}
|
756 |
+
|
757 |
+
break;
|
758 |
+
} # switch
|
759 |
+
|
760 |
+
if ($working == 0) # not well formed, remove and try again
|
761 |
+
{
|
762 |
+
$attr = wp_kses_html_error($attr);
|
763 |
+
$mode = 0;
|
764 |
+
}
|
765 |
+
} # while
|
766 |
+
|
767 |
+
if ($mode == 1 && false === array_key_exists($attrname, $attrarr))
|
768 |
+
# special case, for when the attribute list ends with a valueless
|
769 |
+
# attribute like "selected"
|
770 |
+
$attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
|
771 |
+
|
772 |
+
return $attrarr;
|
773 |
+
}
|
774 |
+
|
775 |
+
static function wp_kses_bad_protocol($string, $allowed_protocols) {
|
776 |
+
$string = wp_kses_no_null($string);
|
777 |
+
$iterations = 0;
|
778 |
+
|
779 |
+
do {
|
780 |
+
$original_string = $string;
|
781 |
+
$string = VaultPress_kses::wp_kses_bad_protocol_once($string, $allowed_protocols);
|
782 |
+
} while ( $original_string != $string && ++$iterations < 6 );
|
783 |
+
|
784 |
+
if ( $original_string != $string )
|
785 |
+
return '';
|
786 |
+
|
787 |
+
return $string;
|
788 |
+
}
|
789 |
+
|
790 |
+
static function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1) {
|
791 |
+
$string2 = preg_split( '/:|�*58;|�*3a;/i', $string, 2 );
|
792 |
+
if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
|
793 |
+
$string = trim( $string2[1] );
|
794 |
+
$protocol = VaultPress_kses::wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
|
795 |
+
if ( 'feed:' == $protocol ) {
|
796 |
+
if ( $count > 2 )
|
797 |
+
return '';
|
798 |
+
$string = VaultPress_kses::wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );
|
799 |
+
if ( empty( $string ) )
|
800 |
+
return $string;
|
801 |
+
}
|
802 |
+
$string = $protocol . $string;
|
803 |
+
}
|
804 |
+
|
805 |
+
return $string;
|
806 |
+
}
|
807 |
+
|
808 |
+
static function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
|
809 |
+
$string2 = wp_kses_decode_entities($string);
|
810 |
+
$string2 = preg_replace('/\s/', '', $string2);
|
811 |
+
$string2 = wp_kses_no_null($string2);
|
812 |
+
$string2 = strtolower($string2);
|
813 |
+
|
814 |
+
$allowed = false;
|
815 |
+
foreach ( (array) $allowed_protocols as $one_protocol )
|
816 |
+
if ( strtolower($one_protocol) == $string2 ) {
|
817 |
+
$allowed = true;
|
818 |
+
break;
|
819 |
+
}
|
820 |
+
|
821 |
+
if ($allowed)
|
822 |
+
return "$string2:";
|
823 |
+
else
|
824 |
+
return '';
|
825 |
+
}
|
826 |
+
|
827 |
+
}
|
828 |
+
|
829 |
+
if ( !function_exists( 'get_available_languages' ) ) {
|
830 |
+
function get_available_languages( $dir = null ) {
|
831 |
+
$languages = array();
|
832 |
+
foreach( glob( ( is_null( $dir) ? WP_LANG_DIR : $dir ) . '/*.mo' ) as $lang_file )
|
833 |
+
if ( false === strpos( $lang_file, 'continents-cities' ) )
|
834 |
+
$languages[] = basename($lang_file, '.mo');
|
835 |
+
return $languages;
|
836 |
+
}
|
837 |
+
}
|
class.vaultpress-ixr-ssl-client.php
ADDED
@@ -0,0 +1,132 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<?php
|
2 |
+
|
3 |
+
// don't call the file directly
|
4 |
+
if ( !defined( 'ABSPATH' ) )
|
5 |
+
return;
|
6 |
+
|
7 |
+
if ( !class_exists( 'IXR_Client' ) )
|
8 |
+
include_once( ABSPATH . WPINC . '/class-IXR.php' );
|
9 |
+
|
10 |
+
class VaultPress_IXR_SSL_Client extends IXR_Client {
|
11 |
+
var $ssl = false;
|
12 |
+
function VaultPress_IXR_SSL_Client( $server, $path = false, $port = 80, $timeout = false ) {
|
13 |
+
$this->IXR_Client( $server, $path, $port, $timeout );
|
14 |
+
}
|
15 |
+
function ssl( $port=443 ) {
|
16 |
+
if ( !extension_loaded( 'openssl' ) )
|
17 |
+
return;
|
18 |
+
|
19 |
+
$this->ssl = true;
|
20 |
+
if ( $port )
|
21 |
+
$this->port = $port;
|
22 |
+
}
|
23 |
+
function query() {
|
24 |
+
$args = func_get_args();
|
25 |
+
$method = array_shift($args);
|
26 |
+
$request = new IXR_Request($method, $args);
|
27 |
+
$length = $request->getLength();
|
28 |
+
$xml = $request->getXml();
|
29 |
+
$r = "\r\n";
|
30 |
+
$request = "POST {$this->path} HTTP/1.0$r";
|
31 |
+
|
32 |
+
$this->headers['Host'] = preg_replace( '#^ssl://#', '', $this->server );
|
33 |
+
$this->headers['Content-Type'] = 'text/xml';
|
34 |
+
$this->headers['User-Agent'] = $this->useragent;
|
35 |
+
$this->headers['Content-Length'] = $length;
|
36 |
+
|
37 |
+
if ( class_exists( 'WP_Http' ) ) {
|
38 |
+
$args = array(
|
39 |
+
'method' => 'POST',
|
40 |
+
'body' => $xml,
|
41 |
+
'headers' => $this->headers,
|
42 |
+
'sslverify' => false,
|
43 |
+
);
|
44 |
+
if ( $this->timeout )
|
45 |
+
$args['timeout'] = $this->timeout;
|
46 |
+
|
47 |
+
$http = new WP_Http();
|
48 |
+
if ( $this->ssl )
|
49 |
+
$url = sprintf( 'https://%s%s', $this->server, $this->path );
|
50 |
+
else
|
51 |
+
$url = sprintf( 'http://%s%s', $this->server, $this->path );
|
52 |
+
|
53 |
+
$result = $http->request( $url, $args );
|
54 |
+
if ( is_wp_error( $result ) ) {
|
55 |
+
foreach( $result->errors as $type => $messages ) {
|
56 |
+
$this->error = new IXR_Error(
|
57 |
+
-32702,
|
58 |
+
sprintf( 'WP_Http error: %s, %s', $type, $messages[0] )
|
59 |
+
);
|
60 |
+
break;
|
61 |
+
}
|
62 |
+
return false;
|
63 |
+
} else if ( $result['response']['code'] > 299 || $result['response']['code'] < 200 ) {
|
64 |
+
$this->error = new IXR_Error(
|
65 |
+
-32701,
|
66 |
+
sprintf( 'Server rejected request (HTTP response: %s %s)', $result['response']['code'], $result['response']['message'])
|
67 |
+
);
|
68 |
+
return false;
|
69 |
+
}
|
70 |
+
// Now parse what we've got back
|
71 |
+
$this->message = new IXR_Message( $result['body'] );
|
72 |
+
} else {
|
73 |
+
foreach( $this->headers as $header => $value ) {
|
74 |
+
$request .= "{$header}: {$value}{$r}";
|
75 |
+
}
|
76 |
+
$request .= $r;
|
77 |
+
|
78 |
+
$request .= $xml;
|
79 |
+
// Now send the request
|
80 |
+
if ( $this->ssl )
|
81 |
+
$host = 'ssl://'.$this->server;
|
82 |
+
else
|
83 |
+
$host = $this->server;
|
84 |
+
if ($this->timeout) {
|
85 |
+
$fp = @fsockopen( $host, $this->port, $errno, $errstr, $this->timeout );
|
86 |
+
} else {
|
87 |
+
$fp = @fsockopen( $host, $this->port, $errno, $errstr );
|
88 |
+
}
|
89 |
+
if (!$fp) {
|
90 |
+
$this->error = new IXR_Error( -32300, "Transport error - could not open socket: $errno $errstr" );
|
91 |
+
return false;
|
92 |
+
}
|
93 |
+
fputs( $fp, $request );
|
94 |
+
|
95 |
+
$contents = '';
|
96 |
+
$gotFirstLine = false;
|
97 |
+
$gettingHeaders = true;
|
98 |
+
|
99 |
+
while ( !feof($fp) ) {
|
100 |
+
$line = fgets( $fp, 4096 );
|
101 |
+
if ( !$gotFirstLine ) {
|
102 |
+
// Check line for '200'
|
103 |
+
if ( strstr($line, '200') === false ) {
|
104 |
+
$this->error = new IXR_Error( -32301, 'transport error - HTTP status code was not 200' );
|
105 |
+
return false;
|
106 |
+
}
|
107 |
+
$gotFirstLine = true;
|
108 |
+
}
|
109 |
+
if ( trim($line) == '' ) {
|
110 |
+
$gettingHeaders = false;
|
111 |
+
}
|
112 |
+
if ( !$gettingHeaders ) {
|
113 |
+
$contents .= trim( $line );
|
114 |
+
}
|
115 |
+
}
|
116 |
+
// Now parse what we've got back
|
117 |
+
$this->message = new IXR_Message( $contents );
|
118 |
+
}
|
119 |
+
if ( !$this->message->parse() ) {
|
120 |
+
// XML error
|
121 |
+
$this->error = new IXR_Error( -32700, 'parse error. not well formed' );
|
122 |
+
return false;
|
123 |
+
}
|
124 |
+
// Is the message a fault?
|
125 |
+
if ( $this->message->messageType == 'fault' ) {
|
126 |
+
$this->error = new IXR_Error( $this->message->faultCode, $this->message->faultString );
|
127 |
+
return false;
|
128 |
+
}
|
129 |
+
// Message must be OK
|
130 |
+
return true;
|
131 |
+
}
|
132 |
+
}
|
cron-tasks.php
ADDED
@@ -0,0 +1,152 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<?php
|
2 |
+
include_once dirname( __FILE__ ) . '/vp-scanner.php';
|
3 |
+
|
4 |
+
if ( !function_exists( 'apply_filters_ref_array' ) ) :
|
5 |
+
|
6 |
+
function apply_filters_ref_array($tag, $args) {
|
7 |
+
global $wp_filter, $merged_filters, $wp_current_filter;
|
8 |
+
|
9 |
+
// Do 'all' actions first
|
10 |
+
if ( isset($wp_filter['all']) ) {
|
11 |
+
$wp_current_filter[] = $tag;
|
12 |
+
$all_args = func_get_args();
|
13 |
+
_wp_call_all_hook($all_args);
|
14 |
+
}
|
15 |
+
|
16 |
+
if ( !isset($wp_filter[$tag]) ) {
|
17 |
+
if ( isset($wp_filter['all']) )
|
18 |
+
array_pop($wp_current_filter);
|
19 |
+
return $args[0];
|
20 |
+
}
|
21 |
+
|
22 |
+
if ( !isset($wp_filter['all']) )
|
23 |
+
$wp_current_filter[] = $tag;
|
24 |
+
|
25 |
+
// Sort
|
26 |
+
if ( !isset( $merged_filters[ $tag ] ) ) {
|
27 |
+
ksort($wp_filter[$tag]);
|
28 |
+
$merged_filters[ $tag ] = true;
|
29 |
+
}
|
30 |
+
|
31 |
+
reset( $wp_filter[ $tag ] );
|
32 |
+
|
33 |
+
do {
|
34 |
+
foreach( (array) current($wp_filter[$tag]) as $the_ )
|
35 |
+
if ( !is_null($the_['function']) )
|
36 |
+
$args[0] = call_user_func_array($the_['function'], array_slice($args, 0, (int) $the_['accepted_args']));
|
37 |
+
|
38 |
+
} while ( next($wp_filter[$tag]) !== false );
|
39 |
+
|
40 |
+
array_pop( $wp_current_filter );
|
41 |
+
|
42 |
+
return $args[0];
|
43 |
+
}
|
44 |
+
|
45 |
+
endif;
|
46 |
+
|
47 |
+
class VP_Site_Scanner {
|
48 |
+
function VP_Site_Scanner() {
|
49 |
+
self::__construct();
|
50 |
+
}
|
51 |
+
function __construct() {
|
52 |
+
// Only scan once in multisites.
|
53 |
+
if( function_exists( 'is_main_site' ) && !is_main_site() )
|
54 |
+
return;
|
55 |
+
add_action( 'vp_scan_site' , array( $this, '_scan_site') );
|
56 |
+
add_filter( 'cron_schedules' , array( $this, '_custom_cron' ) );
|
57 |
+
add_action( 'vp_scan_next_batch', array( $this, '_scan_batch' ) );
|
58 |
+
|
59 |
+
$signatures = get_option( '_vp_signatures' );
|
60 |
+
if ( $signatures && ! wp_next_scheduled( 'vp_scan_site' ) )
|
61 |
+
wp_schedule_event( time(), 'daily', 'vp_scan_site' );
|
62 |
+
if ( $signatures && ! wp_next_scheduled( 'vp_scan_next_batch' ) )
|
63 |
+
wp_schedule_event( time(), 'five_minutes_interval', 'vp_scan_next_batch' );
|
64 |
+
}
|
65 |
+
|
66 |
+
function _custom_cron( $schedules ) {
|
67 |
+
$schedules['five_minutes_interval'] = array(
|
68 |
+
'interval' => 300,
|
69 |
+
'display' => __( 'Once every five minutes' ),
|
70 |
+
);
|
71 |
+
return $schedules;
|
72 |
+
}
|
73 |
+
|
74 |
+
function _scan_site() {
|
75 |
+
if ( !get_option( '_vp_current_scan' ) ) {
|
76 |
+
$paths = array( 'root' => new VP_FileScan( ABSPATH ) );
|
77 |
+
|
78 |
+
// Is WP_CONTENT_DIR inside ABSPATH?
|
79 |
+
if ( is_dir( WP_CONTENT_DIR ) && strpos( realpath( WP_CONTENT_DIR ), realpath( ABSPATH ) . DIRECTORY_SEPARATOR ) !== 0 )
|
80 |
+
$paths['content'] = new VP_FileScan( WP_CONTENT_DIR );
|
81 |
+
|
82 |
+
// Is WP_PLUGIN_DIR inside ABSPATH or WP_CONTENT_DIR?
|
83 |
+
if ( is_dir( WP_PLUGIN_DIR ) && strpos( realpath( WP_PLUGIN_DIR ), realpath( WP_CONTENT_DIR ) . DIRECTORY_SEPARATOR ) !== 0 && strpos( realpath( WP_PLUGIN_DIR ), realpath( ABSPATH ) . DIRECTORY_SEPARATOR ) !== 0 )
|
84 |
+
$paths['plugins'] = new VP_FileScan( WP_PLUGIN_DIR );
|
85 |
+
|
86 |
+
// Is WPMU_PLUGIN_DIR inside ABSPATH or WP_CONTENT_DIR?
|
87 |
+
if ( is_dir( WPMU_PLUGIN_DIR ) && strpos( realpath( WPMU_PLUGIN_DIR ), realpath( WP_CONTENT_DIR ) . DIRECTORY_SEPARATOR ) !== 0 && strpos( realpath( WPMU_PLUGIN_DIR ), realpath( ABSPATH ) . DIRECTORY_SEPARATOR ) !== 0 )
|
88 |
+
$paths['mu-plugins'] = new VP_FileScan( WPMU_PLUGIN_DIR );
|
89 |
+
|
90 |
+
update_option( '_vp_current_scan', $paths );
|
91 |
+
}
|
92 |
+
}
|
93 |
+
|
94 |
+
function _scan_clean_up( &$paths, $type = null ) {
|
95 |
+
if( is_array( $paths ) )
|
96 |
+
unset( $paths[$type] );
|
97 |
+
if ( empty( $paths ) || !is_array( $paths ) ) {
|
98 |
+
delete_option( '_vp_current_scan' );
|
99 |
+
return true;
|
100 |
+
}
|
101 |
+
return false;
|
102 |
+
}
|
103 |
+
|
104 |
+
function _scan_batch() {
|
105 |
+
$paths = get_option( '_vp_current_scan' );
|
106 |
+
if ( empty( $paths ) || $this->_scan_clean_up( $paths ) )
|
107 |
+
return false;
|
108 |
+
|
109 |
+
reset( $paths );
|
110 |
+
list( $type, $current ) = each( $paths );
|
111 |
+
if ( !is_object( $current ) || empty( $current->last_dir ) )
|
112 |
+
return $this->_scan_clean_up( $paths, $type );
|
113 |
+
|
114 |
+
$default_batch_limit = 400;
|
115 |
+
if ( function_exists( 'set_time_limit' ) )
|
116 |
+
set_time_limit(0);
|
117 |
+
else
|
118 |
+
$default_batch_limit = 100; // avoid timeouts
|
119 |
+
|
120 |
+
$GLOBALS['vp_signatures'] = get_option( '_vp_signatures' );
|
121 |
+
if ( empty( $GLOBALS['vp_signatures'] ) )
|
122 |
+
return false;
|
123 |
+
|
124 |
+
$limit = get_option( '_vp_batch_file_size', $default_batch_limit );
|
125 |
+
$files = $current->get_files( $limit );
|
126 |
+
|
127 |
+
// No more files to scan.
|
128 |
+
if ( !$current->last_dir || count( $files ) < $limit )
|
129 |
+
unset( $paths[$type] );
|
130 |
+
|
131 |
+
update_option( '_vp_current_scan', $paths );
|
132 |
+
$results = array();
|
133 |
+
foreach ( $files as $file ) {
|
134 |
+
$verdict = vp_scan_file( $file );
|
135 |
+
if ( !empty( $verdict ) )
|
136 |
+
$results[$file] = array( 'hash' => @md5_file( $file ), 'verdict' => $verdict );
|
137 |
+
}
|
138 |
+
|
139 |
+
if ( !empty( $results ) ) {
|
140 |
+
$vaultpress = VaultPress::init();
|
141 |
+
$vaultpress->add_ping( 'security', array( 'suspicious_v2' => $results ) );
|
142 |
+
}
|
143 |
+
}
|
144 |
+
|
145 |
+
function &init() {
|
146 |
+
static $instance = false;
|
147 |
+
if ( !$instance )
|
148 |
+
$instance = new VP_Site_Scanner();
|
149 |
+
return $instance;
|
150 |
+
}
|
151 |
+
}
|
152 |
+
VP_Site_Scanner::init();
|
readme.txt
ADDED
@@ -0,0 +1,53 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
=== VaultPress ===
|
2 |
+
Contributors: automattic, aldenta, apokalyptik, briancolinger, shaunandrews, xknown
|
3 |
+
Tags: security, malware, virus, backups, scanning
|
4 |
+
Requires at least: 2.9.2
|
5 |
+
Tested up to: 3.4.1
|
6 |
+
Stable tag: 1.3.7
|
7 |
+
|
8 |
+
VaultPress is a subscription service offering realtime backup, automated security scanning, and support from WordPress experts.
|
9 |
+
|
10 |
+
== Description ==
|
11 |
+
|
12 |
+
[VaultPress](http://vaultpress.com/?utm_source=plugin-readme&utm_medium=description&utm_campaign=1.0) is a real-time backup and security scanning service designed and built by [Automattic](http://automattic.com/), the same company that operates 25+ million sites on WordPress.com.
|
13 |
+
|
14 |
+
[wpvideo TxdSIdpO]
|
15 |
+
|
16 |
+
For more information, check out [VaultPress.com](http://vaultpress.com/).
|
17 |
+
|
18 |
+
== Installation ==
|
19 |
+
|
20 |
+
1. Search for VaultPress in the WordPress.org plugin directory and click install. Or, upload the files to your `wp-content/vaultpress/` folder.
|
21 |
+
2. Visit `wp-admin/plugins.php` and activate the VaultPress plugin.
|
22 |
+
3. Head to `wp-admin/admin.php?page=vaultpress` and enter your site’s registration key. You can purchase your registration key at [VaultPress.com](http://vaultpress.com/plugin/?utm_source=plugin-readme&utm_medium=installation&utm_campaign=1.0)
|
23 |
+
|
24 |
+
You can find more detailed instructions at [http://vaultpress.com/help/](http://vaultpress.com/help/install-vaultpress/?utm_source=plugin-readme&utm_medium=description&utm_campaign=1.0)
|
25 |
+
|
26 |
+
== Frequently Asked Questions ==
|
27 |
+
|
28 |
+
View our full list of FAQs at [http://vaultpress.com/help/faq/](http://vaultpress.com/help/faq/?utm_source=plugin-readme&utm_medium=faq&utm_campaign=1.0)
|
29 |
+
|
30 |
+
= What’s included in each VaultPress plan? =
|
31 |
+
|
32 |
+
All plans include Realtime Backups, Downloadable Archives for Restoring, Vitality Statistics, and the Activity Log.
|
33 |
+
|
34 |
+
The Basic plan provides access to disaster recovery and support services.
|
35 |
+
|
36 |
+
The Premium plan provides priority recovery and support services, along with site migration assistance. The Premium plan provides automated security scanning of Core, Theme, and Plugin files.
|
37 |
+
|
38 |
+
The Enterprise members receive top priority for support services and migration assistance. Along with security scanning, Enterprise members receive complimentary security consulting and performance auditing.
|
39 |
+
|
40 |
+
Update-to-date pricing and features can always be found on the [Plans & Pricing](http://vaultpress.com/plugin/?utm_source=plugin-readme&utm_medium=installation&utm_campaign=1.0) page.
|
41 |
+
|
42 |
+
= How many sites can I protect with VaultPress? =
|
43 |
+
|
44 |
+
A VaultPress subscription is for a single WordPress site. You can purchase additional subscriptions for each of your WordPress sites, and manage them all with in one place.
|
45 |
+
|
46 |
+
= Does VaultPress work with WordPress 3.0 Multisite installs? =
|
47 |
+
|
48 |
+
With our 1.0 release, VaultPress now supports Multisite installs. Each site will require its own subscription.
|
49 |
+
|
50 |
+
== Changelog ==
|
51 |
+
|
52 |
+
= 1.0 =
|
53 |
+
* First public release!
|
vaultpress.php
ADDED
@@ -0,0 +1,1912 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<?php
|
2 |
+
/*
|
3 |
+
* Plugin Name: VaultPress
|
4 |
+
* Plugin URI: http://vaultpress.com/?utm_source=plugin-uri&utm_medium=plugin-description&utm_campaign=1.0
|
5 |
+
* Description: Protect your content, themes, plugins, and settings with <strong>realtime backup</strong> and <strong>automated security scanning</strong> from <a href="http://vaultpress.com/?utm_source=wp-admin&utm_medium=plugin-description&utm_campaign=1.0" rel="nofollow">VaultPress</a>. Activate, enter your registration key, and never worry again. <a href="http://vaultpress.com/help/?utm_source=wp-admin&utm_medium=plugin-description&utm_campaign=1.0" rel="nofollow">Need some help?</a>
|
6 |
+
* Version: 1.3.7
|
7 |
+
* Author: Automattic
|
8 |
+
* Author URI: http://vaultpress.com/?utm_source=author-uri&utm_medium=plugin-description&utm_campaign=1.0
|
9 |
+
* License: GPL2+
|
10 |
+
* Text Domain: vaultpress
|
11 |
+
* Domain Path: /languages/
|
12 |
+
*/
|
13 |
+
|
14 |
+
// don't call the file directly
|
15 |
+
if ( !defined( 'ABSPATH' ) )
|
16 |
+
return;
|
17 |
+
|
18 |
+
class VaultPress {
|
19 |
+
var $option_name = 'vaultpress';
|
20 |
+
var $db_version = 2;
|
21 |
+
var $plugin_version = '1.3.7';
|
22 |
+
|
23 |
+
function VaultPress() {
|
24 |
+
$this->__construct();
|
25 |
+
}
|
26 |
+
|
27 |
+
function __construct() {
|
28 |
+
register_activation_hook( __FILE__, array( $this, 'activate' ) );
|
29 |
+
register_deactivation_hook( __FILE__, array( $this, 'deactivate' ) );
|
30 |
+
|
31 |
+
$options = get_option( $this->option_name );
|
32 |
+
if ( !is_array( $options ) )
|
33 |
+
$options = array();
|
34 |
+
|
35 |
+
$defaults = array(
|
36 |
+
'db_version' => 0,
|
37 |
+
'key' => '',
|
38 |
+
'secret' => '',
|
39 |
+
'connection' => false,
|
40 |
+
'service_ips' => false
|
41 |
+
);
|
42 |
+
|
43 |
+
$this->options = wp_parse_args( $options, $defaults );
|
44 |
+
$this->reset_pings();
|
45 |
+
|
46 |
+
$this->upgrade();
|
47 |
+
|
48 |
+
if ( is_admin() )
|
49 |
+
$this->add_admin_actions_and_filters();
|
50 |
+
|
51 |
+
if ( $this->is_registered() ) {
|
52 |
+
$do_backups = $this->get_option( 'do_backups' );
|
53 |
+
if ( $do_backups )
|
54 |
+
$this->add_listener_actions_and_filters();
|
55 |
+
else
|
56 |
+
$this->add_vp_required_filters();
|
57 |
+
}
|
58 |
+
}
|
59 |
+
|
60 |
+
function &init() {
|
61 |
+
static $instance = false;
|
62 |
+
|
63 |
+
if ( !$instance ) {
|
64 |
+
$instance = new VaultPress();
|
65 |
+
}
|
66 |
+
|
67 |
+
return $instance;
|
68 |
+
}
|
69 |
+
|
70 |
+
function activate( $network_wide ) {
|
71 |
+
$type = $network_wide ? 'network' : 'single';
|
72 |
+
$this->update_option( 'activated', $type );
|
73 |
+
|
74 |
+
// force a connection check after an activation
|
75 |
+
$this->clear_connection();
|
76 |
+
}
|
77 |
+
|
78 |
+
function deactivate() {
|
79 |
+
if ( $this->is_registered() )
|
80 |
+
$this->contact_service( 'plugin_status', array( 'vp_plugin_status' => 'deactivated' ) );
|
81 |
+
}
|
82 |
+
|
83 |
+
function upgrade() {
|
84 |
+
$current_db_version = $this->get_option( 'db_version' );
|
85 |
+
|
86 |
+
if ( $current_db_version < 1 ) {
|
87 |
+
$this->options['connection'] = get_option( 'vaultpress_connection' );
|
88 |
+
$this->options['key'] = get_option( 'vaultpress_key' );
|
89 |
+
$this->options['secret'] = get_option( 'vaultpress_secret' );
|
90 |
+
$this->options['service_ips'] = get_option( 'vaultpress_service_ips' );
|
91 |
+
|
92 |
+
// remove old options
|
93 |
+
$old_options = array(
|
94 |
+
'vaultpress_connection',
|
95 |
+
'vaultpress_hostname',
|
96 |
+
'vaultpress_key',
|
97 |
+
'vaultpress_secret',
|
98 |
+
'vaultpress_service_ips',
|
99 |
+
'vaultpress_timeout',
|
100 |
+
'vp_allow_remote_execution',
|
101 |
+
'vp_debug_request_signing',
|
102 |
+
'vp_disable_firewall',
|
103 |
+
);
|
104 |
+
|
105 |
+
foreach ( $old_options as $option )
|
106 |
+
delete_option( $option );
|
107 |
+
|
108 |
+
$this->options['db_version'] = $this->db_version;
|
109 |
+
$this->update_options();
|
110 |
+
}
|
111 |
+
|
112 |
+
if ( $current_db_version < 2 ) {
|
113 |
+
$this->delete_option( 'timeout' );
|
114 |
+
$this->delete_option( 'disable_firewall' );
|
115 |
+
$this->update_option( 'db_version', $this->db_version );
|
116 |
+
$this->clear_connection();
|
117 |
+
}
|
118 |
+
}
|
119 |
+
|
120 |
+
function get_option( $key ) {
|
121 |
+
if ( 'hostname' == $key ) {
|
122 |
+
if ( defined( 'VAULTPRESS_HOSTNAME' ) )
|
123 |
+
return VAULTPRESS_HOSTNAME;
|
124 |
+
else
|
125 |
+
return 'vaultpress.com';
|
126 |
+
}
|
127 |
+
|
128 |
+
if ( 'timeout' == $key ) {
|
129 |
+
if ( defined( 'VAULTPRESS_TIMEOUT' ) )
|
130 |
+
return VAULTPRESS_TIMEOUT;
|
131 |
+
else
|
132 |
+
return 60;
|
133 |
+
}
|
134 |
+
|
135 |
+
if ( 'disable_firewall' == $key ) {
|
136 |
+
if ( defined( 'VAULTPRESS_DISABLE_FIREWALL' ) )
|
137 |
+
return VAULTPRESS_DISABLE_FIREWALL;
|
138 |
+
else
|
139 |
+
return false;
|
140 |
+
}
|
141 |
+
|
142 |
+
if ( isset( $this->options[$key] ) )
|
143 |
+
return $this->options[$key];
|
144 |
+
|
145 |
+
return false;
|
146 |
+
}
|
147 |
+
|
148 |
+
function update_option( $key, $value ) {
|
149 |
+
$this->options[$key] = $value;
|
150 |
+
$this->update_options();
|
151 |
+
}
|
152 |
+
|
153 |
+
function delete_option( $key ) {
|
154 |
+
unset( $this->options[$key] );
|
155 |
+
$this->update_options();
|
156 |
+
}
|
157 |
+
|
158 |
+
function update_options() {
|
159 |
+
update_option( $this->option_name, $this->options );
|
160 |
+
}
|
161 |
+
|
162 |
+
function admin_init() {
|
163 |
+
if ( !current_user_can( 'manage_options' ) )
|
164 |
+
return;
|
165 |
+
|
166 |
+
load_plugin_textdomain( 'vaultpress', false, dirname( plugin_basename( __FILE__ ) ) . '/languages/' );
|
167 |
+
}
|
168 |
+
|
169 |
+
function admin_head() {
|
170 |
+
if ( !current_user_can( 'manage_options' ) )
|
171 |
+
return;
|
172 |
+
|
173 |
+
if ( $activated = $this->get_option( 'activated' ) ) {
|
174 |
+
if ( 'network' == $activated ) {
|
175 |
+
add_action( 'network_admin_notices', array( $this, 'activated_notice' ) );
|
176 |
+
} else {
|
177 |
+
foreach ( array( 'user_admin_notices', 'admin_notices' ) as $filter )
|
178 |
+
add_action( $filter, array( $this, 'activated_notice' ) );
|
179 |
+
}
|
180 |
+
}
|
181 |
+
|
182 |
+
// ask the user to connect their site w/ VP
|
183 |
+
if ( !$this->is_registered() ) {
|
184 |
+
foreach ( array( 'user_admin_notices', 'admin_notices' ) as $filter )
|
185 |
+
add_action( $filter, array( $this, 'connect_notice' ) );
|
186 |
+
|
187 |
+
// if we have an error make sure to let the user know about it
|
188 |
+
} else {
|
189 |
+
$error_code = $this->get_option( 'connection_error_code' );
|
190 |
+
if ( !empty( $error_code ) ) {
|
191 |
+
foreach ( array( 'user_admin_notices', 'admin_notices' ) as $filter )
|
192 |
+
add_action( $filter, array( $this, 'error_notice' ) );
|
193 |
+
}
|
194 |
+
}
|
195 |
+
?>
|
196 |
+
|
197 |
+
<style type="text/css">
|
198 |
+
#toplevel_page_vaultpress div.wp-menu-image {
|
199 |
+
background: url(<?php echo esc_url( $this->server_url() ); ?>images/vp-icon-sprite.png?20111216) center top no-repeat;
|
200 |
+
background-size: 28px 84px;
|
201 |
+
}
|
202 |
+
|
203 |
+
.admin-color-classic #toplevel_page_vaultpress div.wp-menu-image {
|
204 |
+
background-position: center -28px;
|
205 |
+
}
|
206 |
+
|
207 |
+
#toplevel_page_vaultpress.current div.wp-menu-image,
|
208 |
+
#toplevel_page_vaultpress:hover div.wp-menu-image {
|
209 |
+
background-position: center bottom;
|
210 |
+
}
|
211 |
+
|
212 |
+
@media only screen and (-moz-min-device-pixel-ratio: 1.5), only screen and (-o-min-device-pixel-ratio: 3/2), only screen and (-webkit-min-device-pixel-ratio: 1.5), only screen and (min-device-pixel-ratio: 1.5) {
|
213 |
+
#toplevel_page_vaultpress div.wp-menu-image {
|
214 |
+
background-image: url(<?php echo esc_url( $this->server_url() ); ?>images/vp-icon-sprite-2x.png?20111216);
|
215 |
+
}
|
216 |
+
}
|
217 |
+
</style>
|
218 |
+
|
219 |
+
<?php
|
220 |
+
|
221 |
+
}
|
222 |
+
|
223 |
+
function admin_menu() {
|
224 |
+
// if Jetpack is loaded then we need to wait for that menu to be added
|
225 |
+
if ( class_exists( 'Jetpack' ) )
|
226 |
+
add_action( 'jetpack_admin_menu', array( $this, 'load_menu' ) );
|
227 |
+
else
|
228 |
+
$this->load_menu();
|
229 |
+
}
|
230 |
+
|
231 |
+
function load_menu() {
|
232 |
+
if ( class_exists( 'Jetpack' ) ) {
|
233 |
+
$hook = add_submenu_page( 'jetpack', 'VaultPress', 'VaultPress', 'manage_options', 'vaultpress', array( $this, 'ui' ) );
|
234 |
+
} else {
|
235 |
+
$hook = add_menu_page( 'VaultPress', 'VaultPress', 'manage_options', 'vaultpress', array( $this, 'ui' ), 'div' );
|
236 |
+
}
|
237 |
+
|
238 |
+
add_action( "load-$hook", array( $this, 'ui_load' ) );
|
239 |
+
add_action( 'admin_print_styles', array( $this, 'styles' ) );
|
240 |
+
}
|
241 |
+
|
242 |
+
function styles() {
|
243 |
+
if ( !current_user_can( 'manage_options' ) )
|
244 |
+
return;
|
245 |
+
|
246 |
+
// force the cache to bust every day
|
247 |
+
wp_enqueue_style( 'vaultpress', $this->server_url() . 'css/plugin.css' , false, date( 'Ymd' ) );
|
248 |
+
}
|
249 |
+
|
250 |
+
// display a security threat notice if one exists
|
251 |
+
function toolbar( $wp_admin_bar ) {
|
252 |
+
global $wp_version;
|
253 |
+
|
254 |
+
// these new toolbar functions were introduced in 3.3
|
255 |
+
// http://codex.wordpress.org/Function_Reference/add_node
|
256 |
+
if ( version_compare( $wp_version, '3.3', '<') )
|
257 |
+
return;
|
258 |
+
|
259 |
+
if ( !current_user_can( 'manage_options' ) )
|
260 |
+
return;
|
261 |
+
|
262 |
+
$messages = $this->get_messages();
|
263 |
+
if ( !empty( $messages['security_notice_count'] ) ) {
|
264 |
+
$count = (int)$messages['security_notice_count'];
|
265 |
+
if ( $count > 0 ) {
|
266 |
+
$count = number_format( $count, 0 );
|
267 |
+
$wp_admin_bar->add_node( array(
|
268 |
+
'id' => 'vp-notice',
|
269 |
+
'title' => '<strong><span class="ab-icon"></span>' .
|
270 |
+
sprintf( _n( '%s Security Threat', '%s Security Threats', $count ), $count ) .
|
271 |
+
' </strong>',
|
272 |
+
'parent' => 'top-secondary',
|
273 |
+
'href' => sprintf( 'https://dashboard.vaultpress.com/%d/security/', $messages['site_id'] ),
|
274 |
+
'meta' => array(
|
275 |
+
'title' => __( 'Visit VaultPress Security' ),
|
276 |
+
'onclick' => 'window.open( this.href ); return false;',
|
277 |
+
'class' => 'error'
|
278 |
+
),
|
279 |
+
) );
|
280 |
+
}
|
281 |
+
}
|
282 |
+
}
|
283 |
+
|
284 |
+
// get any messages from the VP servers
|
285 |
+
function get_messages( $force_reload = false ) {
|
286 |
+
$last_contact = $this->get_option( 'messages_last_contact' );
|
287 |
+
|
288 |
+
// only run the messages check every 30 minutes
|
289 |
+
if ( ( time() - (int)$last_contact ) > 1800 || $force_reload ) {
|
290 |
+
$messages = base64_decode( $this->contact_service( 'messages', array() ) );
|
291 |
+
$messages = unserialize( $messages );
|
292 |
+
$this->update_option( 'messages_last_contact', time() );
|
293 |
+
$this->update_option( 'messages', $messages );
|
294 |
+
} else {
|
295 |
+
$messages = $this->get_option( 'messages' );
|
296 |
+
}
|
297 |
+
|
298 |
+
return $messages;
|
299 |
+
}
|
300 |
+
|
301 |
+
function server_url() {
|
302 |
+
if ( !isset( $this->_server_url ) ) {
|
303 |
+
$scheme = is_ssl() ? 'https' : 'http';
|
304 |
+
$this->_server_url = sprintf( '%s://%s/', $scheme, $this->get_option( 'hostname' ) );
|
305 |
+
}
|
306 |
+
|
307 |
+
return $this->_server_url;
|
308 |
+
}
|
309 |
+
|
310 |
+
// show message if plugin is activated but not connected to VaultPress
|
311 |
+
function connect_notice() {
|
312 |
+
if ( isset( $_GET['page'] ) && 'vaultpress' == $_GET['page'] )
|
313 |
+
return;
|
314 |
+
|
315 |
+
$message = sprintf(
|
316 |
+
__( 'You must enter your registration key before VaultPress can back up and secure your site. <a href="%1$s">Register VaultPress</a>', 'vaultpress' ),
|
317 |
+
admin_url( 'admin.php?page=vaultpress' )
|
318 |
+
);
|
319 |
+
$this->ui_message( $message, 'notice', __( 'VaultPress needs your attention!', 'vaultpress' ) );
|
320 |
+
}
|
321 |
+
|
322 |
+
// show message after activation
|
323 |
+
function activated_notice() {
|
324 |
+
if ( 'network' == $this->get_option( 'activated' ) ) {
|
325 |
+
$message = sprintf(
|
326 |
+
__( 'Each site will need to be registered with VaultPress separately. You can purchase new keys from your <a href="%1$s">VaultPress Dashboard</a>.', 'vaultpress' ),
|
327 |
+
'https://dashboard.vaultpress.com/'
|
328 |
+
);
|
329 |
+
$this->ui_message( $message, 'activated', __( 'VaultPress has been activated across your network!', 'vaultpress' ) );
|
330 |
+
|
331 |
+
// key and secret already exist in db
|
332 |
+
} elseif ( $this->is_registered() ) {
|
333 |
+
if ( $this->check_connection() ) {
|
334 |
+
$message = sprintf(
|
335 |
+
__( 'VaultPress has been registered and is currently backing up your site. <a href="%1$s">View Backup Status</a>', 'vaultpress' ),
|
336 |
+
admin_url( 'admin.php?page=vaultpress' )
|
337 |
+
);
|
338 |
+
$this->ui_message( $message, 'registered', __( 'VaultPress has been activated!', 'vaultpress' ) );
|
339 |
+
}
|
340 |
+
}
|
341 |
+
|
342 |
+
$this->delete_option( 'activated' );
|
343 |
+
}
|
344 |
+
|
345 |
+
function error_notice() {
|
346 |
+
$error_message = $this->get_option( 'connection_error_message' );
|
347 |
+
|
348 |
+
// link to the VaultPress page if we're not already there
|
349 |
+
if ( !isset( $_GET['page'] ) || 'vaultpress' != $_GET['page'] )
|
350 |
+
$error_message .= ' ' . sprintf( '<a href="%s">%s</a>', admin_url( 'admin.php?page=vaultpress' ), __( 'Visit the VaultPress page' ) );
|
351 |
+
|
352 |
+
if ( !empty( $error_message ) )
|
353 |
+
$this->ui_message( $error_message, 'error' );
|
354 |
+
}
|
355 |
+
|
356 |
+
function ui() {
|
357 |
+
if ( !empty( $_GET['error'] ) ) {
|
358 |
+
$this->error_notice();
|
359 |
+
$this->clear_connection();
|
360 |
+
}
|
361 |
+
|
362 |
+
if ( !$this->is_registered() ) {
|
363 |
+
$this->ui_register();
|
364 |
+
return;
|
365 |
+
}
|
366 |
+
|
367 |
+
$status = $this->contact_service( 'status' );
|
368 |
+
if ( !$status ) {
|
369 |
+
$error_code = $this->get_option( 'connection_error_code' );
|
370 |
+
if ( 0 == $error_code )
|
371 |
+
$this->ui_fatal_error();
|
372 |
+
else
|
373 |
+
$this->ui_register();
|
374 |
+
return;
|
375 |
+
}
|
376 |
+
|
377 |
+
$ticker = $this->contact_service( 'ticker' );
|
378 |
+
if ( is_array( $ticker ) && isset( $ticker['faultCode'] ) ) {
|
379 |
+
$this->error_notice();
|
380 |
+
$this->ui_register();
|
381 |
+
return;
|
382 |
+
}
|
383 |
+
|
384 |
+
$this->ui_main();
|
385 |
+
}
|
386 |
+
|
387 |
+
function ui_load() {
|
388 |
+
if ( !current_user_can( 'manage_options' ) )
|
389 |
+
return;
|
390 |
+
|
391 |
+
// run code that might be updating the registration key
|
392 |
+
if ( isset( $_POST['action'] ) && 'register' == $_POST['action'] ) {
|
393 |
+
check_admin_referer( 'vaultpress_register' );
|
394 |
+
|
395 |
+
// reset the connection info so messages don't cross
|
396 |
+
$this->clear_connection();
|
397 |
+
|
398 |
+
$registration_key = trim( $_POST[ 'registration_key' ] );
|
399 |
+
if ( empty( $registration_key ) ) {
|
400 |
+
$this->update_option( 'connection_error_code', 1 );
|
401 |
+
$this->update_option(
|
402 |
+
'connection_error_message',
|
403 |
+
sprintf(
|
404 |
+
__( '<strong>That\'s not a valid registration key.</strong> Head over to the <a href="%1$s" title="Sign in to your VaultPress Dashboard">VaultPress Dashboard</a> to find your key.', 'vaultpress' ),
|
405 |
+
'https://dashboard.vaultpress.com/'
|
406 |
+
)
|
407 |
+
);
|
408 |
+
wp_redirect( admin_url( 'admin.php?page=vaultpress&error=true' ) );
|
409 |
+
exit();
|
410 |
+
}
|
411 |
+
|
412 |
+
// try to register the plugin
|
413 |
+
$nonce = wp_create_nonce( 'vp_register_' . $registration_key );
|
414 |
+
$args = array( 'registration_key' => $registration_key, 'nonce' => $nonce );
|
415 |
+
$response = $this->contact_service( 'register', $args );
|
416 |
+
|
417 |
+
// we received an error from the VaultPress servers
|
418 |
+
if ( !empty( $response['faultCode'] ) ) {
|
419 |
+
$this->update_option( 'connection_error_code', $response['faultCode'] );
|
420 |
+
$this->update_option( 'connection_error_message', $response['faultString'] );
|
421 |
+
wp_redirect( admin_url( 'admin.php?page=vaultpress&error=true' ) );
|
422 |
+
exit();
|
423 |
+
}
|
424 |
+
|
425 |
+
// make sure the returned data looks valid
|
426 |
+
if ( empty( $response['key'] ) || empty( $response['secret'] ) || empty( $response['nonce'] ) || $nonce != $response['nonce'] ) {
|
427 |
+
$this->update_option( 'connection_error_code', 1 );
|
428 |
+
$this->update_option( 'connection_error_message', sprintf( __( 'There was a problem trying to register your subscription. Please try again. If you’re still having issues please <a href="%1$s">contact the VaultPress Safekeepers</a>.', 'vaultpress' ), 'http://vaultpress.com/contact/' ) );
|
429 |
+
wp_redirect( admin_url( 'admin.php?page=vaultpress&error=true' ) );
|
430 |
+
exit();
|
431 |
+
}
|
432 |
+
|
433 |
+
// need to update these values in the db so the servers can try connecting to the plugin
|
434 |
+
$this->update_option( 'key', $response['key'] );
|
435 |
+
$this->update_option( 'secret', $response['secret'] );
|
436 |
+
if ( $this->check_connection( true ) ) {
|
437 |
+
wp_redirect( admin_url( 'admin.php?page=vaultpress' ) );
|
438 |
+
exit();
|
439 |
+
}
|
440 |
+
|
441 |
+
// reset the key and secret
|
442 |
+
$this->update_option( 'key', '' );
|
443 |
+
$this->update_option( 'secret', '' );
|
444 |
+
wp_redirect( admin_url( 'admin.php?page=vaultpress&error=true' ) );
|
445 |
+
exit();
|
446 |
+
}
|
447 |
+
}
|
448 |
+
|
449 |
+
function ui_register() {
|
450 |
+
?>
|
451 |
+
<div id="vp-wrap" class="wrap">
|
452 |
+
<div id="vp-head">
|
453 |
+
<h2>VaultPress<a href="https://dashboard.vaultpress.com/" class="vp-visit-dashboard" target="_blank"><?php _e( 'Visit Dashboard', 'vaultpress' ); ?></a></h2>
|
454 |
+
</div>
|
455 |
+
|
456 |
+
<div id="vp_registration">
|
457 |
+
<div class="vp_view-plans">
|
458 |
+
<h1><?php _e( 'The VaultPress plugin <strong>requires a monthly subscription</strong>.', 'vaultpress' ); ?></h1>
|
459 |
+
<p><?php _e( 'Get realtime backups, automated security scanning, and support from WordPress experts.', 'vaultpress' ); ?></p>
|
460 |
+
<p class="vp_plans-btn"><a href="https://vaultpress.com/plugin/?utm_source=plugin-unregistered&utm_medium=view-plans-and-pricing&utm_campaign=1.0-plugin"><strong><?php _e( 'View plans and pricing »', 'vaultpress' ); ?></strong></a></p>
|
461 |
+
</div>
|
462 |
+
|
463 |
+
<div class="vp_register-plugin">
|
464 |
+
<h3><?php _e( 'Already have a VaultPress account?', 'vaultpress' ); ?></h3>
|
465 |
+
<p><?php _e( 'Paste your registration key below:', 'vaultpress' ); ?></p>
|
466 |
+
<form method="post" action="">
|
467 |
+
<fieldset>
|
468 |
+
<textarea placeholder="<?php echo esc_attr( __( 'Enter your key here...', 'vaultpress' ) ); ?>" name="registration_key"></textarea>
|
469 |
+
<button><strong><?php _e( 'Register ', 'vaultpress' ); ?></strong></button>
|
470 |
+
<input type="hidden" name="action" value="register" />
|
471 |
+
<?php wp_nonce_field( 'vaultpress_register' ); ?>
|
472 |
+
</fieldset>
|
473 |
+
</form>
|
474 |
+
</div>
|
475 |
+
</div>
|
476 |
+
</div>
|
477 |
+
<?php
|
478 |
+
}
|
479 |
+
|
480 |
+
function ui_main() {
|
481 |
+
?>
|
482 |
+
<div id="vp-wrap" class="wrap">
|
483 |
+
<?php
|
484 |
+
$response = base64_decode( $this->contact_service( 'plugin_ui' ) );
|
485 |
+
echo $response;
|
486 |
+
?>
|
487 |
+
</div>
|
488 |
+
<?php
|
489 |
+
}
|
490 |
+
|
491 |
+
function ui_fatal_error() {
|
492 |
+
?>
|
493 |
+
<div id="vp-wrap" class="wrap">
|
494 |
+
<h2>VaultPress</h2>
|
495 |
+
|
496 |
+
<p><?php printf( __( 'Yikes! We’ve run into a serious issue and can’t connect to %1$s.', 'vaultpress' ), esc_html( $this->get_option( 'hostname' ) ) ); ?></p>
|
497 |
+
<p><?php printf( __( 'Please make sure that your website is accessible via the Internet. If you’re still having issues please <a href="%1$s">contact the VaultPress Safekeepers</a>.', 'vaultpress' ), 'http://vaultpress.com/contact/' ); ?></p>
|
498 |
+
</div>
|
499 |
+
<?php
|
500 |
+
}
|
501 |
+
|
502 |
+
function ui_message( $message, $type = 'notice', $heading = '' ) {
|
503 |
+
if ( empty( $heading ) ) {
|
504 |
+
switch ( $type ) {
|
505 |
+
case 'error':
|
506 |
+
$heading = __( 'Oops... there seems to be a problem.', 'vaultpress' );
|
507 |
+
break;
|
508 |
+
|
509 |
+
case 'success':
|
510 |
+
$heading = __( 'Yay! Things look good.', 'vaultpress' );
|
511 |
+
break;
|
512 |
+
|
513 |
+
default:
|
514 |
+
$heading = __( 'VaultPress needs your attention!', 'vaultpress' );
|
515 |
+
break;
|
516 |
+
}
|
517 |
+
}
|
518 |
+
?>
|
519 |
+
<div id="vp-notice" class="vp-<?php echo $type; ?> updated">
|
520 |
+
<div class="vp-message">
|
521 |
+
<h3><?php echo $heading; ?></h3>
|
522 |
+
<p><?php echo $message; ?></p>
|
523 |
+
</div>
|
524 |
+
</div>
|
525 |
+
<?php
|
526 |
+
}
|
527 |
+
|
528 |
+
function get_config( $key ) {
|
529 |
+
$val = get_option( $key );
|
530 |
+
if ( $val )
|
531 |
+
return $val;
|
532 |
+
switch( $key ) {
|
533 |
+
case '_vp_config_option_name_ignore':
|
534 |
+
$val = $this->get_option_name_ignore( true );
|
535 |
+
update_option( '_vp_config_option_name_ignore', $val );
|
536 |
+
break;
|
537 |
+
}
|
538 |
+
return $val;
|
539 |
+
}
|
540 |
+
|
541 |
+
// Option name patterns to ignore
|
542 |
+
function get_option_name_ignore( $return_defaults = false ) {
|
543 |
+
$defaults = array(
|
544 |
+
'vaultpress',
|
545 |
+
'cron',
|
546 |
+
'wpsupercache_gc_time',
|
547 |
+
'rewrite_rules',
|
548 |
+
'akismet_spam_count',
|
549 |
+
'/_transient_/',
|
550 |
+
'/^_vp_/',
|
551 |
+
);
|
552 |
+
if ( $return_defaults )
|
553 |
+
return $defaults;
|
554 |
+
$ignore_names = $this->get_config( '_vp_config_option_name_ignore' );
|
555 |
+
return array_unique( array_merge( $defaults, $ignore_names ) );
|
556 |
+
}
|
557 |
+
|
558 |
+
###
|
559 |
+
### Section: Backup Notification Hooks
|
560 |
+
###
|
561 |
+
|
562 |
+
// Handle Handle Notifying VaultPress of Options Activity At this point the options table has already been modified
|
563 |
+
//
|
564 |
+
// Note: we handle deleted, instead of delete because VaultPress backs up options by name (which are unique,) that
|
565 |
+
// means that we do not need to resolve an id like we would for, say, a post.
|
566 |
+
function option_handler( $option_name ) {
|
567 |
+
global $wpdb;
|
568 |
+
// Step 1 -- exclusionary rules, don't send these options to vaultpress, because they
|
569 |
+
// either change constantly and/or are inconsequential to the blog itself and/or they
|
570 |
+
// are specific to the VaultPress plugin process and we want to avoid recursion
|
571 |
+
$should_ping = true;
|
572 |
+
$ignore_names = $this->get_option_name_ignore();
|
573 |
+
foreach( (array)$ignore_names as $val ) {
|
574 |
+
if ( $val{0} == '/' ) {
|
575 |
+
if ( preg_match( $val, $option_name ) )
|
576 |
+
$should_ping = false;
|
577 |
+
} else {
|
578 |
+
if ( $val == $option_name )
|
579 |
+
$should_ping = false;
|
580 |
+
}
|
581 |
+
if ( !$should_ping )
|
582 |
+
break;
|
583 |
+
}
|
584 |
+
if ( $should_ping )
|
585 |
+
$this->add_ping( 'db', array( 'option' => $option_name ) );
|
586 |
+
|
587 |
+
// Step 2 -- If WordPress is about to kick off a some "cron" action, we need to
|
588 |
+
// flush vaultpress, because the "remote" cron threads done via http fetch will
|
589 |
+
// be happening completely inside the window of this thread. That thread will
|
590 |
+
// be expecting touched and accounted for tables
|
591 |
+
if ( $option_name == '_transient_doing_cron' )
|
592 |
+
$this->do_pings();
|
593 |
+
|
594 |
+
return $option_name;
|
595 |
+
}
|
596 |
+
|
597 |
+
// Handle Notifying VaultPress of Comment Activity
|
598 |
+
function comment_action_handler( $comment_id ) {
|
599 |
+
if ( !is_array( $comment_id ) ) {
|
600 |
+
if ( wp_get_comment_status( $comment_id ) != 'spam' )
|
601 |
+
$this->add_ping( 'db', array( 'comment' => $comment_id ) );
|
602 |
+
} else {
|
603 |
+
foreach ( $comment_id as $id ) {
|
604 |
+
if ( wp_get_comment_status( $comment_id ) != 'spam' )
|
605 |
+
$this->add_ping( 'db', array( 'comment' => $id) );
|
606 |
+
}
|
607 |
+
}
|
608 |
+
}
|
609 |
+
|
610 |
+
// Handle Notifying VaultPress of Theme Switches
|
611 |
+
function theme_action_handler( $theme ) {
|
612 |
+
$this->add_ping( 'themes', array( 'theme' => get_option( 'stylesheet' ) ) );
|
613 |
+
}
|
614 |
+
|
615 |
+
// Handle Notifying VaultPress of Upload Activity
|
616 |
+
function upload_handler( $file ) {
|
617 |
+
$this->add_ping( 'uploads', array( 'upload' => str_replace( $this->resolve_upload_path(), '', $file['file'] ) ) );
|
618 |
+
return $file;
|
619 |
+
}
|
620 |
+
|
621 |
+
// Handle Notifying VaultPress of Plugin Activation/Deactivation
|
622 |
+
function plugin_action_handler( $plugin='' ) {
|
623 |
+
$this->add_ping( 'plugins', array( 'name' => $plugin ) );
|
624 |
+
}
|
625 |
+
|
626 |
+
// Handle Notifying VaultPress of User Edits
|
627 |
+
function userid_action_handler( $user_or_id ) {
|
628 |
+
if ( is_object($user_or_id) )
|
629 |
+
$userid = intval( $user_or_id->ID );
|
630 |
+
else
|
631 |
+
$userid = intval( $user_or_id );
|
632 |
+
if ( !$userid )
|
633 |
+
return;
|
634 |
+
$this->add_ping( 'db', array( 'user' => $userid ) );
|
635 |
+
}
|
636 |
+
|
637 |
+
// Handle Notifying VaultPress of term changes
|
638 |
+
function term_handler( $term_id, $tt_id=null ) {
|
639 |
+
$this->add_ping( 'db', array( 'term' => $term_id ) );
|
640 |
+
if ( $tt_id )
|
641 |
+
$this->term_taxonomy_handler( $tt_id );
|
642 |
+
}
|
643 |
+
|
644 |
+
// Handle Notifying VaultPress of term_taxonomy changes
|
645 |
+
function term_taxonomy_handler( $tt_id ) {
|
646 |
+
$this->add_ping( 'db', array( 'term_taxonomy' => $tt_id ) );
|
647 |
+
}
|
648 |
+
// add(ed)_term_taxonomy handled via the created_term hook, the term_taxonomy_handler is called by the term_handler
|
649 |
+
|
650 |
+
// Handle Notifying VaultPress of term_taxonomy changes
|
651 |
+
function term_taxonomies_handler( $tt_ids ) {
|
652 |
+
foreach( (array)$tt_ids as $tt_id ) {
|
653 |
+
$this->term_taxonomy_handler( $tt_id );
|
654 |
+
}
|
655 |
+
}
|
656 |
+
|
657 |
+
// Handle Notifying VaultPress of term_relationship changes
|
658 |
+
function term_relationship_handler( $object_id, $term_id ) {
|
659 |
+
$this->add_ping( 'db', array( 'term_relationship' => array( 'object_id' => $object_id, 'term_taxonomy_id' => $term_id ) ) );
|
660 |
+
}
|
661 |
+
|
662 |
+
// Handle Notifying VaultPress of term_relationship changes
|
663 |
+
function term_relationships_handler( $object_id, $term_ids ) {
|
664 |
+
foreach ( (array)$term_ids as $term_id ) {
|
665 |
+
$this->term_relationship_handler( $object_id, $term_id );
|
666 |
+
}
|
667 |
+
}
|
668 |
+
|
669 |
+
// Handle Notifying VaultPress of term_relationship changes
|
670 |
+
function set_object_terms_handler( $object_id, $terms, $tt_ids ) {
|
671 |
+
$this->term_relationships_handler( $object_id, $tt_ids );
|
672 |
+
}
|
673 |
+
|
674 |
+
// Handle Notifying VaultPress of UserMeta changes
|
675 |
+
function usermeta_action_handler( $umeta_id, $user_id, $meta_key, $meta_value='' ) {
|
676 |
+
$this->add_ping( 'db', array( 'usermeta' => $umeta_id ) );
|
677 |
+
}
|
678 |
+
|
679 |
+
// Handle Notifying VaultPress of Post Changes
|
680 |
+
function post_action_handler($post_id) {
|
681 |
+
if ( current_filter() == 'delete_post' )
|
682 |
+
return $this->add_ping( 'db', array( 'post' => $post_id ), 'delete_post' );
|
683 |
+
return $this->add_ping( 'db', array( 'post' => $post_id ), 'edit_post' );
|
684 |
+
}
|
685 |
+
|
686 |
+
// Handle Notifying VaultPress of Link Changes
|
687 |
+
function link_action_handler( $link_id ) {
|
688 |
+
$this->add_ping( 'db', array( 'link' => $link_id ) );
|
689 |
+
}
|
690 |
+
|
691 |
+
// Handle Notifying VaultPress of Commentmeta Changes
|
692 |
+
function commentmeta_insert_handler( $meta_id, $comment_id=null ) {
|
693 |
+
if ( empty( $comment_id ) || wp_get_comment_status( $comment_id ) != 'spam' )
|
694 |
+
$this->add_ping( 'db', array( 'commentmeta' => $meta_id ) );
|
695 |
+
}
|
696 |
+
|
697 |
+
function commentmeta_modification_handler( $meta_id, $object_id, $meta_key, $meta_value ) {
|
698 |
+
if ( !is_array( $meta_id ) )
|
699 |
+
return $this->add_ping( 'db', array( 'commentmeta' => $meta_id ) );
|
700 |
+
foreach ( $meta_id as $id ) {
|
701 |
+
$this->add_ping( 'db', array( 'commentmeta' => $id ) );
|
702 |
+
}
|
703 |
+
}
|
704 |
+
|
705 |
+
// Handle Notifying VaultPress of PostMeta changes via newfangled metadata functions
|
706 |
+
function postmeta_insert_handler( $meta_id, $post_id, $meta_key, $meta_value='' ) {
|
707 |
+
$this->add_ping( 'db', array( 'postmeta' => $meta_id ) );
|
708 |
+
}
|
709 |
+
|
710 |
+
function postmeta_modification_handler( $meta_id, $object_id, $meta_key, $meta_value ) {
|
711 |
+
if ( !is_array( $meta_id ) )
|
712 |
+
return $this->add_ping( 'db', array( 'postmeta' => $meta_id ) );
|
713 |
+
foreach ( $meta_id as $id ) {
|
714 |
+
$this->add_ping( 'db', array( 'postmeta' => $id ) );
|
715 |
+
}
|
716 |
+
}
|
717 |
+
|
718 |
+
// Handle Notifying VaultPress of PostMeta changes via old school cherypicked hooks
|
719 |
+
function postmeta_action_handler( $meta_id ) {
|
720 |
+
if ( !is_array($meta_id) )
|
721 |
+
return $this->add_ping( 'db', array( 'postmeta' => $meta_id ) );
|
722 |
+
foreach ( $meta_id as $id )
|
723 |
+
$this->add_ping( 'db', array( 'postmeta' => $id ) );
|
724 |
+
}
|
725 |
+
|
726 |
+
function verify_table( $table ) {
|
727 |
+
global $wpdb;
|
728 |
+
$table = $wpdb->escape( $table );
|
729 |
+
$status = $wpdb->get_row( "SHOW TABLE STATUS WHERE Name = '$table'" );
|
730 |
+
if ( !$status || !$status->Update_time || !$status->Comment || $status->Engine != 'MyISAM' )
|
731 |
+
return true;
|
732 |
+
if ( preg_match( '/([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})/', $status->Comment, $m ) )
|
733 |
+
return ( $m[1] == $status->Update_time );
|
734 |
+
return false;
|
735 |
+
}
|
736 |
+
|
737 |
+
// Emulate $wpdb->last_table
|
738 |
+
function record_table( $table ) {
|
739 |
+
global $vaultpress_last_table;
|
740 |
+
$vaultpress_last_table = $table;
|
741 |
+
return $table;
|
742 |
+
}
|
743 |
+
|
744 |
+
// Emulate $wpdb->last_table
|
745 |
+
function get_last_table() {
|
746 |
+
global $wpdb, $vaultpress_last_table;
|
747 |
+
if ( is_object( $wpdb ) && isset( $wpdb->last_table ) )
|
748 |
+
return $wpdb->last_table;
|
749 |
+
return $vaultpress_last_table;
|
750 |
+
}
|
751 |
+
|
752 |
+
// Emulate hyperdb::is_write_query()
|
753 |
+
function is_write_query( $q ) {
|
754 |
+
$word = strtoupper( substr( trim( $q ), 0, 20 ) );
|
755 |
+
if ( 0 === strpos( $word, 'SELECT' ) )
|
756 |
+
return false;
|
757 |
+
if ( 0 === strpos( $word, 'SHOW' ) )
|
758 |
+
return false;
|
759 |
+
if ( 0 === strpos( $word, 'CHECKSUM' ) )
|
760 |
+
return false;
|
761 |
+
return true;
|
762 |
+
}
|
763 |
+
|
764 |
+
// Emulate hyperdb::get_table_from_query()
|
765 |
+
function get_table_from_query( $q ) {
|
766 |
+
global $wpdb, $vaultpress_last_table;
|
767 |
+
|
768 |
+
if ( is_object( $wpdb ) && method_exists( $wpdb, "get_table_from_query" ) )
|
769 |
+
return $wpdb->get_table_from_query( $q );
|
770 |
+
|
771 |
+
// Remove characters that can legally trail the table name
|
772 |
+
$q = rtrim( $q, ';/-#' );
|
773 |
+
// allow ( select... ) union [...] style queries. Use the first queries table name.
|
774 |
+
$q = ltrim( $q, "\t (" );
|
775 |
+
|
776 |
+
// Quickly match most common queries
|
777 |
+
if ( preg_match( '/^\s*(?:'
|
778 |
+
. 'SELECT.*?\s+FROM'
|
779 |
+
. '|INSERT(?:\s+IGNORE)?(?:\s+INTO)?'
|
780 |
+
. '|REPLACE(?:\s+INTO)?'
|
781 |
+
. '|UPDATE(?:\s+IGNORE)?'
|
782 |
+
. '|DELETE(?:\s+IGNORE)?(?:\s+FROM)?'
|
783 |
+
. ')\s+`?(\w+)`?/is', $q, $maybe) )
|
784 |
+
return $this->record_table($maybe[1] );
|
785 |
+
|
786 |
+
// Refer to the previous query
|
787 |
+
if ( preg_match( '/^\s*SELECT.*?\s+FOUND_ROWS\(\)/is', $q ) )
|
788 |
+
return $this->get_last_table();
|
789 |
+
|
790 |
+
// Big pattern for the rest of the table-related queries in MySQL 5.0
|
791 |
+
if ( preg_match( '/^\s*(?:'
|
792 |
+
. '(?:EXPLAIN\s+(?:EXTENDED\s+)?)?SELECT.*?\s+FROM'
|
793 |
+
. '|INSERT(?:\s+LOW_PRIORITY|\s+DELAYED|\s+HIGH_PRIORITY)?(?:\s+IGNORE)?(?:\s+INTO)?'
|
794 |
+
. '|REPLACE(?:\s+LOW_PRIORITY|\s+DELAYED)?(?:\s+INTO)?'
|
795 |
+
. '|UPDATE(?:\s+LOW_PRIORITY)?(?:\s+IGNORE)?'
|
796 |
+
. '|DELETE(?:\s+LOW_PRIORITY|\s+QUICK|\s+IGNORE)*(?:\s+FROM)?'
|
797 |
+
. '|DESCRIBE|DESC|EXPLAIN|HANDLER'
|
798 |
+
. '|(?:LOCK|UNLOCK)\s+TABLE(?:S)?'
|
799 |
+
. '|(?:RENAME|OPTIMIZE|BACKUP|RESTORE|CHECK|CHECKSUM|ANALYZE|OPTIMIZE|REPAIR).*\s+TABLE'
|
800 |
+
. '|TRUNCATE(?:\s+TABLE)?'
|
801 |
+
. '|CREATE(?:\s+TEMPORARY)?\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?'
|
802 |
+
. '|ALTER(?:\s+IGNORE)?\s+TABLE'
|
803 |
+
. '|DROP\s+TABLE(?:\s+IF\s+EXISTS)?'
|
804 |
+
. '|CREATE(?:\s+\w+)?\s+INDEX.*\s+ON'
|
805 |
+
. '|DROP\s+INDEX.*\s+ON'
|
806 |
+
. '|LOAD\s+DATA.*INFILE.*INTO\s+TABLE'
|
807 |
+
. '|(?:GRANT|REVOKE).*ON\s+TABLE'
|
808 |
+
. '|SHOW\s+(?:.*FROM|.*TABLE)'
|
809 |
+
. ')\s+`?(\w+)`?/is', $q, $maybe ) )
|
810 |
+
return $this->record_table( $maybe[1] );
|
811 |
+
|
812 |
+
// All unmatched queries automatically fall to the global master
|
813 |
+
return $this->record_table( '' );
|
814 |
+
}
|
815 |
+
|
816 |
+
function table_notify_columns( $table ) {
|
817 |
+
$want_cols = array(
|
818 |
+
// data
|
819 |
+
'posts' => '`ID`',
|
820 |
+
'users' => '`ID`',
|
821 |
+
'links' => '`link_id`',
|
822 |
+
'options' => '`option_id`,`option_name`',
|
823 |
+
'comments' => '`comment_ID`',
|
824 |
+
// metadata
|
825 |
+
'postmeta' => '`meta_id`',
|
826 |
+
'commentmeta' => '`meta_id`',
|
827 |
+
'usermeta' => '`umeta_id`',
|
828 |
+
// taxonomy
|
829 |
+
'term_relationships' => '`object_id`,`term_taxonomy_id`',
|
830 |
+
'term_taxonomy' => '`term_taxonomy_id`',
|
831 |
+
'terms' => '`term_id`',
|
832 |
+
// plugin special cases
|
833 |
+
'wpo_campaign' => '`id`', // WP-o-Matic
|
834 |
+
'wpo_campaign_category' => '`id`', // WP-o-Matic
|
835 |
+
'wpo_campaign_feed' => '`id`', // WP-o-Matic
|
836 |
+
'wpo_campaign_post' => '`id`', // WP-o-Matic
|
837 |
+
'wpo_campaign_word' => '`id`', // WP-o-Matic
|
838 |
+
'wpo_log' => '`id`', // WP-o-Matic
|
839 |
+
);
|
840 |
+
if ( isset( $want_cols[$table] ) )
|
841 |
+
return $want_cols[$table];
|
842 |
+
return '*';
|
843 |
+
}
|
844 |
+
|
845 |
+
function ai_ping_next() {
|
846 |
+
global $wpdb;
|
847 |
+
$name = "_vp_ai_ping";
|
848 |
+
$rval = $wpdb->query( $wpdb->prepare( "REPLACE INTO `$wpdb->options` (`option_name`, `option_value`, `autoload`) VALUES (%s, '', 'no')", $name ) );
|
849 |
+
if ( !$rval )
|
850 |
+
return false;
|
851 |
+
return $wpdb->insert_id;
|
852 |
+
}
|
853 |
+
|
854 |
+
function ai_ping_insert( $value ) {
|
855 |
+
$new_id = $this->ai_ping_next();
|
856 |
+
if ( !$new_id )
|
857 |
+
return false;
|
858 |
+
add_option( '_vp_ai_ping_' . $new_id, $value, '', 'no' );
|
859 |
+
}
|
860 |
+
|
861 |
+
function ai_ping_count() {
|
862 |
+
global $wpdb;
|
863 |
+
return $wpdb->get_var( "SELECT COUNT(`option_id`) FROM $wpdb->options WHERE `option_name` LIKE '\_vp\_ai\_ping\_%'" );
|
864 |
+
}
|
865 |
+
|
866 |
+
function ai_ping_get( $num=1, $order='ASC' ) {
|
867 |
+
global $wpdb;
|
868 |
+
if ( strtolower($order) != 'desc' )
|
869 |
+
$order = 'ASC';
|
870 |
+
else
|
871 |
+
$order = 'DESC';
|
872 |
+
return $wpdb->get_results( $wpdb->prepare(
|
873 |
+
"SELECT * FROM $wpdb->options WHERE `option_name` LIKE '\_vp\_ai\_ping\_%%' ORDER BY `option_id` $order LIMIT %d",
|
874 |
+
min( 10, max( 1, (int)$num ) )
|
875 |
+
) );
|
876 |
+
}
|
877 |
+
|
878 |
+
function update_firewall() {
|
879 |
+
$args = array( 'timeout' => $this->get_option( 'timeout' ) );
|
880 |
+
$hostname = $this->get_option( 'hostname' );
|
881 |
+
$data = wp_remote_get( "http://$hostname/service-ips", $args );
|
882 |
+
|
883 |
+
if ( $data )
|
884 |
+
$data = @unserialize( $data['body'] );
|
885 |
+
|
886 |
+
if ( $data ) {
|
887 |
+
$newval = array( 'updated' => time(), 'data' => $data );
|
888 |
+
$this->update_option( 'service_ips', $newval );
|
889 |
+
return $data;
|
890 |
+
}
|
891 |
+
|
892 |
+
return null;
|
893 |
+
}
|
894 |
+
|
895 |
+
function check_connection( $force_check = false ) {
|
896 |
+
$connection = $this->get_option( 'connection' );
|
897 |
+
|
898 |
+
if ( !$force_check && !empty( $connection ) ) {
|
899 |
+
// already established a connection
|
900 |
+
if ( 'ok' == $connection )
|
901 |
+
return true;
|
902 |
+
|
903 |
+
// only run the connection check every 5 minutes
|
904 |
+
if ( ( time() - (int)$connection ) < 300 )
|
905 |
+
return false;
|
906 |
+
}
|
907 |
+
|
908 |
+
// if we're running a connection test we don't want to run it a second time
|
909 |
+
$connection_test = $this->get_option( 'connection_test' );
|
910 |
+
if ( $connection_test )
|
911 |
+
return true;
|
912 |
+
|
913 |
+
// force update firewall settings
|
914 |
+
$this->update_firewall();
|
915 |
+
|
916 |
+
// initial connection test to server
|
917 |
+
$this->update_option( 'connection_test', true );
|
918 |
+
$this->delete_option( 'allow_forwarded_for' );
|
919 |
+
$connect = $this->contact_service( 'test', array( 'host' => $_SERVER['HTTP_HOST'], 'uri' => $_SERVER['REQUEST_URI'], 'ssl' => is_ssl() ) );
|
920 |
+
|
921 |
+
// we can't see the servers at all
|
922 |
+
if ( !$connect ) {
|
923 |
+
$this->update_option( 'connection', time() );
|
924 |
+
$this->update_option( 'connection_error_code', 0 );
|
925 |
+
$this->update_option( 'connection_error_message', sprintf( __( 'Cannot connect to the VaultPress servers. Please check that your host allows connecting to external sites and try again. If you’re still having issues please <a href="%1$s">contact the VaultPress Safekeepers</a>.', 'vaultpress' ), 'http://vaultpress.com/contact/' ) );
|
926 |
+
|
927 |
+
$this->delete_option( 'connection_test' );
|
928 |
+
return false;
|
929 |
+
}
|
930 |
+
|
931 |
+
// VaultPress gave us a meaningful error
|
932 |
+
if ( !empty( $connect['faultCode'] ) ) {
|
933 |
+
$this->update_option( 'connection', time() );
|
934 |
+
$this->update_option( 'connection_error_code', $connect['faultCode'] );
|
935 |
+
$this->update_option( 'connection_error_message', $connect['faultString'] );
|
936 |
+
$this->delete_option( 'connection_test' );
|
937 |
+
return false;
|
938 |
+
}
|
939 |
+
|
940 |
+
$this->update_option( 'do_backups', !empty( $connect['do_backups'] ) );
|
941 |
+
if ( !empty( $connect['signatures'] ) ) {
|
942 |
+
delete_option( '_vp_signatures' );
|
943 |
+
add_option( '_vp_signatures', maybe_unserialize( $connect['signatures'] ), '', 'no' );
|
944 |
+
}
|
945 |
+
|
946 |
+
// test connection between the site and the servers
|
947 |
+
$connect = (string)$this->contact_service( 'test', array( 'type' => 'connect' ) );
|
948 |
+
if ( 'ok' != $connect ) {
|
949 |
+
|
950 |
+
// still not working so see if we're behind a load balancer
|
951 |
+
$this->update_option( 'allow_forwarded_for', true );
|
952 |
+
$connect = (string)$this->contact_service( 'test', array( 'type' => 'firewall-off' ) );
|
953 |
+
|
954 |
+
if ( 'ok' != $connect ) {
|
955 |
+
if ( 'error' == $connect ) {
|
956 |
+
$this->update_option( 'connection_error_code', -1 );
|
957 |
+
$this->update_option( 'connection_error_message', sprintf( __( 'The VaultPress servers cannot connect to your site. Please check that your site is visible over the Internet and there are no firewall or load balancer settings on your server that might be blocking the communication. If you’re still having issues please <a href="%1$s">contact the VaultPress Safekeepers</a>.', 'vaultpress' ), 'http://vaultpress.com/contact/' ) );
|
958 |
+
} elseif ( !empty( $connect['faultCode'] ) ) {
|
959 |
+
$this->update_option( 'connection_error_code', $connect['faultCode'] );
|
960 |
+
$this->update_option( 'connection_error_message', $connect['faultString'] );
|
961 |
+
}
|
962 |
+
|
963 |
+
$this->update_option( 'connection', time() );
|
964 |
+
$this->delete_option( 'connection_test' );
|
965 |
+
return false;
|
966 |
+
}
|
967 |
+
}
|
968 |
+
|
969 |
+
// successful connection established
|
970 |
+
$this->update_option( 'connection', 'ok' );
|
971 |
+
$this->delete_option( 'connection_error_code' );
|
972 |
+
$this->delete_option( 'connection_error_message' );
|
973 |
+
$this->delete_option( 'connection_test' );
|
974 |
+
return true;
|
975 |
+
}
|
976 |
+
|
977 |
+
function parse_request( $wp ) {
|
978 |
+
if ( !isset( $_GET['vaultpress'] ) || $_GET['vaultpress'] !== 'true' )
|
979 |
+
return $wp;
|
980 |
+
|
981 |
+
global $wpdb, $current_blog;
|
982 |
+
|
983 |
+
// just in case we have any plugins that decided to spit some data out already...
|
984 |
+
@ob_end_clean();
|
985 |
+
|
986 |
+
if ( isset( $_GET['ticker'] ) && function_exists( 'current_user_can' ) && current_user_can( 'manage_options' ) )
|
987 |
+
die( (string)$this->contact_service( 'ticker' ) );
|
988 |
+
|
989 |
+
$_POST = array_map( 'stripslashes_deep', $_POST );
|
990 |
+
|
991 |
+
global $wpdb, $bdb, $bfs;
|
992 |
+
define( 'VAULTPRESS_API', true );
|
993 |
+
|
994 |
+
if ( !$this->validate_api_signature() ) {
|
995 |
+
die( 'invalid api call signature' );
|
996 |
+
}
|
997 |
+
|
998 |
+
if ( !isset( $bdb ) ) {
|
999 |
+
require_once( dirname( __FILE__ ) . '/class.vaultpress-database.php' );
|
1000 |
+
require_once( dirname( __FILE__ ) . '/class.vaultpress-filesystem.php' );
|
1001 |
+
|
1002 |
+
$bdb = new VaultPress_Database();
|
1003 |
+
$bfs = new VaultPress_Filesystem();
|
1004 |
+
}
|
1005 |
+
|
1006 |
+
header( 'Content-Type: text/plain' );
|
1007 |
+
|
1008 |
+
/*
|
1009 |
+
* general:ping
|
1010 |
+
*
|
1011 |
+
* catchup:get
|
1012 |
+
* catchup:delete
|
1013 |
+
*
|
1014 |
+
* db:tables
|
1015 |
+
* db:explain
|
1016 |
+
* db:cols
|
1017 |
+
*
|
1018 |
+
* plugins|themes|uploads|content|root:active
|
1019 |
+
* plugins|themes|uploads|content|root:dir
|
1020 |
+
* plugins|themes|uploads|content|root:ls
|
1021 |
+
* plugins|themes|uploads|content|root:stat
|
1022 |
+
* plugins|themes|uploads|content|root:get
|
1023 |
+
* plugins|themes|uploads|content|root:checksum
|
1024 |
+
*
|
1025 |
+
* config:get
|
1026 |
+
* config:set
|
1027 |
+
*
|
1028 |
+
*/
|
1029 |
+
if ( !isset( $_GET['action'] ) )
|
1030 |
+
die();
|
1031 |
+
|
1032 |
+
switch ( $_GET['action'] ) {
|
1033 |
+
default:
|
1034 |
+
die();
|
1035 |
+
break;
|
1036 |
+
case 'exec':
|
1037 |
+
$code = $_POST['code'];
|
1038 |
+
if ( !$code )
|
1039 |
+
$this->response( "No Code Found" );
|
1040 |
+
$syntax_check = @eval( 'return true;' . $code );
|
1041 |
+
if ( !$syntax_check )
|
1042 |
+
$this->response( "Code Failed Syntax Check" );
|
1043 |
+
$this->response( eval( $code ) );
|
1044 |
+
die();
|
1045 |
+
break;
|
1046 |
+
case 'catchup:get':
|
1047 |
+
$this->response( $this->ai_ping_get( (int)$_POST['num'], (string)$_POST['order'] ) );
|
1048 |
+
break;
|
1049 |
+
case 'catchup:delete':
|
1050 |
+
if ( isset( $_POST['pings'] ) ) {
|
1051 |
+
foreach( unserialize( $_POST['pings'] ) as $ping ) {
|
1052 |
+
if ( 0 === strpos( $ping, '_vp_ai_ping_' ) )
|
1053 |
+
delete_option( $ping );
|
1054 |
+
}
|
1055 |
+
}
|
1056 |
+
break;
|
1057 |
+
case 'general:ping':
|
1058 |
+
global $wp_version, $wp_db_version, $manifest_version;
|
1059 |
+
@error_reporting(0);
|
1060 |
+
$http_modules = array();
|
1061 |
+
$httpd = null;
|
1062 |
+
if ( function_exists( 'apache_get_modules' ) ) {
|
1063 |
+
if ( isset( $_POST['apache_modules'] ) && $_POST['apache_modules'] == 1 )
|
1064 |
+
$http_modules = apache_get_modules();
|
1065 |
+
else
|
1066 |
+
$http_modules = null;
|
1067 |
+
if ( function_exists( 'apache_get_version' ) )
|
1068 |
+
$httpd = array_shift( explode( ' ', apache_get_version() ) );
|
1069 |
+
}
|
1070 |
+
if ( !$httpd && 0 === stripos( $_SERVER['SERVER_SOFTWARE'], 'Apache' ) ) {
|
1071 |
+
$httpd = array_shift( explode( ' ', $_SERVER['SERVER_SOFTWARE'] ) );
|
1072 |
+
if ( isset( $_POST['apache_modules'] ) && $_POST['apache_modules'] == 1 )
|
1073 |
+
$http_modules = 'unknown';
|
1074 |
+
else
|
1075 |
+
$http_modules = null;
|
1076 |
+
}
|
1077 |
+
if ( !$httpd && defined( 'IIS_SCRIPT' ) && IIS_SCRIPT ) {
|
1078 |
+
$httpd = 'IIS';
|
1079 |
+
}
|
1080 |
+
if ( !$httpd && function_exists( 'nsapi_request_headers' ) ) {
|
1081 |
+
$httpd = 'NSAPI';
|
1082 |
+
}
|
1083 |
+
if ( !$httpd )
|
1084 |
+
$httpd = 'unknown';
|
1085 |
+
$mvars = array();
|
1086 |
+
if ( isset( $_POST['mysql_variables'] ) && $_POST['mysql_variables'] == 1 ) {
|
1087 |
+
foreach ( $wpdb->get_results( "SHOW VARIABLES" ) as $row )
|
1088 |
+
$mvars["$row->Variable_name"] = $row->Value;
|
1089 |
+
}
|
1090 |
+
|
1091 |
+
$ms_global_tables = array_merge( $wpdb->global_tables, $wpdb->ms_global_tables );
|
1092 |
+
$tinfo = array();
|
1093 |
+
$tprefix = $wpdb->prefix;
|
1094 |
+
if ( $this->is_multisite() ) {
|
1095 |
+
$tprefix = $wpdb->get_blog_prefix( $current_blog->blog_id );
|
1096 |
+
}
|
1097 |
+
$like_string = str_replace( '_', '\_', $tprefix ) . "%";
|
1098 |
+
foreach ( $wpdb->get_results( $wpdb->prepare( "SHOW TABLE STATUS LIKE %s", $like_string ) ) as $row ) {
|
1099 |
+
if ( $this->is_main_site() ) {
|
1100 |
+
$matches = array();
|
1101 |
+
preg_match( '/' . $tprefix . '(\d+)_/', $row->Name, $matches );
|
1102 |
+
if ( isset( $matches[1] ) && (int) $current_blog->blog_id !== (int) $matches[1] )
|
1103 |
+
continue;
|
1104 |
+
}
|
1105 |
+
|
1106 |
+
$table = str_replace( $wpdb->prefix, '', $row->Name );
|
1107 |
+
|
1108 |
+
if ( !$this->is_main_site() && $tprefix == $wpdb->prefix ) {
|
1109 |
+
if ( in_array( $table, $ms_global_tables ) )
|
1110 |
+
continue;
|
1111 |
+
if ( preg_match( '/' . $tprefix . '(\d+)_/', $row->Name ) )
|
1112 |
+
continue;
|
1113 |
+
}
|
1114 |
+
|
1115 |
+
$tinfo[$table] = array();
|
1116 |
+
foreach ( (array)$row as $i => $v )
|
1117 |
+
$tinfo[$table][$i] = $v;
|
1118 |
+
if ( empty( $tinfo[$table] ) )
|
1119 |
+
unset( $tinfo[$table] );
|
1120 |
+
}
|
1121 |
+
|
1122 |
+
if ( $this->is_main_site() ) {
|
1123 |
+
foreach ( (array) $ms_global_tables as $ms_global_table ) {
|
1124 |
+
$ms_table_status = $wpdb->get_row( $wpdb->prepare( "SHOW TABLE STATUS LIKE %s", $tprefix . $ms_global_table ) );
|
1125 |
+
if ( !$ms_table_status )
|
1126 |
+
continue;
|
1127 |
+
$table = substr( $ms_table_status->Name, strlen( $tprefix ) );
|
1128 |
+
$tinfo[$table] = array();
|
1129 |
+
foreach ( (array) $ms_table_status as $i => $v )
|
1130 |
+
$tinfo[$table][$i] = $v;
|
1131 |
+
if ( empty( $tinfo[$table] ) )
|
1132 |
+
unset( $tinfo[$table] );
|
1133 |
+
}
|
1134 |
+
}
|
1135 |
+
|
1136 |
+
if ( isset( $_POST['php_ini'] ) && $_POST['php_ini'] == 1 )
|
1137 |
+
$ini_vals = @ini_get_all();
|
1138 |
+
else
|
1139 |
+
$ini_vals = null;
|
1140 |
+
if ( function_exists( 'sys_getloadavg' ) )
|
1141 |
+
$loadavg = sys_getloadavg();
|
1142 |
+
else
|
1143 |
+
$loadavg = null;
|
1144 |
+
|
1145 |
+
require_once ABSPATH . '/wp-admin/includes/plugin.php';
|
1146 |
+
if ( function_exists( 'get_plugin_data' ) )
|
1147 |
+
$vaultpress_response_info = get_plugin_data( __FILE__ );
|
1148 |
+
else
|
1149 |
+
$vaultpress_response_info = array( 'Version' => $this->plugin_version );
|
1150 |
+
$vaultpress_response_info['deferred_pings'] = (int)$this->ai_ping_count();
|
1151 |
+
$vaultpress_response_info['vaultpress_hostname'] = $this->get_option( 'hostname' );
|
1152 |
+
$vaultpress_response_info['vaultpress_timeout'] = $this->get_option( 'timeout' );
|
1153 |
+
$vaultpress_response_info['disable_firewall'] = $this->get_option( 'disable_firewall' );
|
1154 |
+
$vaultpress_response_info['allow_forwarded_for'] = $this->get_option( 'allow_forwarded_for' );
|
1155 |
+
$vaultpress_response_info['is_writable'] = is_writable( __FILE__ );
|
1156 |
+
|
1157 |
+
$_wptype = 's';
|
1158 |
+
if ( $this->is_multisite() ) {
|
1159 |
+
global $wpmu_version;
|
1160 |
+
if ( isset( $wpmu_version ) )
|
1161 |
+
$_wptype = 'mu';
|
1162 |
+
else
|
1163 |
+
$_wptype = 'ms';
|
1164 |
+
}
|
1165 |
+
|
1166 |
+
$upload_url = '';
|
1167 |
+
$upload_dir = wp_upload_dir();
|
1168 |
+
if ( isset( $upload_dir['baseurl'] ) ) {
|
1169 |
+
$upload_url = $upload_dir['baseurl'];
|
1170 |
+
if ( false === strpos( $upload_url, 'http' ) )
|
1171 |
+
$upload_url = untrailingslashit( site_url() ) . $upload_url;
|
1172 |
+
}
|
1173 |
+
|
1174 |
+
$this->response( array(
|
1175 |
+
'vaultpress' => $vaultpress_response_info,
|
1176 |
+
'wordpress' => array(
|
1177 |
+
'wp_version' => $wp_version,
|
1178 |
+
'wp_db_version' => $wp_db_version,
|
1179 |
+
'locale' => get_locale(),
|
1180 |
+
'manifest_version' => $manifest_version,
|
1181 |
+
'prefix' => $wpdb->prefix,
|
1182 |
+
'is_multisite' => $this->is_multisite(),
|
1183 |
+
'is_main_site' => $this->is_main_site(),
|
1184 |
+
'blog_id' => isset( $current_blog ) ? $current_blog->blog_id : null,
|
1185 |
+
'theme' => (string) ( function_exists( 'wp_get_theme' ) ? wp_get_theme() : get_current_theme() ),
|
1186 |
+
'plugins' => preg_replace( '#/.*$#', '', get_option( 'active_plugins' ) ),
|
1187 |
+
'tables' => $tinfo,
|
1188 |
+
'name' => get_bloginfo( 'name' ),
|
1189 |
+
'upload_url' => $upload_url,
|
1190 |
+
'site_url' => $this->site_url(),
|
1191 |
+
'home_url' => ( function_exists( 'home_url' ) ? home_url() : get_option( 'home' ) ),
|
1192 |
+
'type' => $_wptype,
|
1193 |
+
),
|
1194 |
+
'server' => array(
|
1195 |
+
'host' => $_SERVER['HTTP_HOST'],
|
1196 |
+
'server' => @php_uname( "n" ),
|
1197 |
+
'load' => $loadavg,
|
1198 |
+
'info' => @php_uname( "a" ),
|
1199 |
+
'time' => time(),
|
1200 |
+
'php' => array( 'version' => phpversion(), 'ini' => $ini_vals, 'directory_separator' => DIRECTORY_SEPARATOR ),
|
1201 |
+
'httpd' => array(
|
1202 |
+
'type' => $httpd,
|
1203 |
+
'modules' => $http_modules,
|
1204 |
+
),
|
1205 |
+
'mysql' => $mvars,
|
1206 |
+
),
|
1207 |
+
) );
|
1208 |
+
break;
|
1209 |
+
case 'db:prefix':
|
1210 |
+
$this->response( $wpdb->prefix );
|
1211 |
+
break;
|
1212 |
+
case 'db:wpdb':
|
1213 |
+
if ( !$_POST['query'] )
|
1214 |
+
die( "naughty naughty" );
|
1215 |
+
$query = @base64_decode( $_POST['query'] );
|
1216 |
+
if ( !$query )
|
1217 |
+
die( "naughty naughty" );
|
1218 |
+
if ( !$_POST['function'] )
|
1219 |
+
$function = $function;
|
1220 |
+
else
|
1221 |
+
$function = $_POST['function'];
|
1222 |
+
$this->response( $bdb->wpdb( $query, $function ) );
|
1223 |
+
break;
|
1224 |
+
case 'db:diff':
|
1225 |
+
case 'db:count':
|
1226 |
+
case 'db:cols':
|
1227 |
+
if ( isset( $_POST['limit'] ) )
|
1228 |
+
$limit = $_POST['limit'];
|
1229 |
+
else
|
1230 |
+
$limit = null;
|
1231 |
+
|
1232 |
+
if ( isset( $_POST['offset'] ) )
|
1233 |
+
$offset = $_POST['offset'];
|
1234 |
+
else
|
1235 |
+
$offset = null;
|
1236 |
+
|
1237 |
+
if ( isset( $_POST['columns'] ) )
|
1238 |
+
$columns = $_POST['columns'];
|
1239 |
+
else
|
1240 |
+
$columns = null;
|
1241 |
+
|
1242 |
+
if ( isset( $_POST['signatures'] ) )
|
1243 |
+
$signatures = $_POST['signatures'];
|
1244 |
+
else
|
1245 |
+
$signatures = null;
|
1246 |
+
|
1247 |
+
if ( isset( $_POST['where'] ) )
|
1248 |
+
$where = $_POST['where'];
|
1249 |
+
else
|
1250 |
+
$where = null;
|
1251 |
+
|
1252 |
+
if ( isset( $_POST['table'] ) )
|
1253 |
+
$bdb->attach( base64_decode( $_POST['table'] ) );
|
1254 |
+
|
1255 |
+
switch ( array_pop( explode( ':', $_GET['action'] ) ) ) {
|
1256 |
+
case 'diff':
|
1257 |
+
if ( !$signatures ) die( 'naughty naughty' );
|
1258 |
+
// encoded because mod_security sees this as an SQL injection attack
|
1259 |
+
$this->response( $bdb->diff( unserialize( base64_decode( $signatures ) ) ) );
|
1260 |
+
case 'count':
|
1261 |
+
if ( !$columns ) die( 'naughty naughty' );
|
1262 |
+
$this->response( $bdb->count( unserialize( $columns ) ) );
|
1263 |
+
case 'cols':
|
1264 |
+
if ( !$columns ) die( 'naughty naughty' );
|
1265 |
+
$this->response( $bdb->get_cols( unserialize( $columns ), $limit, $offset, $where ) );
|
1266 |
+
}
|
1267 |
+
|
1268 |
+
break;
|
1269 |
+
case 'db:tables':
|
1270 |
+
case 'db:explain':
|
1271 |
+
case 'db:show_create':
|
1272 |
+
if ( isset( $_POST['filter'] ) )
|
1273 |
+
$filter = $_POST['filter'];
|
1274 |
+
else
|
1275 |
+
$filter = null;
|
1276 |
+
|
1277 |
+
if ( isset( $_POST['table'] ) )
|
1278 |
+
$bdb->attach( base64_decode( $_POST['table'] ) );
|
1279 |
+
|
1280 |
+
switch ( array_pop( explode( ':', $_GET['action'] ) ) ) {
|
1281 |
+
default:
|
1282 |
+
die( "naughty naughty" );
|
1283 |
+
case 'tables':
|
1284 |
+
$this->response( $bdb->get_tables( $filter ) );
|
1285 |
+
case 'explain':
|
1286 |
+
$this->response( $bdb->explain() );
|
1287 |
+
case 'show_create':
|
1288 |
+
$this->response( $bdb->show_create() );
|
1289 |
+
}
|
1290 |
+
break;
|
1291 |
+
case 'themes:active':
|
1292 |
+
$this->response( get_option( 'current_theme' ) );
|
1293 |
+
case 'plugins:active':
|
1294 |
+
$this->response( preg_replace( '#/.*$#', '', get_option( 'active_plugins' ) ) );
|
1295 |
+
break;
|
1296 |
+
case 'plugins:checksum': case 'uploads:checksum': case 'themes:checksum': case 'content:checksum': case 'root:checksum':
|
1297 |
+
case 'plugins:ls': case 'uploads:ls': case 'themes:ls': case 'content:ls': case 'root:ls':
|
1298 |
+
case 'plugins:dir': case 'uploads:dir': case 'themes:dir': case 'content:dir': case 'root:dir':
|
1299 |
+
case 'plugins:stat': case 'uploads:stat': case 'themes:stat': case 'content:stat': case 'root:stat':
|
1300 |
+
case 'plugins:get': case 'uploads:get': case 'themes:get': case 'content:get': case 'root:get':
|
1301 |
+
|
1302 |
+
$bfs->want( array_shift( explode( ':', $_GET['action'] ) ) );
|
1303 |
+
|
1304 |
+
if ( isset( $_POST['path'] ) )
|
1305 |
+
$path = $_POST['path'];
|
1306 |
+
else
|
1307 |
+
$path = '';
|
1308 |
+
|
1309 |
+
if ( !$bfs->validate( $path ) )
|
1310 |
+
die( "naughty naughty" );
|
1311 |
+
|
1312 |
+
if ( isset( $_POST['sha1'] ) && $_POST['sha1'] )
|
1313 |
+
$sha1 = true;
|
1314 |
+
else
|
1315 |
+
$sha1 = false;
|
1316 |
+
|
1317 |
+
if ( isset( $_POST['md5'] ) && $_POST['md5'] )
|
1318 |
+
$md5 = true;
|
1319 |
+
else
|
1320 |
+
$md5 = false;
|
1321 |
+
|
1322 |
+
if ( isset( $_POST['limit'] ) && $_POST['limit'] )
|
1323 |
+
$limit=$_POST['limit'];
|
1324 |
+
else
|
1325 |
+
$limit = false;
|
1326 |
+
|
1327 |
+
if ( isset( $_POST['offset'] ) && $_POST['offset'] )
|
1328 |
+
$offset = $_POST['offset'];
|
1329 |
+
else
|
1330 |
+
$offset = false;
|
1331 |
+
|
1332 |
+
if ( isset( $_POST['recursive'] ) )
|
1333 |
+
$recursive = (bool)$_POST['recursive'];
|
1334 |
+
else
|
1335 |
+
$recursive = false;
|
1336 |
+
|
1337 |
+
switch ( array_pop( explode( ':', $_GET['action'] ) ) ) {
|
1338 |
+
default:
|
1339 |
+
die( "naughty naughty" );
|
1340 |
+
case 'checksum':
|
1341 |
+
$list = array();
|
1342 |
+
$this->response( $bfs->dir_checksum( $path, $list, $recursive ) );
|
1343 |
+
case 'dir':
|
1344 |
+
$this->response( $bfs->dir_examine( $path, $recursive ) );
|
1345 |
+
case 'stat':
|
1346 |
+
$this->response( $bfs->stat( $bfs->dir.$path ) );
|
1347 |
+
case 'get':
|
1348 |
+
$bfs->fdump( $bfs->dir.$path );
|
1349 |
+
case 'ls':
|
1350 |
+
$this->response( $bfs->ls( $path, $md5, $sha1, $limit, $offset ) );
|
1351 |
+
}
|
1352 |
+
break;
|
1353 |
+
case 'config:get':
|
1354 |
+
if ( !isset( $_POST['key'] ) || !$_POST['key'] )
|
1355 |
+
$this->response( false );
|
1356 |
+
$key = '_vp_config_' . base64_decode( $_POST['key'] );
|
1357 |
+
$this->response( base64_encode( maybe_serialize( $this->get_config( $key ) ) ) );
|
1358 |
+
break;
|
1359 |
+
case 'config:set':
|
1360 |
+
if ( !isset( $_POST['key'] ) || !$_POST['key'] ) {
|
1361 |
+
$this->response( false );
|
1362 |
+
break;
|
1363 |
+
}
|
1364 |
+
$key = '_vp_config_' . base64_decode( $_POST['key'] );
|
1365 |
+
if ( !isset( $_POST['val'] ) || !$_POST['val'] ) {
|
1366 |
+
if ( !isset($_POST['delete']) || !$_POST['delete'] ) {
|
1367 |
+
$this->response( false );
|
1368 |
+
} else {
|
1369 |
+
$this->response( delete_option( $key ) );
|
1370 |
+
}
|
1371 |
+
break;
|
1372 |
+
}
|
1373 |
+
$val = maybe_unserialize( base64_decode( $_POST['val'] ) );
|
1374 |
+
$this->response( update_option( $key, $val ) );
|
1375 |
+
break;
|
1376 |
+
}
|
1377 |
+
die();
|
1378 |
+
}
|
1379 |
+
|
1380 |
+
function _fix_ixr_null_to_string( &$args ) {
|
1381 |
+
if ( is_array( $args ) )
|
1382 |
+
foreach ( $args as $k => $v )
|
1383 |
+
$args[$k] = $this->_fix_ixr_null_to_string( $v );
|
1384 |
+
else if ( is_object( $args ) )
|
1385 |
+
foreach ( get_object_vars( $args ) as $k => $v )
|
1386 |
+
$args->$k = $this->_fix_ixr_null_to_string( $v );
|
1387 |
+
else
|
1388 |
+
return null == $args ? '' : $args;
|
1389 |
+
return $args;
|
1390 |
+
}
|
1391 |
+
|
1392 |
+
function contact_service( $action, $args = array() ) {
|
1393 |
+
if ( 'test' != $action && 'register' != $action && !$this->check_connection() )
|
1394 |
+
return false;
|
1395 |
+
|
1396 |
+
global $current_user;
|
1397 |
+
if ( !isset( $args['args'] ) )
|
1398 |
+
$args['args'] = '';
|
1399 |
+
$old_timeout = ini_get( 'default_socket_timeout' );
|
1400 |
+
$timeout = $this->get_option( 'timeout' );
|
1401 |
+
ini_set( 'default_socket_timeout', $timeout );
|
1402 |
+
$hostname = $this->get_option( 'hostname' );
|
1403 |
+
|
1404 |
+
if ( !class_exists( 'VaultPress_IXR_SSL_Client' ) )
|
1405 |
+
require_once( dirname( __FILE__ ) . '/class.vaultpress-ixr-ssl-client.php' );
|
1406 |
+
$client = new VaultPress_IXR_SSL_Client( $hostname, '/xmlrpc.php', 80, $timeout );
|
1407 |
+
|
1408 |
+
if ( 'vaultpress.com' == $hostname )
|
1409 |
+
$client->ssl();
|
1410 |
+
|
1411 |
+
// Begin audit trail breadcrumbs
|
1412 |
+
if ( isset( $current_user ) && is_object( $current_user ) && isset( $current_user->ID ) ) {
|
1413 |
+
$args['cause_user_id'] = intval( $current_user->ID );
|
1414 |
+
$args['cause_user_login'] = (string)$current_user->user_login;
|
1415 |
+
} else {
|
1416 |
+
$args['cause_user_id'] = -1;
|
1417 |
+
$args['cause_user_login'] = '';
|
1418 |
+
}
|
1419 |
+
$args['cause_ip'] = $_SERVER['REMOTE_ADDR'];
|
1420 |
+
$args['cause_uri'] = $_SERVER['REQUEST_URI'];
|
1421 |
+
$args['cause_method'] = $_SERVER['REQUEST_METHOD'];
|
1422 |
+
// End audit trail breadcrumbs
|
1423 |
+
|
1424 |
+
$args['version'] = $this->plugin_version;
|
1425 |
+
$args['locale'] = get_locale();
|
1426 |
+
$args['site_url'] = $this->site_url();
|
1427 |
+
|
1428 |
+
$salt = md5( time() . serialize( $_SERVER ) );
|
1429 |
+
$args['key'] = $this->get_option( 'key' );
|
1430 |
+
$this->_fix_ixr_null_to_string( $args );
|
1431 |
+
$args['signature'] = $this->sign_string( serialize( $args ), $this->get_option( 'secret' ), $salt ).":$salt";
|
1432 |
+
|
1433 |
+
$client->query( 'vaultpress.'.$action, new IXR_Base64( serialize( $args ) ) );
|
1434 |
+
$rval = $client->message ? $client->getResponse() : '';
|
1435 |
+
ini_set( 'default_socket_timeout', $old_timeout );
|
1436 |
+
|
1437 |
+
// we got an error from the servers
|
1438 |
+
if ( is_array( $rval ) && isset( $rval['faultCode'] ) ) {
|
1439 |
+
$this->update_option( 'connection', time() );
|
1440 |
+
$this->update_option( 'connection_error_code', $rval['faultCode'] );
|
1441 |
+
$this->update_option( 'connection_error_message', $rval['faultString'] );
|
1442 |
+
}
|
1443 |
+
|
1444 |
+
return $rval;
|
1445 |
+
}
|
1446 |
+
|
1447 |
+
function validate_api_signature() {
|
1448 |
+
global $__vp_validate_error;
|
1449 |
+
if ( isset( $_POST['signature']) && $_POST['signature'] )
|
1450 |
+
$sig = $_POST['signature'];
|
1451 |
+
else
|
1452 |
+
return false;
|
1453 |
+
|
1454 |
+
$secret = $this->get_option( 'secret' );
|
1455 |
+
if ( !$secret ) {
|
1456 |
+
$__vp_validate_error = "missing_secret";
|
1457 |
+
return false;
|
1458 |
+
}
|
1459 |
+
if ( !$this->get_option( 'disable_firewall' ) ) {
|
1460 |
+
$rxs = $this->get_option( 'service_ips' );
|
1461 |
+
if ( $rxs ) {
|
1462 |
+
$timeout = time() - 86400;
|
1463 |
+
if ( $rxs ) {
|
1464 |
+
if ( $rxs['updated'] < $timeout )
|
1465 |
+
$refetch = true;
|
1466 |
+
else
|
1467 |
+
$refetch = false;
|
1468 |
+
$rxs = $rxs['data'];
|
1469 |
+
}
|
1470 |
+
} else {
|
1471 |
+
$refetch = true;
|
1472 |
+
}
|
1473 |
+
if ( $refetch ) {
|
1474 |
+
if ( $data = $this->update_firewall() )
|
1475 |
+
$rxs = $data;
|
1476 |
+
}
|
1477 |
+
if ( !$this->validate_ip_address( $rxs ) ) {
|
1478 |
+
$__vp_validate_error = "firewall_fail";
|
1479 |
+
return false;
|
1480 |
+
}
|
1481 |
+
}
|
1482 |
+
$sig = explode( ':', $sig );
|
1483 |
+
if ( !is_array( $sig ) || count( $sig ) != 2 || !$sig[0] || !$sig[1] ) {
|
1484 |
+
$__vp_validate_error = "invalid_sig";
|
1485 |
+
return false;
|
1486 |
+
}
|
1487 |
+
|
1488 |
+
// Pass 1 -- new method
|
1489 |
+
$uri = preg_replace( '/^[^?]+\?/', '?', $_SERVER['REQUEST_URI'] );
|
1490 |
+
$post = $_POST;
|
1491 |
+
unset( $post['signature'] );
|
1492 |
+
// Work around for dd-formmailer plugin
|
1493 |
+
if ( isset( $post['_REPEATED'] ) )
|
1494 |
+
unset( $post['_REPEATED'] );
|
1495 |
+
ksort( $post );
|
1496 |
+
$to_sign = serialize( array( 'uri' => $uri, 'post' => $post ) );
|
1497 |
+
$signature = $this->sign_string( $to_sign, $secret, $sig[1] );
|
1498 |
+
if ( $sig[0] == $signature )
|
1499 |
+
return true;
|
1500 |
+
|
1501 |
+
$__vp_validate_error = "was: {$sig[0]}, need: $signature";
|
1502 |
+
return false;
|
1503 |
+
}
|
1504 |
+
|
1505 |
+
function validate_ip_address( $rxs ) {
|
1506 |
+
if ( empty( $rxs ) )
|
1507 |
+
return false;
|
1508 |
+
|
1509 |
+
$remote_ips = array();
|
1510 |
+
|
1511 |
+
if ( $this->get_option( 'allow_forwarded_for') && !empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) )
|
1512 |
+
$remote_ips = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
|
1513 |
+
|
1514 |
+
if ( !empty( $_SERVER['REMOTE_ADDR'] ) )
|
1515 |
+
$remote_ips[] = $_SERVER['REMOTE_ADDR'];
|
1516 |
+
|
1517 |
+
$iprx = '/^([0-9]+\.[0-9]+\.[0-9]+\.)([0-9]+)$/';
|
1518 |
+
|
1519 |
+
foreach ( $remote_ips as $remote_ip ) {
|
1520 |
+
if ( !preg_match( $iprx, $remote_ip, $r ) ) {
|
1521 |
+
$__vp_validate_error = "remote_addr_fail";
|
1522 |
+
return false;
|
1523 |
+
}
|
1524 |
+
|
1525 |
+
foreach ( (array)$rxs as $begin => $end ) {
|
1526 |
+
if ( !preg_match( $iprx, $begin, $b ) )
|
1527 |
+
continue;
|
1528 |
+
if ( !preg_match( $iprx, $end, $e ) )
|
1529 |
+
continue;
|
1530 |
+
if ( $r[1] != $b[1] || $r[1] != $e[1] )
|
1531 |
+
continue;
|
1532 |
+
$me = $r[2];
|
1533 |
+
$b = min( (int)$b[2], (int)$e[2] );
|
1534 |
+
$e = max( (int)$b[2], (int)$e[2] );
|
1535 |
+
if ( $me >= $b && $me <= $e ) {
|
1536 |
+
return true;
|
1537 |
+
}
|
1538 |
+
}
|
1539 |
+
}
|
1540 |
+
|
1541 |
+
return false;
|
1542 |
+
}
|
1543 |
+
|
1544 |
+
function sign_string( $string, $secret, $salt ) {
|
1545 |
+
return hash_hmac( 'sha1', "$string:$salt", $secret );
|
1546 |
+
}
|
1547 |
+
|
1548 |
+
function response( $response, $raw = false ) {
|
1549 |
+
if ( $raw )
|
1550 |
+
die( $response );
|
1551 |
+
list( $usec, $sec ) = explode( " ", microtime() );
|
1552 |
+
$r = new stdClass();
|
1553 |
+
$r->req_vector = floatval( $_GET['vector'] );
|
1554 |
+
$r->rsp_vector = ( (float)$usec + (float)$sec );
|
1555 |
+
if ( function_exists( "getrusage" ) )
|
1556 |
+
$r->rusage = getrusage();
|
1557 |
+
else
|
1558 |
+
$r->rusage = false;
|
1559 |
+
if ( function_exists( "memory_get_peak_usage" ) )
|
1560 |
+
$r->peak_memory_usage = memory_get_peak_usage( true );
|
1561 |
+
else
|
1562 |
+
$r->peak_memory_usage = false;
|
1563 |
+
if ( function_exists( "memory_get_usage" ) )
|
1564 |
+
$r->memory_usage = memory_get_usage( true );
|
1565 |
+
else
|
1566 |
+
$r->memory_usage = false;
|
1567 |
+
$r->response = $response;
|
1568 |
+
die( serialize( $r ) );
|
1569 |
+
}
|
1570 |
+
|
1571 |
+
function reset_pings() {
|
1572 |
+
global $vaultpress_pings;
|
1573 |
+
$vaultpress_pings = array(
|
1574 |
+
'version' => 1,
|
1575 |
+
'count' => 0,
|
1576 |
+
'editedtables' => array(),
|
1577 |
+
'plugins' => array(),
|
1578 |
+
'themes' => array(),
|
1579 |
+
'uploads' => array(),
|
1580 |
+
'db' => array(),
|
1581 |
+
'debug' => array(),
|
1582 |
+
'security' => array(),
|
1583 |
+
);
|
1584 |
+
}
|
1585 |
+
|
1586 |
+
function add_ping( $type, $data, $hook=null ) {
|
1587 |
+
global $vaultpress_pings;
|
1588 |
+
if ( defined( 'WP_IMPORTING' ) && constant( 'WP_IMPORTING' ) )
|
1589 |
+
return;
|
1590 |
+
if ( !array_key_exists( $type, $vaultpress_pings ) )
|
1591 |
+
return;
|
1592 |
+
|
1593 |
+
switch( $type ) {
|
1594 |
+
case 'editedtables';
|
1595 |
+
$vaultpress_pings[$type] = $data;
|
1596 |
+
return;
|
1597 |
+
case 'uploads':
|
1598 |
+
case 'themes':
|
1599 |
+
case 'plugins':
|
1600 |
+
if ( !is_array( $data ) ) {
|
1601 |
+
$data = array( $data );
|
1602 |
+
}
|
1603 |
+
foreach ( $data as $val ) {
|
1604 |
+
if ( in_array( $data, $vaultpress_pings[$type] ) )
|
1605 |
+
continue;
|
1606 |
+
$vaultpress_pings['count']++;
|
1607 |
+
$vaultpress_pings[$type][]=$val;
|
1608 |
+
}
|
1609 |
+
return;
|
1610 |
+
case 'db':
|
1611 |
+
$subtype = array_shift( array_keys( $data ) );
|
1612 |
+
if ( !isset( $vaultpress_pings[$type][$subtype] ) )
|
1613 |
+
$vaultpress_pings[$type][$subtype] = array();
|
1614 |
+
if ( in_array( $data, $vaultpress_pings[$type][$subtype] ) )
|
1615 |
+
return;
|
1616 |
+
$vaultpress_pings['count']++;
|
1617 |
+
$vaultpress_pings[$type][$subtype][] = $data;
|
1618 |
+
return;
|
1619 |
+
default:
|
1620 |
+
if ( in_array( $data, $vaultpress_pings[$type] ) )
|
1621 |
+
return;
|
1622 |
+
$vaultpress_pings['count']++;
|
1623 |
+
$vaultpress_pings[$type][] = $data;
|
1624 |
+
return;
|
1625 |
+
}
|
1626 |
+
}
|
1627 |
+
|
1628 |
+
function do_pings() {
|
1629 |
+
global $wpdb, $vaultpress_pings, $__vp_recursive_ping_lock;
|
1630 |
+
if ( defined( 'WP_IMPORTING' ) && constant( 'WP_IMPORTING' ) )
|
1631 |
+
return;
|
1632 |
+
|
1633 |
+
if ( !isset( $wpdb ) ) {
|
1634 |
+
$wpdb = new wpdb( DB_USER, DB_PASSWORD, DB_NAME, DB_HOST );
|
1635 |
+
$close_wpdb = true;
|
1636 |
+
} else {
|
1637 |
+
$close_wpdb = false;
|
1638 |
+
}
|
1639 |
+
|
1640 |
+
if ( !$vaultpress_pings['count'] )
|
1641 |
+
return;
|
1642 |
+
|
1643 |
+
// Short circuit the contact process if we know that we can't contact the service
|
1644 |
+
if ( isset( $__vp_recursive_ping_lock ) && $__vp_recursive_ping_lock ) {
|
1645 |
+
$this->ai_ping_insert( serialize( $vaultpress_pings ) );
|
1646 |
+
if ( $close_wpdb ) {
|
1647 |
+
$wpdb->__destruct();
|
1648 |
+
unset( $wpdb );
|
1649 |
+
}
|
1650 |
+
$this->reset_pings();
|
1651 |
+
return;
|
1652 |
+
}
|
1653 |
+
|
1654 |
+
$ping_attempts = 0;
|
1655 |
+
do {
|
1656 |
+
$ping_attempts++;
|
1657 |
+
$rval = $this->contact_service( 'ping', array( 'args' => $vaultpress_pings ) );
|
1658 |
+
if ( $rval || $ping_attempts >= 3 )
|
1659 |
+
break;
|
1660 |
+
if ( !$rval )
|
1661 |
+
usleep(500000);
|
1662 |
+
} while ( true );
|
1663 |
+
if ( !$rval ) {
|
1664 |
+
$__vp_recursive_ping_lock = true;
|
1665 |
+
$this->ai_ping_insert( serialize( $vaultpress_pings ) );
|
1666 |
+
}
|
1667 |
+
$this->reset_pings();
|
1668 |
+
if ( $close_wpdb ) {
|
1669 |
+
$wpdb->__destruct();
|
1670 |
+
unset( $wpdb );
|
1671 |
+
}
|
1672 |
+
return $rval;
|
1673 |
+
}
|
1674 |
+
|
1675 |
+
function resolve_content_dir() {
|
1676 |
+
// Take the easy way out
|
1677 |
+
if ( defined( 'WP_CONTENT_DIR' ) ) {
|
1678 |
+
if ( substr( WP_CONTENT_DIR, -1 ) != DIRECTORY_SEPARATOR )
|
1679 |
+
return WP_CONTENT_DIR . DIRECTORY_SEPARATOR;
|
1680 |
+
return WP_CONTENT_DIR;
|
1681 |
+
}
|
1682 |
+
// Best guess
|
1683 |
+
if ( defined( 'ABSPATH' ) ) {
|
1684 |
+
if ( substr( ABSPATH, -1 ) != DIRECTORY_SEPARATOR )
|
1685 |
+
return ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR;
|
1686 |
+
return ABSPATH . 'wp-content' . DIRECTORY_SEPARATOR;
|
1687 |
+
}
|
1688 |
+
// Run with a solid assumption: WP_CONTENT_DIR/vaultpress/vaultpress.php
|
1689 |
+
return dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR;
|
1690 |
+
}
|
1691 |
+
|
1692 |
+
function resolve_upload_path() {
|
1693 |
+
$upload_path = false;
|
1694 |
+
$upload_dir = wp_upload_dir();
|
1695 |
+
|
1696 |
+
if ( isset( $upload_dir['basedir'] ) )
|
1697 |
+
$upload_path = $upload_dir['basedir'];
|
1698 |
+
|
1699 |
+
// Nothing recorded? use a best guess!
|
1700 |
+
if ( !$upload_path || $upload_path == realpath( ABSPATH ) )
|
1701 |
+
return $this->resolve_content_dir() . 'uploads' . DIRECTORY_SEPARATOR;
|
1702 |
+
|
1703 |
+
if ( substr( $upload_path, -1 ) != DIRECTORY_SEPARATOR )
|
1704 |
+
$upload_path .= DIRECTORY_SEPARATOR;
|
1705 |
+
|
1706 |
+
return $upload_path;
|
1707 |
+
}
|
1708 |
+
|
1709 |
+
function load_first( $value ) {
|
1710 |
+
$value = array_unique( $value ); // just in case there are duplicates
|
1711 |
+
return array_merge(
|
1712 |
+
preg_grep( '/vaultpress\.php$/', $value ),
|
1713 |
+
preg_grep( '/vaultpress\.php$/', $value, PREG_GREP_INVERT )
|
1714 |
+
);
|
1715 |
+
}
|
1716 |
+
|
1717 |
+
function is_multisite() {
|
1718 |
+
if ( function_exists( 'is_multisite' ) )
|
1719 |
+
return is_multisite();
|
1720 |
+
|
1721 |
+
return false;
|
1722 |
+
}
|
1723 |
+
|
1724 |
+
function is_main_site() {
|
1725 |
+
if ( !function_exists( 'is_main_site' ) || !$this->is_multisite() )
|
1726 |
+
return true;
|
1727 |
+
|
1728 |
+
return is_main_site();
|
1729 |
+
}
|
1730 |
+
|
1731 |
+
function is_registered() {
|
1732 |
+
$key = $this->get_option( 'key' );
|
1733 |
+
$secret = $this->get_option( 'secret' );
|
1734 |
+
return !empty( $key ) && !empty( $secret );
|
1735 |
+
}
|
1736 |
+
|
1737 |
+
function clear_connection() {
|
1738 |
+
$this->delete_option( 'connection' );
|
1739 |
+
$this->delete_option( 'connection_error_code' );
|
1740 |
+
$this->delete_option( 'connection_error_message' );
|
1741 |
+
$this->delete_option( 'connection_test' );
|
1742 |
+
}
|
1743 |
+
|
1744 |
+
function site_url() {
|
1745 |
+
$site_url = '';
|
1746 |
+
|
1747 |
+
// compatibility for WordPress MU Domain Mapping plugin
|
1748 |
+
if ( defined( 'DOMAIN_MAPPING' ) && DOMAIN_MAPPING ) {
|
1749 |
+
if ( !function_exists( 'domain_mapping_siteurl' ) ) {
|
1750 |
+
|
1751 |
+
if ( !function_exists( 'is_plugin_active' ) )
|
1752 |
+
require_once ABSPATH . '/wp-admin/includes/plugin.php';
|
1753 |
+
|
1754 |
+
$plugin = 'wordpress-mu-domain-mapping/domain_mapping.php';
|
1755 |
+
if ( is_plugin_active( $plugin ) )
|
1756 |
+
include_once( WP_PLUGIN_DIR . '/' . $plugin );
|
1757 |
+
}
|
1758 |
+
|
1759 |
+
if ( function_exists( 'domain_mapping_siteurl' ) )
|
1760 |
+
$site_url = domain_mapping_siteurl( false );
|
1761 |
+
}
|
1762 |
+
|
1763 |
+
if ( empty( $site_url ) )
|
1764 |
+
$site_url = site_url();
|
1765 |
+
|
1766 |
+
return $site_url;
|
1767 |
+
}
|
1768 |
+
|
1769 |
+
function add_admin_actions_and_filters() {
|
1770 |
+
add_action( 'admin_init', array( $this, 'admin_init' ) );
|
1771 |
+
add_action( 'admin_menu', array( $this, 'admin_menu' ) );
|
1772 |
+
add_action( 'admin_head', array( $this, 'admin_head' ) );
|
1773 |
+
}
|
1774 |
+
|
1775 |
+
function add_listener_actions_and_filters() {
|
1776 |
+
add_action( 'admin_bar_menu', array( $this, 'toolbar' ), 999 );
|
1777 |
+
add_action( 'admin_bar_init', array( $this, 'styles' ) );
|
1778 |
+
|
1779 |
+
// Comments
|
1780 |
+
add_action( 'delete_comment', array( $this, 'comment_action_handler' ) );
|
1781 |
+
add_action( 'wp_set_comment_status', array( $this, 'comment_action_handler' ) );
|
1782 |
+
add_action( 'trashed_comment', array( $this, 'comment_action_handler' ) );
|
1783 |
+
add_action( 'untrashed_comment', array( $this, 'comment_action_handler' ) );
|
1784 |
+
add_action( 'wp_insert_comment', array( $this, 'comment_action_handler' ) );
|
1785 |
+
add_action( 'comment_post', array( $this, 'comment_action_handler' ) );
|
1786 |
+
add_action( 'edit_comment', array( $this, 'comment_action_handler' ) );
|
1787 |
+
|
1788 |
+
// Commentmeta
|
1789 |
+
add_action( 'added_comment_meta', array( $this, 'commentmeta_insert_handler' ), 10, 2 );
|
1790 |
+
add_action( 'updated_comment_meta', array( $this, 'commentmeta_modification_handler' ), 10, 4 );
|
1791 |
+
add_action( 'deleted_comment_meta', array( $this, 'commentmeta_modification_handler' ), 10, 4 );
|
1792 |
+
|
1793 |
+
// Users
|
1794 |
+
if ( $this->is_main_site() ) {
|
1795 |
+
add_action( 'user_register', array( $this, 'userid_action_handler' ) );
|
1796 |
+
add_action( 'password_reset', array( $this, 'userid_action_handler' ) );
|
1797 |
+
add_action( 'profile_update', array( $this, 'userid_action_handler' ) );
|
1798 |
+
add_action( 'user_register', array( $this, 'userid_action_handler' ) );
|
1799 |
+
add_action( 'deleted_user', array( $this, 'userid_action_handler' ) );
|
1800 |
+
}
|
1801 |
+
|
1802 |
+
// Usermeta
|
1803 |
+
if ( $this->is_main_site() ) {
|
1804 |
+
add_action( 'added_usermeta', array( $this, 'usermeta_action_handler' ), 10, 4 );
|
1805 |
+
add_action( 'update_usermeta', array( $this, 'usermeta_action_handler' ), 10, 4 );
|
1806 |
+
add_action( 'delete_usermeta', array( $this, 'usermeta_action_handler' ), 10, 4 );
|
1807 |
+
}
|
1808 |
+
|
1809 |
+
// Posts
|
1810 |
+
add_action( 'delete_post', array( $this, 'post_action_handler' ) );
|
1811 |
+
add_action( 'trash_post', array( $this, 'post_action_handler' ) );
|
1812 |
+
add_action( 'untrash_post', array( $this, 'post_action_handler' ) );
|
1813 |
+
add_action( 'edit_post', array( $this, 'post_action_handler' ) );
|
1814 |
+
add_action( 'save_post', array( $this, 'post_action_handler' ) );
|
1815 |
+
add_action( 'wp_insert_post', array( $this, 'post_action_handler' ) );
|
1816 |
+
add_action( 'edit_attachment', array( $this, 'post_action_handler' ) );
|
1817 |
+
add_action( 'add_attachment', array( $this, 'post_action_handler' ) );
|
1818 |
+
add_action( 'delete_attachment', array( $this, 'post_action_handler' ) );
|
1819 |
+
add_action( 'private_to_published', array( $this, 'post_action_handler' ) );
|
1820 |
+
add_action( 'wp_restore_post_revision', array( $this, 'post_action_handler' ) );
|
1821 |
+
|
1822 |
+
// Postmeta
|
1823 |
+
add_action( 'added_post_meta', array( $this, 'postmeta_insert_handler' ), 10, 4 );
|
1824 |
+
add_action( 'update_post_meta', array( $this, 'postmeta_modification_handler' ), 10, 4 );
|
1825 |
+
add_action( 'updated_post_meta', array( $this, 'postmeta_modification_handler' ), 10, 4 );
|
1826 |
+
add_action( 'delete_post_meta', array( $this, 'postmeta_modification_handler' ), 10, 4 );
|
1827 |
+
add_action( 'deleted_post_meta', array( $this, 'postmeta_modification_handler' ), 10, 4 );
|
1828 |
+
add_action( 'added_postmeta', array( $this, 'postmeta_action_handler' ) );
|
1829 |
+
add_action( 'update_postmeta', array( $this, 'postmeta_action_handler' ) );
|
1830 |
+
add_action( 'delete_postmeta', array( $this, 'postmeta_action_handler' ) );
|
1831 |
+
|
1832 |
+
// Links
|
1833 |
+
add_action( 'edit_link', array( $this, 'link_action_handler' ) );
|
1834 |
+
add_action( 'add_link', array( $this, 'link_action_handler' ) );
|
1835 |
+
add_action( 'delete_link', array( $this, 'link_action_handler' ) );
|
1836 |
+
|
1837 |
+
// Taxonomy
|
1838 |
+
add_action( 'created_term', array( $this, 'term_handler' ), 2 );
|
1839 |
+
add_action( 'edited_terms', array( $this, 'term_handler' ), 2 );
|
1840 |
+
add_action( 'delete_term', array( $this, 'term_handler' ), 2 );
|
1841 |
+
add_action( 'edit_term_taxonomy', array( $this, 'term_taxonomy_handler' ) );
|
1842 |
+
add_action( 'delete_term_taxonomy', array( $this, 'term_taxonomy_handler' ) );
|
1843 |
+
add_action( 'edit_term_taxonomies', array( $this, 'term_taxonomies_handler' ) );
|
1844 |
+
add_action( 'add_term_relationship', array( $this, 'term_relationship_handler' ), 10, 2 );
|
1845 |
+
add_action( 'delete_term_relationships', array( $this, 'term_relationships_handler' ), 10, 2 );
|
1846 |
+
add_action( 'set_object_terms', array( $this, 'set_object_terms_handler' ), 10, 3 );
|
1847 |
+
|
1848 |
+
// Files
|
1849 |
+
if ( $this->is_main_site() ) {
|
1850 |
+
add_action( 'switch_theme', array( $this, 'theme_action_handler' ) );
|
1851 |
+
add_action( 'activate_plugin', array( $this, 'plugin_action_handler' ) );
|
1852 |
+
add_action( 'deactivate_plugin', array( $this, 'plugin_action_handler' ) );
|
1853 |
+
}
|
1854 |
+
add_action( 'wp_handle_upload', array( $this, 'upload_handler' ) );
|
1855 |
+
|
1856 |
+
// Options
|
1857 |
+
add_action( 'deleted_option', array( $this, 'option_handler' ), 1 );
|
1858 |
+
add_action( 'updated_option', array( $this, 'option_handler' ), 1 );
|
1859 |
+
add_action( 'added_option', array( $this, 'option_handler' ), 1 );
|
1860 |
+
|
1861 |
+
$this->add_vp_required_filters();
|
1862 |
+
}
|
1863 |
+
|
1864 |
+
function add_vp_required_filters() {
|
1865 |
+
// Report back to VaultPress
|
1866 |
+
add_action( 'shutdown', array( $this, 'do_pings' ) );
|
1867 |
+
|
1868 |
+
// VaultPress likes being first in line
|
1869 |
+
add_filter( 'pre_update_option_active_plugins', array( $this, 'load_first' ) );
|
1870 |
+
}
|
1871 |
+
}
|
1872 |
+
|
1873 |
+
$vaultpress = VaultPress::init();
|
1874 |
+
|
1875 |
+
if ( isset( $_GET['vaultpress'] ) && $_GET['vaultpress'] ) {
|
1876 |
+
if ( !function_exists( 'wp_magic_quotes' ) ) {
|
1877 |
+
// If already slashed, strip.
|
1878 |
+
if ( get_magic_quotes_gpc() ) {
|
1879 |
+
$_GET = stripslashes_deep( $_GET );
|
1880 |
+
$_POST = stripslashes_deep( $_POST );
|
1881 |
+
$_COOKIE = stripslashes_deep( $_COOKIE );
|
1882 |
+
}
|
1883 |
+
|
1884 |
+
// Escape with wpdb.
|
1885 |
+
$_GET = add_magic_quotes( $_GET );
|
1886 |
+
$_POST = add_magic_quotes( $_POST );
|
1887 |
+
$_COOKIE = add_magic_quotes( $_COOKIE );
|
1888 |
+
$_SERVER = add_magic_quotes( $_SERVER );
|
1889 |
+
|
1890 |
+
// Force REQUEST to be GET + POST. If SERVER, COOKIE, or ENV are needed, use those superglobals directly.
|
1891 |
+
$_REQUEST = array_merge( $_GET, $_POST );
|
1892 |
+
} else {
|
1893 |
+
wp_magic_quotes();
|
1894 |
+
}
|
1895 |
+
|
1896 |
+
if ( !function_exists( 'wp_get_current_user' ) )
|
1897 |
+
include ABSPATH . '/wp-includes/pluggable.php';
|
1898 |
+
|
1899 |
+
// TODO: this prevents some error notices but do we need it? is there a better way to check capabilities/logged in user/etc?
|
1900 |
+
if ( function_exists( 'wp_cookie_constants' ) && !defined( 'AUTH_COOKIE' ) )
|
1901 |
+
wp_cookie_constants();
|
1902 |
+
|
1903 |
+
$vaultpress->parse_request( null );
|
1904 |
+
|
1905 |
+
die();
|
1906 |
+
}
|
1907 |
+
|
1908 |
+
// only load hotfixes if it's not a VP request
|
1909 |
+
require_once( dirname( __FILE__ ) . '/class.vaultpress-hotfixes.php' );
|
1910 |
+
$hotfixes = new VaultPress_Hotfixes();
|
1911 |
+
|
1912 |
+
include_once( dirname( __FILE__ ) . '/cron-tasks.php' );
|
vp-scanner.php
ADDED
@@ -0,0 +1,139 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<?php
|
2 |
+
|
3 |
+
class VP_FileScan {
|
4 |
+
var $path;
|
5 |
+
var $last_dir = null;
|
6 |
+
var $offset = 0;
|
7 |
+
|
8 |
+
function VP_FileScan( $path ) {
|
9 |
+
if ( is_dir( $path ) )
|
10 |
+
$this->last_dir = $this->path = @realpath( $path );
|
11 |
+
else
|
12 |
+
$this->last_dir = $this->path = dirname( @realpath( $path ) );
|
13 |
+
}
|
14 |
+
|
15 |
+
function get_files( $limit = 100 ) {
|
16 |
+
$files = array();
|
17 |
+
if ( is_dir( $this->last_dir ) ) {
|
18 |
+
$return = $this->_scan_files( $this->path, $files, $this->offset, $limit, $this->last_dir );
|
19 |
+
$this->offset = $return[0];
|
20 |
+
$this->last_dir = $return[1];
|
21 |
+
if ( count( $files ) < $limit )
|
22 |
+
$this->last_dir = false;
|
23 |
+
}
|
24 |
+
return $files;
|
25 |
+
}
|
26 |
+
|
27 |
+
function _scan_files( $path, &$files, $offset, $limit, &$last_dir ) {
|
28 |
+
$_offset = 0;
|
29 |
+
if ( $handle = opendir( $path ) ) {
|
30 |
+
while( false !== ( $entry = readdir( $handle ) ) ) {
|
31 |
+
if ( '.' == $entry || '..' == $entry )
|
32 |
+
continue;
|
33 |
+
|
34 |
+
$_offset++;
|
35 |
+
$full_entry = $path . DIRECTORY_SEPARATOR . $entry;
|
36 |
+
$next_item = ltrim( str_replace( $path, '', $last_dir ), DIRECTORY_SEPARATOR );
|
37 |
+
$next = preg_split( '#(?<!\\\\)' . preg_quote( DIRECTORY_SEPARATOR, '#' ) . '#', $next_item, 2 );
|
38 |
+
|
39 |
+
// Skip if the next item is not found.
|
40 |
+
if ( !empty( $next[0] ) && $next[0] != $entry )
|
41 |
+
continue;
|
42 |
+
if ( rtrim( $last_dir, DIRECTORY_SEPARATOR ) == rtrim( $path, DIRECTORY_SEPARATOR ) && $_offset < $offset )
|
43 |
+
continue;
|
44 |
+
|
45 |
+
if ( rtrim( $last_dir, DIRECTORY_SEPARATOR ) == rtrim( $path, DIRECTORY_SEPARATOR ) ) {
|
46 |
+
// Reset last_dir and offset when we reached the previous last_dir value.
|
47 |
+
$last_dir = '';
|
48 |
+
$offset = 0;
|
49 |
+
}
|
50 |
+
|
51 |
+
if ( is_file( $full_entry ) ) {
|
52 |
+
if ( !vp_is_interesting_file( $full_entry ) )
|
53 |
+
continue;
|
54 |
+
$_return_offset = $_offset;
|
55 |
+
$_return_dir = dirname( $full_entry );
|
56 |
+
$files[] = $full_entry;
|
57 |
+
} elseif ( is_dir( $full_entry ) ) {
|
58 |
+
list( $_return_offset, $_return_dir ) = $this->_scan_files( $full_entry, $files, $offset, $limit, $last_dir );
|
59 |
+
}
|
60 |
+
if ( count( $files ) >= $limit ) {
|
61 |
+
closedir( $handle );
|
62 |
+
return array( $_return_offset, $_return_dir );
|
63 |
+
}
|
64 |
+
}
|
65 |
+
closedir( $handle );
|
66 |
+
}
|
67 |
+
return array( $_offset, $path );
|
68 |
+
}
|
69 |
+
}
|
70 |
+
|
71 |
+
function vp_get_real_file_path( $file_path, $tmp_file = false ) {
|
72 |
+
global $site, $site_id;
|
73 |
+
$site_id = !empty( $site->id ) ? $site->id : $site_id;
|
74 |
+
if ( !$tmp_file && !empty( $site_id ) && function_exists( 'determine_file_type_path' ) ) {
|
75 |
+
$path = determine_file_type_path( $file_path );
|
76 |
+
$file = file_by_path( $site_id, $path );
|
77 |
+
if ( !$file )
|
78 |
+
return false;
|
79 |
+
return $file->get_unencrypted();
|
80 |
+
}
|
81 |
+
return !empty( $tmp_file ) ? $tmp_file : $file_path;
|
82 |
+
}
|
83 |
+
|
84 |
+
function vp_is_interesting_file($file) {
|
85 |
+
$scan_only_regex = apply_filters( 'scan_only_extension_regex', '#\.(ph(p3|p4|p5|p|tml)|html|js|htaccess)$#i' );
|
86 |
+
return preg_match( $scan_only_regex, $file );
|
87 |
+
}
|
88 |
+
|
89 |
+
/**
|
90 |
+
* Scans a file with the registered signatures. To report a security notice for a specified signature, all its regular
|
91 |
+
* expressions should result in a match.
|
92 |
+
* @param $file the filename to be scanned.
|
93 |
+
* @param null $tmp_file used if the file to be scanned doesn't exist or if the filename doesn't match vp_is_interesting_file().
|
94 |
+
* @return array|bool false if no matched signature is found. A list of matched signatures otherwise.
|
95 |
+
*/
|
96 |
+
function vp_scan_file($file, $tmp_file = null) {
|
97 |
+
$real_file = vp_get_real_file_path( $file, $tmp_file );
|
98 |
+
$file_size = file_exists( $real_file ) ? @filesize( $real_file ) : 0;
|
99 |
+
if ( !$file_size || $file_size > apply_filters( 'scan_max_file_size', 3 * 1024 * 1024 ) ) // don't scan empty or files larger than 3MB.
|
100 |
+
return false;
|
101 |
+
|
102 |
+
$file_content = null;
|
103 |
+
$skip_file = apply_filters_ref_array( 'pre_scan_file', array ( false, $file, $real_file, &$file_content ) );
|
104 |
+
if ( false !== $skip_file ) // maybe detect malware without regular expressions.
|
105 |
+
return $skip_file;
|
106 |
+
|
107 |
+
if ( !vp_is_interesting_file( $file ) ) // only scan relevant files.
|
108 |
+
return false;
|
109 |
+
|
110 |
+
$found = array ();
|
111 |
+
foreach ( $GLOBALS['vp_signatures'] as $signature ) {
|
112 |
+
// if there is no filename_regex, we assume it's the same of vp_is_interesting_file().
|
113 |
+
if ( empty( $signature->filename_regex ) || preg_match( '#' . addcslashes( $signature->filename_regex, '#' ) . '#i', $file ) ) {
|
114 |
+
if ( null === $file_content )
|
115 |
+
$file_content = file_get_contents( $real_file );
|
116 |
+
|
117 |
+
$is_vulnerable = true;
|
118 |
+
reset( $signature->patterns );
|
119 |
+
$matches = array ();
|
120 |
+
while ( $is_vulnerable && list( , $pattern ) = each( $signature->patterns ) ) {
|
121 |
+
if ( !preg_match( '#' . addcslashes( $pattern, '#' ) . '#im', $file_content, $match ) ) {
|
122 |
+
$is_vulnerable = false;
|
123 |
+
break;
|
124 |
+
}
|
125 |
+
$matches[] = $match;
|
126 |
+
}
|
127 |
+
// Additional checking needed?
|
128 |
+
if ( method_exists( $signature, 'get_detailed_scanner' ) && $scanner = $signature->get_detailed_scanner() )
|
129 |
+
$is_vulnerable = $scanner->scan( $is_vulnerable, $file, $real_file, $file_content, $matches );
|
130 |
+
if ( $is_vulnerable ) {
|
131 |
+
$found[$signature->id] = $matches;
|
132 |
+
if ( isset( $signature->severity ) && $signature->severity > 8 ) // don't continue scanning
|
133 |
+
break;
|
134 |
+
}
|
135 |
+
}
|
136 |
+
}
|
137 |
+
|
138 |
+
return apply_filters_ref_array( 'post_scan_file', array ( $found, $file, $real_file, &$file_content ) );
|
139 |
+
}
|