VaultPress - Version 1.7.2

Version Description

  • 1.7.2 - 20 Apr 2015
  • Hotfix: Protect against a core security issue.
  • Bugfix: Don't allow direct access to plugin files
  • Bugfix: Ensure that the firewall rule option is not autoloaded.
  • Bugfix: More careful path tidy-up when inspecting directory contents. Fixes an edge case where some sites were having backup problems.

Release Info

Developer thingalon
Version 1.7.2

Code changes from version 1.7.1 to 1.7.2

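--- a/class.vaultpress-database.php
+++ b/class.vaultpress-database.php
@@ -1,4 +1,6 @@
 <?php
+// don't call the file directly
+defined( 'ABSPATH' ) or die();
 
 class VaultPress_Database {
 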
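--- a/class.vaultpress-filesystem.php
+++ b/class.vaultpress-filesystem.php
@@ -1,4 +1,6 @@
 <?php
+// don't call the file directly
+defined( 'ABSPATH' ) or die();
 
 class VaultPress_Filesystem {
 
@@ -134,7 +136,16 @@ class VaultPress_Filesystem {
 $dir = implode( DIRECTORY_SEPARATOR, $dir );
 }
 $rval['full_path'] = realpath( $file );
-$rval['path'] = str_replace( $dir, '', $file );
+
+// Avoid rebuilding path tidy-up regex when fetching multiple entries
+static $last_dir = null;
+static $dir_regex = null;
+if ( $last_dir !== $dir ) {
+$dir_regex = '#' . preg_quote( $dir ) . '#';
+$last_dir = $dir;
+}
+
+$rval['path'] = preg_replace( $dir_regex, '', $file, 1 );
 return $rval;
 }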
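Review bot: `preg_quote( $dir )` on new line 144 is called without the pattern delimiter, so a directory path that contains `#` produces a pattern whose `#` delimiter closes early; preg_replace then fails and returns null, which is stored straight into `$rval['path']` for exactly the kind of unusual path this "more careful tidy-up" is meant to handle. Pass the delimiter and anchor the match so only a leading `$dir` is stripped: `$dir_regex = '#^' . preg_quote( $dir, '#' ) . '#';`. The limit of 1 already narrows the old strip-all-occurrences behaviour to the first match; the `^` anchor makes that intent explicit and stops a prefix match inside a deeper path component. The enclosing method starts before this hunk.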
 
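--- a/class.vaultpress-hotfixes.php
+++ b/class.vaultpress-hotfixes.php
@@ -1,4 +1,6 @@
 <?php
+// don't call the file directly
+defined( 'ABSPATH' ) or die();
 
 class VaultPress_Hotfixes {
 function __construct() {
@@ -76,7 +78,10 @@ class VaultPress_Hotfixes {
 
 // https://core.trac.wordpress.org/changeset/21083
 if ( version_compare( $wp_version, '3.3', '>=') && version_compare( $wp_version, '3.3.3', '<' ) )
-add_filter( 'editable_slug', 'esc_textarea' );
+add_filter( 'editable_slug', 'esc_textarea' );
+
+if ( version_compare( $wp_version, '4.1', '>=' ) && version_compare( $wp_version, '4.1.2', '<' ) )
+add_filter( 'wp_check_filetype_and_ext', array( $this, 'wp_check_filetype_and_ext' ), 20, 4 );
 
 add_filter( 'get_pagenum_link', array( $this, 'get_pagenum_link' ) );
 
@@ -93,6 +98,24 @@ class VaultPress_Hotfixes {
 add_action( 'init', array( $this , 'protect_revslider_lfi' ), 1 );
 }
 
+function wp_check_filetype_and_ext( $filetype, $file, $filename, $mimes ) {
+if ( empty( $mimes ) )
+$mimes = get_allowed_mime_types();
+$type = false;
+$ext = false;
+foreach ( $mimes as $ext_preg => $mime_match ) {
+$ext_preg = '!\.(' . $ext_preg . ')$!i';
+if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
+$type = $mime_match;
+$ext = $ext_matches[1];
+break;
+}
+}
+$filetype['ext'] = $ext;
+$filetype['type'] = $type;
+return $filetype;
+}
+
 function disable_jetpack_xmlrpc_methods_293( $jetpack_methods, $core_methods, $user = false ) {
 if ( $this->needs_jetpack_293_fix() && !$user )
 unset( $jetpack_methods['jetpack.jsonAPI'], $jetpack_methods['jetpack.verifyAction'] );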
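Review bot: The new `wp_check_filetype_and_ext` callback (new lines 101–117) overwrites `$filetype['ext']` and `$filetype['type']` unconditionally from the `$filename` argument alone, so anything core derived from the file contents — including, if core set it, a `proper_filename` correction for an image whose real type differs from its extension — is discarded for the ext/type pair and the array can be left internally inconsistent. Consider skipping the override when `! empty( $filetype['proper_filename'] )`, or only replacing the values when the strict regex result disagrees with what core already set. Every other hotfix in this constructor cites a core changeset (see the `// https://core.trac.wordpress.org/changeset/21083` comment above the 3.3 filter), but the 4.1.2 block has none; add a comment naming the core change this mirrors and why the extension regex is the unanchored-suffix-free `'!\.(' . $ext_preg . ')$!i'`. `$wp_version` used by the version checks is not declared within this hunk (presumably a `global` earlier in `__construct`), and the constructor's body continues outside the hunk.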
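--- a/class.vaultpress-ixr-ssl-client.php
+++ b/class.vaultpress-ixr-ssl-client.php
@@ -1,8 +1,7 @@
 <?php
 
 // don't call the file directly
-if ( !defined( 'ABSPATH' ) )
-return;
+defined( 'ABSPATH' ) or die();
 
 if ( !class_exists( 'IXR_Client' ) )
 include_once( ABSPATH . WPINC . '/class-IXR.php' );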
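--- a/cron-tasks.php
+++ b/cron-tasks.php
@@ -1,4 +1,7 @@
 <?php
+// don't call the file directly
+defined( 'ABSPATH' ) or die();
+
 include_once dirname( __FILE__ ) . '/vp-scanner.php';
 
 if ( !function_exists( 'apply_filters_ref_array' ) ) :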
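--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: automattic, apokalyptik, briancolinger, josephscott, shaunandrews,
 Tags: security, malware, virus, archive, back up, back ups, backup, backups, scanning, restore, wordpress backup, site backup, website backup
 Requires at least: 2.9.2
 Tested up to: 4.2
-Stable tag: 1.7.1
+Stable tag: 1.7.2
 License: GPLv2
 
 VaultPress is a subscription service offering realtime backup, automated security scanning, and support from WordPress experts.
@@ -51,6 +51,12 @@ A VaultPress subscription is for a single WordPress site. You can purchase addit
 Yes, VaultPress supports Multisite installs. Each site will require its own subscription.
 
 == Changelog ==
+= 1.7.2 - 20 Apr 2015 =
+* Hotfix: Protect against a core security issue.
+* Bugfix: Don't allow direct access to plugin files
+* Bugfix: Ensure that the firewall rule option is not autoloaded.
+* Bugfix: More careful path tidy-up when inspecting directory contents. Fixes an edge case where some sites were having backup problems.
+
 = 1.7.1 - 25 Mar 2015 =
 * Added support for openssl signing.
 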
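--- a/vaultpress.php
+++ b/vaultpress.php
@@ -3,7 +3,7 @@
 * Plugin Name: VaultPress
 * Plugin URI: http://vaultpress.com/?utm_source=plugin-uri&amp;utm_medium=plugin-description&amp;utm_campaign=1.0
 * Description: Protect your content, themes, plugins, and settings with <strong>realtime backup</strong> and <strong>automated security scanning</strong> from <a href="http://vaultpress.com/?utm_source=wp-admin&amp;utm_medium=plugin-description&amp;utm_campaign=1.0" rel="nofollow">VaultPress</a>. Activate, enter your registration key, and never worry again. <a href="http://vaultpress.com/help/?utm_source=wp-admin&amp;utm_medium=plugin-description&amp;utm_campaign=1.0" rel="nofollow">Need some help?</a>
-* Version: 1.7.1
+* Version: 1.7.2
 * Author: Automattic
 * Author URI: http://vaultpress.com/?utm_source=author-uri&amp;utm_medium=plugin-description&amp;utm_campaign=1.0
 * License: GPL2+
@@ -12,13 +12,12 @@
 */
 
 // don't call the file directly
-if ( !defined( 'ABSPATH' ) )
-return;
+defined( 'ABSPATH' ) or die();
 
 class VaultPress {
 var $option_name = 'vaultpress';
 var $db_version = 4;
-var $plugin_version = '1.7.1';
+var $plugin_version = '1.7.2';
 
 function __construct() {
 register_activation_hook( __FILE__, array( $this, 'activate' ) );
@@ -1028,7 +1027,9 @@ class VaultPress {
 $external_data = $this->request_firewall_update( true );
 if ( $external_data ) {
 $external_newval = array( 'updated' => time(), 'data' => $external_data );
-update_option( 'vaultpress_service_ips_external_cidr', $external_newval );
+
+delete_option( 'vaultpress_service_ips_external_cidr' );
+add_option( 'vaultpress_service_ips_external_cidr', $external_newval, '', 'no' );
 }
 
 if ( !empty( $data ) && !empty( $external_data ) )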
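Review bot: The `delete_option`/`add_option` pair on new lines 1031–1032 is the usual way to flip an existing option to autoload=no, but it is not atomic and the return value of `add_option` is ignored: if the insert fails, or a concurrent request re-creates the option between the two calls so that `add_option` returns false, the previously stored external CIDR list is simply gone until the next successful refresh. Check the result and fall back so a value is always persisted: `if ( ! add_option( 'vaultpress_service_ips_external_cidr', $external_newval, '', 'no' ) ) update_option( 'vaultpress_service_ips_external_cidr', $external_newval );`. Whether the sibling list written from `$data` earlier in this method gets the same autoload treatment is outside the hunk; the changelog names only one "firewall rule option", so confirm that is intentional. The enclosing method starts and ends outside this hunk.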
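--- a/vp-scanner.php
+++ b/vp-scanner.php
@@ -1,4 +1,6 @@
 <?php
+// don't call the file directly
+defined( 'ABSPATH' ) or die();
 
 class VP_FileScan {
 var $path;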